Next: 2.1.1 Comments upon problems/limitations Up: 2 Current KLIPS input/output Previous: 2 Current KLIPS input/output

2.1 output: ipsec_tunnel_start_xmit

  1. gather private information
  2. clone skb if necessary
  3. verify that packet is IPv4
  4. compute hard header length
  5. decrement TTL
  6. lookup in erouting table
  7. UDP port 500 exception
  8. start encapsulation loop
    1. check for DROP or missing eroute
    2. check for REJECT eroute
    3. check for PASS eroute
    4. check for HOLD eroute
    5. check for TRAP eroute, signal PF_KEY, swap to HOLD eroute
    6. acquire lock for walking tdb chain
    7. calculate headroom required for chain
      1. check if SA is in larval, drop
      2. check if SA is dead, drop
      3. check if replay overflowed, expire SA
      4. check if lifetime counters have overflowed, expire SA
      5. switch on protocol type, to calculate headroom size
        1. if ESP, switch on protocol type to calculate tailroom size
    8. calculate mtudiff, send ICMP fragment needed. Mark "note2"
    9. hack MSS if desired
    10. copy upper (layer 2) header to safety if it was present
    11. check if data fits in existing skb, else expand
    12. apply grouped transforms
      1. apply disaster of #ifdefs
      2. switch by protocol type, calculate headroom for this stage
        1. if ESP, then switch by cipher to get headroom
        2. if ESP, then switch by hash to get tailroom
      3. double check (not in NDEBUG) if there is enough headroom
      4. push the data ahead
      5. double check (not in NDEBUG) if there is enough tailroom
      6. extend the data behind
      7. see if packet has become too long (bigger than 64K)
      8. finally move the plaintext as appropriate
      9. switch on protocol type
      10. case: ESP
        1. switch on cipher type, prepare IV
        2. prepare self-describing padding
        3. switch on cipher type, do encryption
        4. switch on cipher type, update IV
        5. switch on hash type, do authentication
      11. case: AH
        1. prep replay info, headroom
        2. switch on hash type, do authentication
      12. case: IPIP, apply encap
      13. case: IPCOMP
        1. call skb_compress
        2. do some debugging
      14. recalculate header checksum
    13. lookup eroute by new outer header, if we found something and the src/dst have changed
  9. send ICMP if packet has become too big
  10. re-apply link layer header if there was one
  11. attempt to re-route the packet
  12. drop packet if new route leads to us again
  13. do connection tracking
  14. do netfilter localout output call
  15. call ip_send or IP_SEND depending on kernel version
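As an added illustration (not KLIPS code), the following shows how the headroom/tailroom calculation, the ESP self-describing padding and the mtudiff of steps 7, 8 and 12 above fit together. The header sizes, cipher parameters and sample packet are assumed constants chosen for the example, not values taken from KLIPS.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define IPV4_HDR_LEN  20     /* outer IPv4 header added by the IPIP step */
#define ESP_HDR_LEN    8     /* ESP SPI (4) + sequence number (4) */
#define MAX_IP_LEN 65535     /* the "bigger than 64K" limit of step 12.7 */
/* Self-describing padding so that plaintext + pad + pad-length + next-header
   is a multiple of the cipher block size (at least 4 for ESP). */
size_t esp_padlen(size_t plain_len, size_t blocksize)
{
    size_t want = plain_len + 2;           /* the two trailer bytes */
    return (blocksize - (want % blocksize)) % blocksize;
}
/* Headroom in front of the plaintext: outer IP header, ESP header, IV. */
size_t esp_headroom(size_t ivlen) { return IPV4_HDR_LEN + ESP_HDR_LEN + ivlen; }
/* Tailroom behind it: padding, pad-length, next-header, hash ICV. */
size_t esp_tailroom(size_t plain_len, size_t blocksize, size_t icvlen)
{
    return esp_padlen(plain_len, blocksize) + 2 + icvlen;
}
/* Step 8: encapsulated length minus path MTU; positive means "fragmentation
   needed". *too_long is set (and 0 returned) if the result would exceed 64K. */
long esp_mtudiff(size_t plain_len, size_t blocksize, size_t ivlen,
                 size_t icvlen, size_t mtu, int *too_long)
{
    size_t total = esp_headroom(ivlen) + plain_len
                 + esp_tailroom(plain_len, blocksize, icvlen);
    *too_long = total > MAX_IP_LEN;
    return *too_long ? 0 : (long)total - (long)mtu;
}
/* ESP trailer: pad bytes 1,2,3,..., then pad-length and next-header.
   tail needs padlen + 2 bytes of room; returns the number written. */
size_t esp_write_trailer(uint8_t *tail, size_t padlen, uint8_t next_header)
{
    for (size_t i = 0; i < padlen; i++)
        tail[i] = (uint8_t)(i + 1);
    tail[padlen] = (uint8_t)padlen;
    tail[padlen + 1] = next_header;
    return padlen + 2;
}

int main(void)
{
    int too_long;   /* constructed input: 100-byte payload, 3DES, HMAC-96 */
    long d = esp_mtudiff(100, 8, 8, 12, 1500, &too_long);
    printf("headroom=%zu tailroom=%zu mtudiff=%ld\n", esp_headroom(8),
           esp_tailroom(100, 8, 12), d);
    return 0;
}
```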



Michael Richardson
2001-11-27