4 #include <linux/compiler.h>
5 #include <linux/xfrm.h>
6 #include <linux/spinlock.h>
7 #include <linux/list.h>
8 #include <linux/skbuff.h>
9 #include <linux/socket.h>
10 #include <linux/pfkeyv2.h>
11 #include <linux/ipsec.h>
12 #include <linux/in6.h>
13 #include <linux/mutex.h>
14 #include <linux/audit.h>
19 #include <net/route.h>
21 #include <net/ip6_fib.h>
23 #define XFRM_PROTO_ESP 50
24 #define XFRM_PROTO_AH 51
25 #define XFRM_PROTO_COMP 108
26 #define XFRM_PROTO_IPIP 4
27 #define XFRM_PROTO_IPV6 41
28 #define XFRM_PROTO_ROUTING IPPROTO_ROUTING
29 #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS
31 #define XFRM_ALIGN8(len) (((len) + 7) & ~7)
32 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
33 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
34 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
35 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
37 extern struct sock *xfrm_nl;
38 extern u32 sysctl_xfrm_aevent_etime;
39 extern u32 sysctl_xfrm_aevent_rseqth;
40 extern int sysctl_xfrm_larval_drop;
41 extern u32 sysctl_xfrm_acq_expires;
43 extern struct mutex xfrm_cfg_mutex;
45 /* Organization of SPD aka "XFRM rules"
46 ------------------------------------
49 - policy rule, struct xfrm_policy (=SPD entry)
50 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
51 - instance of a transformer, struct xfrm_state (=SA)
52 - template to clone xfrm_state, struct xfrm_tmpl
54 SPD is plain linear list of xfrm_policy rules, ordered by priority.
55 (To be compatible with existing pfkeyv2 implementations,
56 many rules with priority of 0x7fffffff are allowed to exist and
57 such rules are ordered in an unpredictable way, thanks to bsd folks.)
59 Lookup is plain linear search until the first match with selector.
61 If "action" is "block", then we prohibit the flow, otherwise:
62 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
63 policy entry has list of up to XFRM_MAX_DEPTH transformations,
64 described by templates xfrm_tmpl. Each template is resolved
65 to a complete xfrm_state (see below) and we pack bundle of transformations
66 to a dst_entry returned to requestor.
68 dst -. xfrm .-> xfrm_state #1
69 |---. child .-> dst -. xfrm .-> xfrm_state #2
70 |---. child .-> dst -. xfrm .-> xfrm_state #3
73 Bundles are cached at xrfm_policy struct (field ->bundles).
76 Resolution of xrfm_tmpl
77 -----------------------
79 1. ->mode Mode: transport or tunnel
80 2. ->id.proto Protocol: AH/ESP/IPCOMP
81 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
82 Q: allow to resolve security gateway?
83 4. ->id.spi If not zero, static SPI.
84 5. ->saddr Local tunnel endpoint, ignored for transport mode.
85 6. ->algos List of allowed algos. Plain bitmask now.
86 Q: ealgos, aalgos, calgos. What a mess...
87 7. ->share Sharing mode.
88 Q: how to implement private sharing mode? To add struct sock* to
91 Having this template we search through SAD searching for entries
92 with appropriate mode/proto/algo, permitted by selector.
93 If no appropriate entry found, it is requested from key manager.
96 Q: How to find all the bundles referring to a physical path for
97 PMTU discovery? Seems, dst should contain list of all parents...
98 and enter to infinite locking hierarchy disaster.
99 No! It is easier, we will not search for them, let them find us.
100 We add genid to each dst plus pointer to genid of raw IP route,
101 pmtu disc will update pmtu on raw IP route and increase its genid.
