Next: 2.1.1 Comments upon problems/limitations
Up: 2 Current KLIPS input/output
Previous: 2 Current KLIPS input/output
- gather private information
- clone skb if necessary
- verify that packet is IPv4
- compute hard header length
- decrement TTL
- lookup in erouting table
- UDP port 500 exception
- start encapsulation loop
- check for DROP or missing eroute
- check for REJECT eroute
- check for PASS eroute
- check for HOLD eroute
- check for TRAP eroute, signal PF_KEY, swap to HOLD eroute
- acquire lock for walking tdb chain
- calculate headroom required for chain
- check if SA is in larval, drop
- check if SA is dead, drop
- check if replay overflowed, expire SA
- check if lifetime counters have overflowed, expire SA
- switch on protocol type, to calculate headroom size.
- if ESP switch on protocol type to calculate tailroom size.
- calculate mtudiff, send ICMP fragment needed. Mark ``note2''
- hack MSS if desired
- copy upper (layer 2) header to safety if it was present
- check if data fits in existing skb, else expand.
- apply grouped transforms
- apply disaster of #ifdefs.
- switch by protocol type, calculate headroom for this stage
- if ESP, then switch by cipher get headroom
- if ESP, then switch by hash to get tailroom
- double check (not in NDEBUG) if there is enough headroom
- push the data ahead
- double check (not in NDEBUG) if there is enough tailroom
- extend the data behind
- see if packet has become too long (bigger than 64K)
- finally move the plaintext as appropriate
- switch on protocol type
  - case: ESP
    - switch on cipher type, prepare IV
    - prepare self-describing padding
    - switch on cipher type, do encryption
    - switch on cipher type, update IV
    - switch on hash type, do authentication
  - case: AH
    - prep replay info, headroom
    - switch on hash type, do authentication
  - case: IPIP, apply encap
  - case: IPCOMP
    - call skb_compress
- do some debugging
- recalculate header checksum
- lookup eroute by new outer header, if we found something and the src/dst have changed
- send ICMP if packet has become too big
- re-apply link layer header if there was one.
- attempt to re-route the packet
- drop packet if new route leads to us again.
- do connection tracking
- do netfilter localout output call
- call ip_send or IP_SEND depending on kernel version
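The headroom/tailroom, self-describing padding and mtudiff steps above are the space accounting an ESP tunnel-mode transform has to get right before the plaintext is moved and encrypted. The following is an added worked example (not KLIPS code, and not taken from the FreeS/WAN sources) that carries that accounting through in plain C: the sizes for the outer IPv4 header, the ESP header and trailer are the RFC 2406 values, while the cipher block size, IV length, ICV length, hard header length and MTU passed in are assumptions chosen for illustration. It also includes the receiver-side check that the padding bytes follow the 1,2,3,... pattern, which is the complement of "prepare self-describing padding".

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example of ESP tunnel-mode space accounting.
 * Header/trailer sizes follow RFC 2406; everything else is a parameter. */

#define OUTER_IP_HDR_LEN 20   /* new outer IPv4 header added by IPIP encap */
#define ESP_HDR_LEN       8   /* SPI (4 bytes) + sequence number (4 bytes) */
#define ESP_TRAILER_LEN   2   /* pad length (1 byte) + next header (1 byte) */
#define IPPROTO_IPIP_NUM  4   /* next-header value for an encapsulated IPv4 packet */

struct esp_layout {
    size_t headroom;  /* bytes that must be pushed ahead of the plaintext */
    size_t padlen;    /* self-describing padding bytes */
    size_t tailroom;  /* bytes that must be extended behind the plaintext */
};

/* Padding so that payload + pad + trailer is a multiple of the cipher
 * block size (8 for 3DES, 16 for AES; assumed inputs). */
size_t esp_pad_len(size_t payload_len, size_t block_size)
{
    size_t rem = (payload_len + ESP_TRAILER_LEN) % block_size;
    return rem ? block_size - rem : 0;
}

/* The "switch on cipher / switch on hash" steps collapse here into the
 * iv_len and icv_len arguments, which is all the layout needs. */
struct esp_layout esp_layout_for(size_t payload_len, size_t block_size,
                                 size_t iv_len, size_t icv_len)
{
    struct esp_layout l;
    l.headroom = OUTER_IP_HDR_LEN + ESP_HDR_LEN + iv_len;
    l.padlen   = esp_pad_len(payload_len, block_size);
    l.tailroom = l.padlen + ESP_TRAILER_LEN + icv_len;
    return l;
}

/* Write the self-describing trailer: pad bytes 1,2,3,... then the pad
 * length byte and the next-header byte. Returns bytes written. */
size_t esp_write_trailer(uint8_t *tail, size_t padlen, uint8_t next_header)
{
    for (size_t i = 0; i < padlen; i++)
        tail[i] = (uint8_t)(i + 1);
    tail[padlen]     = (uint8_t)padlen;
    tail[padlen + 1] = next_header;
    return padlen + ESP_TRAILER_LEN;
}

/* Receiver-side complement: after decryption, confirm the padding is
 * well-formed. Returns 1 if the pad bytes match the 1,2,3,... pattern. */
int esp_trailer_valid(const uint8_t *decrypted, size_t dec_len)
{
    if (dec_len < ESP_TRAILER_LEN)
        return 0;
    size_t padlen = decrypted[dec_len - 2];
    if (padlen + ESP_TRAILER_LEN > dec_len)
        return 0;
    const uint8_t *pad = decrypted + dec_len - ESP_TRAILER_LEN - padlen;
    for (size_t i = 0; i < padlen; i++)
        if (pad[i] != (uint8_t)(i + 1))
            return 0;
    return 1;
}

/* mtudiff as in the step list: by how much the encapsulated frame exceeds
 * the MTU. A positive result is the "send ICMP fragment needed" case. */
long esp_mtudiff(size_t hard_header_len, size_t payload_len,
                 const struct esp_layout *l, size_t mtu)
{
    return (long)(hard_header_len + l->headroom + payload_len + l->tailroom)
         - (long)mtu;
}

int main(void)
{
    /* Assumed parameters: AES (16-byte block, 16-byte IV), HMAC-96 ICV,
     * 14-byte Ethernet hard header, 1500-byte MTU. */
    size_t payloads[] = { 100, 1400, 1440 };
    for (size_t i = 0; i < 3; i++) {
        struct esp_layout l = esp_layout_for(payloads[i], 16, 16, 12);
        printf("payload %zu: headroom %zu pad %zu tailroom %zu mtudiff %ld\n",
               payloads[i], l.headroom, l.padlen, l.tailroom,
               esp_mtudiff(14, payloads[i], &l, 1500));
    }
    return 0;
}
```

With the assumed AES/HMAC-96 parameters a 1440-byte payload already overshoots a 1500-byte MTU by 26 bytes once the 44 bytes of headroom and 28 bytes of tailroom are added, which is exactly the situation the mtudiff check exists to catch before the packet is built.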
Michael Richardson
2001-11-27