102 dst_check() will see this for top level and trigger resyncing
103 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
106 /* Full description of state of transformer. */
109 /* Note: bydst is re-used during gc */
110 struct hlist_node bydst;
111 struct hlist_node bysrc;
112 struct hlist_node byspi;
118 struct xfrm_selector sel;
122 /* Key manger bits */
129 /* Parameters of this state. */
134 u8 aalgo, ealgo, calgo;
137 xfrm_address_t saddr;
142 struct xfrm_lifetime_cfg lft;
144 /* Data for transformer */
145 struct xfrm_algo *aalg;
146 struct xfrm_algo *ealg;
147 struct xfrm_algo *calg;
149 /* Data for encapsulator */
150 struct xfrm_encap_tmpl *encap;
152 /* Data for care-of address */
153 xfrm_address_t *coaddr;
155 /* IPComp needs an IPIP tunnel for handling uncompressed packets */
156 struct xfrm_state *tunnel;
158 /* If a tunnel, number of users + 1 */
159 atomic_t tunnel_users;
161 /* State for replay detection */
162 struct xfrm_replay_state replay;
164 /* Replay detection state at the time we sent the last notification */
165 struct xfrm_replay_state preplay;
167 /* internal flag that only holds state for delayed aevent at the
172 /* Replay detection notification settings */
176 /* Replay detection notification timer */
177 struct timer_list rtimer;
180 struct xfrm_stats stats;
182 struct xfrm_lifetime_cur curlft;
183 struct timer_list timer;
188 /* Reference to data common to all the instances of this
190 struct xfrm_type *type;
191 struct xfrm_mode *inner_mode;
192 struct xfrm_mode *outer_mode;
194 /* Security context */
195 struct xfrm_sec_ctx *security;
197 /* Private data of this transformer, format is opaque,
198 * interpreted by xfrm_type methods. */
202 /* xflags - make enum if more show up */
203 #define XFRM_TIME_DEFER 1
214 /* callback structure passed from either netlink or pfkey */
233 struct xfrm_policy_afinfo {
234 unsigned short family;
235 struct dst_ops *dst_ops;
236 void (*garbage_collect)(void);
237 struct dst_entry *(*dst_lookup)(int tos, xfrm_address_t *saddr,
238 xfrm_address_t *daddr);
239 int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr);
240 struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
241 void (*decode_session)(struct sk_buff *skb,
243 int (*get_tos)(struct flowi *fl);
244 int (*fill_dst)(struct xfrm_dst *xdst,
245 struct net_device *dev);
248 extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
249 extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
250 extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
251 extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
254 extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
255 extern void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
256 extern int __xfrm_state_delete(struct xfrm_state *x);
258 struct xfrm_state_afinfo {
261 unsigned int eth_proto;
262 struct module *owner;
263 struct xfrm_type *type_map[IPPROTO_MAX];
264 struct xfrm_mode *mode_map[XFRM_MODE_MAX];
265 int (*init_flags)(struct xfrm_state *x);
266 void (*init_tempsel)(struct xfrm_state *x, struct flowi *fl,
267 struct xfrm_tmpl *tmpl,
268 xfrm_address_t *daddr, xfrm_address_t *saddr);
269 int (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
270 int (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
271 int (*output)(struct sk_buff *skb);
272 int (*extract_input)(struct xfrm_state *x,
273 struct sk_buff *skb);
274 int (*extract_output)(struct xfrm_state *x,
275 struct sk_buff *skb);
278 extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
279 extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
281 extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
286 struct module *owner;
289 #define XFRM_TYPE_NON_FRAGMENT 1
290 #define XFRM_TYPE_REPLAY_PROT 2
291 #define XFRM_TYPE_LOCAL_COADDR 4
292 #define XFRM_TYPE_REMOTE_COADDR 8
294 int (*init_state)(struct xfrm_state *x);
295 void (*destructor)(struct xfrm_state *);
296 int (*input)(struct xfrm_state *, struct sk_buff *skb);
297 int (*output)(struct xfrm_state *, struct sk_buff *pskb);
298 int (*reject)(struct xfrm_state *, struct sk_buff *, struct flowi *);
299 int (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
300 /* Estimate maximal size of result of transformation of a dgram */
301 u32 (*get_mtu)(struct xfrm_state *, int size);
304 extern int xfrm_register_type(struct xfrm_type *type, unsigned short family);
305 extern int xfrm_unregister_type(struct xfrm_type *type, unsigned short family);
309 * Remove encapsulation header.
311 * The IP header will be moved over the top of the encapsulation
314 * On entry, the transport header shall point to where the IP header
315 * should be and the network header shall be set to where the IP
316 * header currently is. skb->data shall point to the start of the
319 int (*input2)(struct xfrm_state *x, struct sk_buff *skb);
322 * This is the actual input entry point.
324 * For transport mode and equivalent this would be identical to
325 * input2 (which does not need to be set). While tunnel mode
326 * and equivalent would set this to the tunnel encapsulation function
327 * xfrm4_prepare_input that would in turn call input2.
329 int (*input)(struct xfrm_state *x, struct sk_buff *skb);
332 * Add encapsulation header.
334 * On exit, the transport header will be set to the start of the
335 * encapsulation header to be filled in by x->type->output and
336 * the mac header will be set to the nextheader (protocol for
337 * IPv4) field of the extension header directly preceding the
338 * encapsulation header, or in its absence, that of the top IP
339 * header. The value of the network header will always point
340 * to the top IP header while skb->data will point to the payload.
342 int (*output2)(struct xfrm_state *x,struct sk_buff *skb);
345 * This is the actual output entry point.
347 * For transport mode and equivalent this would be identical to
348 * output2 (which does not need to be set). While tunnel mode
349 * and equivalent would set this to a tunnel encapsulation function
350 * (xfrm4_prepare_output or xfrm6_prepare_output) that would in turn
353 int (*output)(struct xfrm_state *x, struct sk_buff *skb);
355 struct xfrm_state_afinfo *afinfo;
356 struct module *owner;
361 /* Flags for xfrm_mode. */
363 XFRM_MODE_FLAG_TUNNEL = 1,
366 extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
367 extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
371 /* id in template is interpreted as:
372 * daddr - destination of tunnel, may be zero for transport mode.
373 * spi - zero to acquire spi. Not zero if spi is static, then
374 * daddr must be fixed too.
375 * proto - AH/ESP/IPCOMP
379 /* Source address of tunnel. Ignored, if it is not a tunnel. */
380 xfrm_address_t saddr;
382 unsigned short encap_family;
386 /* Mode: transport, tunnel etc. */
389 /* Sharing mode: unique, this session only, this user only etc. */
392 /* May skip this transfomration if no SA is found */
395 /* Bit mask of algos allowed for acquisition */
401 #define XFRM_MAX_DEPTH 6
405 struct xfrm_policy *next;
406 struct hlist_node bydst;
407 struct hlist_node byidx;
409 /* This lock only affects elements except for entry. */
412 struct timer_list timer;
416 struct xfrm_selector selector;
417 struct xfrm_lifetime_cfg lft;
418 struct xfrm_lifetime_cur curlft;
419 struct dst_entry *bundles;
426 /* XXX 1 byte hole, try to pack */
427 struct xfrm_sec_ctx *security;
428 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
431 struct xfrm_migrate {
432 xfrm_address_t old_daddr;
433 xfrm_address_t old_saddr;
434 xfrm_address_t new_daddr;
435 xfrm_address_t new_saddr;
444 #define XFRM_KM_TIMEOUT 30
446 #define XFRM_REPLAY_SEQ 1
447 #define XFRM_REPLAY_OSEQ 2
448 #define XFRM_REPLAY_SEQ_MASK 3
450 #define XFRM_REPLAY_UPDATE XFRM_AE_CR
451 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
453 /* default aevent timeout in units of 100ms */
454 #define XFRM_AE_ETIME 10
455 /* Async Event timer multiplier */
456 #define XFRM_AE_ETH_M 10
457 /* default seq threshold size */
458 #define XFRM_AE_SEQT_SIZE 2
462 struct list_head list;
464 int (*notify)(struct xfrm_state *x, struct km_event *c);
465 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir);
466 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
467 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
468 int (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c);
469 int (*report)(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
470 int (*migrate)(struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles);
473 extern int xfrm_register_km(struct xfrm_mgr *km);
474 extern int xfrm_unregister_km(struct xfrm_mgr *km);
476 extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2];
479 * This structure is used for the duration where packets are being
480 * transformed by IPsec. As soon as the packet leaves IPsec the
481 * area beyond the generic IP part may be overwritten.
485 struct inet_skb_parm h4;
486 struct inet6_skb_parm h6;
489 /* Sequence number for replay protection. */
493 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
496 * This structure is used by the afinfo prepare_input/prepare_output functions
497 * to transmit header information to the mode input/output functions.
499 struct xfrm_mode_skb_cb {
501 struct inet_skb_parm h4;
502 struct inet6_skb_parm h6;
505 /* Copied from header for IPv4, always set to zero and DF for IPv6. */
509 /* TOS for IPv4, class for IPv6. */
512 /* TTL for IPv4, hop limitfor IPv6. */
515 /* Protocol for IPv4, NH for IPv6. */
518 /* Used by IPv6 only, zero for IPv4. */
522 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
524 /* Audit Information */
531 #ifdef CONFIG_AUDITSYSCALL
532 static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid)
534 struct audit_buffer *audit_buf = NULL;
538 audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
539 AUDIT_MAC_IPSEC_EVENT);
540 if (audit_buf == NULL)
543 audit_log_format(audit_buf, "auid=%u", auid);
546 security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
547 audit_log_format(audit_buf, " subj=%s", secctx);
548 security_release_secctx(secctx, secctx_len);
550 audit_log_task_context(audit_buf);
554 extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
556 extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
558 extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
560 extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
563 #define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0)
564 #define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0)
565 #define xfrm_audit_state_add(x, r, a, s) do { ; } while (0)
566 #define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0)
567 #endif /* CONFIG_AUDITSYSCALL */
569 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
571 if (likely(policy != NULL))
572 atomic_inc(&policy->refcnt);
575 extern void __xfrm_policy_destroy(struct xfrm_policy *policy);
577 static inline void xfrm_pol_put(struct xfrm_policy *policy)
579 if (atomic_dec_and_test(&policy->refcnt))
580 __xfrm_policy_destroy(policy);
583 #ifdef CONFIG_XFRM_SUB_POLICY
584 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
587 for (i = npols - 1; i >= 0; --i)
588 xfrm_pol_put(pols[i]);
591 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
593 xfrm_pol_put(pols[0]);
597 extern void __xfrm_state_destroy(struct xfrm_state *);
599 static inline void __xfrm_state_put(struct xfrm_state *x)
601 atomic_dec(&x->refcnt);
604 static inline void xfrm_state_put(struct xfrm_state *x)
606 if (atomic_dec_and_test(&x->refcnt))
607 __xfrm_state_destroy(x);
610 static inline void xfrm_state_hold(struct xfrm_state *x)
612 atomic_inc(&x->refcnt);
615 static __inline__ int addr_match(void *token1, void *token2, int prefixlen)
622 pdw = prefixlen >> 5; /* num of whole __u32 in prefix */
623 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
626 if (memcmp(a1, a2, pdw << 2))
632 mask = htonl((0xffffffff) << (32 - pbi));
634 if ((a1[pdw] ^ a2[pdw]) & mask)
642 __be16 xfrm_flowi_sport(struct flowi *fl)
648 case IPPROTO_UDPLITE:
650 port = fl->fl_ip_sport;
654 port = htons(fl->fl_icmp_type);
657 port = htons(fl->fl_mh_type);
666 __be16 xfrm_flowi_dport(struct flowi *fl)
672 case IPPROTO_UDPLITE:
674 port = fl->fl_ip_dport;
678 port = htons(fl->fl_icmp_code);
686 extern int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
687 unsigned short family);
689 #ifdef CONFIG_SECURITY_NETWORK_XFRM
690 /* If neither has a context --> match
691 * Otherwise, both must have a context and the sids, doi, alg must match
693 static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
695 return ((!s1 && !s2) ||
697 (s1->ctx_sid == s2->ctx_sid) &&
698 (s1->ctx_doi == s2->ctx_doi) &&
699 (s1->ctx_alg == s2->ctx_alg)));
702 static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
708 /* A struct encoding bundle of transformations to apply to some set of flow.
710 * dst->child points to the next element of bundle.
711 * dst->xfrm points to an instanse of transformer.
713 * Due to unfortunate limitations of current routing cache, which we
714 * have no time to fix, it mirrors struct rtable and bound to the same
715 * routing key, including saddr,daddr. However, we can have many of
716 * bundles differing by session id. All the bundles grow from a parent
722 struct dst_entry dst;
726 struct dst_entry *route;
727 #ifdef CONFIG_XFRM_SUB_POLICY
728 struct flowi *origin;
729 struct xfrm_selector *partner;
732 u32 route_mtu_cached;
733 u32 child_mtu_cached;
738 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
740 dst_release(xdst->route);
741 if (likely(xdst->u.dst.xfrm))
742 xfrm_state_put(xdst->u.dst.xfrm);
743 #ifdef CONFIG_XFRM_SUB_POLICY
746 kfree(xdst->partner);
747 xdst->partner = NULL;
751 extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
757 struct xfrm_state *xvec[XFRM_MAX_DEPTH];
760 static inline struct sec_path *
761 secpath_get(struct sec_path *sp)
764 atomic_inc(&sp->refcnt);
768 extern void __secpath_destroy(struct sec_path *sp);
771 secpath_put(struct sec_path *sp)
773 if (sp && atomic_dec_and_test(&sp->refcnt))
774 __secpath_destroy(sp);
777 extern struct sec_path *secpath_dup(struct sec_path *src);
780 secpath_reset(struct sk_buff *skb)
783 secpath_put(skb->sp);
789 xfrm_addr_any(xfrm_address_t *addr, unsigned short family)
793 return addr->a4 == 0;
795 return ipv6_addr_any((struct in6_addr *)&addr->a6);
801 __xfrm4_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
803 return (tmpl->saddr.a4 &&
804 tmpl->saddr.a4 != x->props.saddr.a4);
808 __xfrm6_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
810 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
811 ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
815 xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family)
819 return __xfrm4_state_addr_cmp(tmpl, x);
821 return __xfrm6_state_addr_cmp(tmpl, x);
828 extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
830 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
832 if (sk && sk->sk_policy[XFRM_POLICY_IN])
833 return __xfrm_policy_check(sk, dir, skb, family);
835 return (!xfrm_policy_count[dir] && !skb->sp) ||
836 (skb->dst->flags & DST_NOPOLICY) ||
837 __xfrm_policy_check(sk, dir, skb, family);
840 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
842 return xfrm_policy_check(sk, dir, skb, AF_INET);
845 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
847 return xfrm_policy_check(sk, dir, skb, AF_INET6);
850 extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family);
851 extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
853 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
855 return !xfrm_policy_count[XFRM_POLICY_OUT] ||
856 (skb->dst->flags & DST_NOXFRM) ||
857 __xfrm_route_forward(skb, family);
860 static inline int xfrm4_route_forward(struct sk_buff *skb)
862 return xfrm_route_forward(skb, AF_INET);
865 static inline int xfrm6_route_forward(struct sk_buff *skb)
867 return xfrm_route_forward(skb, AF_INET6);
870 extern int __xfrm_sk_clone_policy(struct sock *sk);
872 static inline int xfrm_sk_clone_policy(struct sock *sk)
874 if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
875 return __xfrm_sk_clone_policy(sk);
879 extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
881 static inline void xfrm_sk_free_policy(struct sock *sk)
883 if (unlikely(sk->sk_policy[0] != NULL)) {
884 xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
885 sk->sk_policy[0] = NULL;
887 if (unlikely(sk->sk_policy[1] != NULL)) {
888 xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
889 sk->sk_policy[1] = NULL;
895 static inline void xfrm_sk_free_policy(struct sock *sk) {}
896 static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
897 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
898 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
899 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
903 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
907 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
914 xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
918 return (xfrm_address_t *)&fl->fl4_dst;
920 return (xfrm_address_t *)&fl->fl6_dst;
926 xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family)
930 return (xfrm_address_t *)&fl->fl4_src;
932 return (xfrm_address_t *)&fl->fl6_src;
937 static __inline__ int
938 __xfrm4_state_addr_check(struct xfrm_state *x,
939 xfrm_address_t *daddr, xfrm_address_t *saddr)
941 if (daddr->a4 == x->id.daddr.a4 &&
942 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
947 static __inline__ int
948 __xfrm6_state_addr_check(struct xfrm_state *x,
949 xfrm_address_t *daddr, xfrm_address_t *saddr)
951 if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
952 (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)||
953 ipv6_addr_any((struct in6_addr *)saddr) ||
954 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
959 static __inline__ int
960 xfrm_state_addr_check(struct xfrm_state *x,
961 xfrm_address_t *daddr, xfrm_address_t *saddr,
962 unsigned short family)
966 return __xfrm4_state_addr_check(x, daddr, saddr);
968 return __xfrm6_state_addr_check(x, daddr, saddr);
973 static __inline__ int
974 xfrm_state_addr_flow_check(struct xfrm_state *x, struct flowi *fl,
975 unsigned short family)
979 return __xfrm4_state_addr_check(x,
980 (xfrm_address_t *)&fl->fl4_dst,
981 (xfrm_address_t *)&fl->fl4_src);
983 return __xfrm6_state_addr_check(x,
984 (xfrm_address_t *)&fl->fl6_dst,
985 (xfrm_address_t *)&fl->fl6_src);
990 static inline int xfrm_state_kern(struct xfrm_state *x)
992 return atomic_read(&x->tunnel_users);
995 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
997 return (!userproto || proto == userproto ||
998 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
999 proto == IPPROTO_ESP ||
1000 proto == IPPROTO_COMP)));
1004 * xfrm algorithm information
1006 struct xfrm_algo_auth_info {
1011 struct xfrm_algo_encr_info {
1016 struct xfrm_algo_comp_info {
1020 struct xfrm_algo_desc {
1025 struct xfrm_algo_auth_info auth;
1026 struct xfrm_algo_encr_info encr;
1027 struct xfrm_algo_comp_info comp;
1029 struct sadb_alg desc;
1032 /* XFRM tunnel handlers. */
1033 struct xfrm_tunnel {
1034 int (*handler)(struct sk_buff *skb);
1035 int (*err_handler)(struct sk_buff *skb, __u32 info);
1037 struct xfrm_tunnel *next;
1041 struct xfrm6_tunnel {
1042 int (*handler)(struct sk_buff *skb);
1043 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1044 int type, int code, int offset, __be32 info);
1045 struct xfrm6_tunnel *next;
1049 extern void xfrm_init(void);
1050 extern void xfrm4_init(void);
1051 extern void xfrm6_init(void);
1052 extern void xfrm6_fini(void);
1053 extern void xfrm_state_init(void);
1054 extern void xfrm4_state_init(void);
1055 extern void xfrm6_state_init(void);
1056 extern void xfrm6_state_fini(void);
1058 extern int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*), void *);
1059 extern struct xfrm_state *xfrm_state_alloc(void);
1060 extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
1061 struct flowi *fl, struct xfrm_tmpl *tmpl,
1062 struct xfrm_policy *pol, int *err,
1063 unsigned short family);
1064 extern struct xfrm_state * xfrm_stateonly_find(xfrm_address_t *daddr,
1065 xfrm_address_t *saddr,
1066 unsigned short family,
1067 u8 mode, u8 proto, u32 reqid);
1068 extern int xfrm_state_check_expire(struct xfrm_state *x);
1069 extern void xfrm_state_insert(struct xfrm_state *x);
1070 extern int xfrm_state_add(struct xfrm_state *x);
1071 extern int xfrm_state_update(struct xfrm_state *x);
1072 extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family);
1073 extern struct xfrm_state *xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family);
1074 #ifdef CONFIG_XFRM_SUB_POLICY
1075 extern int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1076 int n, unsigned short family);
1077 extern int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1078 int n, unsigned short family);
1080 static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1081 int n, unsigned short family)
1086 static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1087 int n, unsigned short family)
1093 struct xfrmk_sadinfo {
1094 u32 sadhcnt; /* current hash bkts */
1095 u32 sadhmcnt; /* max allowed hash bkts */
1096 u32 sadcnt; /* current running count */
1099 struct xfrmk_spdinfo {
1110 extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq);
1111 extern int xfrm_state_delete(struct xfrm_state *x);
1112 extern int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info);
1113 extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si);
1114 extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si);
1115 extern int xfrm_replay_check(struct xfrm_state *x, __be32 seq);
1116 extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);
1117 extern void xfrm_replay_notify(struct xfrm_state *x, int event);
1118 extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
1119 extern int xfrm_init_state(struct xfrm_state *x);
1120 extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
1121 extern int xfrm_output(struct sk_buff *skb);
1122 extern int xfrm4_extract_header(struct sk_buff *skb);
1123 extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1124 extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1126 extern int xfrm4_rcv(struct sk_buff *skb);
1128 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1130 return xfrm4_rcv_encap(skb, nexthdr, spi, 0);
1133 extern int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1134 extern int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1135 extern int xfrm4_output(struct sk_buff *skb);
1136 extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1137 extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1138 extern int xfrm6_extract_header(struct sk_buff *skb);
1139 extern int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1140 extern int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
1141 extern int xfrm6_rcv(struct sk_buff *skb);
1142 extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1143 xfrm_address_t *saddr, u8 proto);
1144 extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1145 extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1146 extern __be32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);
1147 extern void xfrm6_tunnel_free_spi(xfrm_address_t *saddr);
1148 extern __be32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr);
1149 extern int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1150 extern int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1151 extern int xfrm6_output(struct sk_buff *skb);
1152 extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1156 extern int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1157 extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
1159 static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1161 return -ENOPROTOOPT;
1164 static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1166 /* should not happen */
1172 struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
1173 extern int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*), void *);
1174 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1175 struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
1176 struct xfrm_selector *sel,
1177 struct xfrm_sec_ctx *ctx, int delete,
1179 struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int *err);
1180 int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
1181 u32 xfrm_get_acqseq(void);
1182 extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1183 struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1184 xfrm_address_t *daddr, xfrm_address_t *saddr,
1185 int create, unsigned short family);
1186 extern int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
1187 extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1188 extern int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst,
1189 struct flowi *fl, int family, int strict);
1191 #ifdef CONFIG_XFRM_MIGRATE
1192 extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1193 struct xfrm_migrate *m, int num_bundles);
1194 extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m);
1195 extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1196 struct xfrm_migrate *m);
1197 extern int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1198 struct xfrm_migrate *m, int num_bundles);
1201 extern wait_queue_head_t km_waitq;
1202 extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1203 extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid);
1204 extern int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
1206 extern void xfrm_input_init(void);
1207 extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1209 extern void xfrm_probe_algs(void);
1210 extern int xfrm_count_auth_supported(void);
1211 extern int xfrm_count_enc_supported(void);
1212 extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1213 extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1214 extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1215 extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1216 extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1217 extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe);
1218 extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe);
1219 extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe);
1223 typedef int (icv_update_fn_t)(struct hash_desc *, struct scatterlist *,
1226 extern int skb_icv_walk(const struct sk_buff *skb, struct hash_desc *tfm,
1227 int offset, int len, icv_update_fn_t icv_update);
1229 static inline int xfrm_addr_cmp(xfrm_address_t *a, xfrm_address_t *b,
1235 return (__force __u32)a->a4 - (__force __u32)b->a4;
1237 return ipv6_addr_cmp((struct in6_addr *)a,
1238 (struct in6_addr *)b);
1242 static inline int xfrm_policy_id2dir(u32 index)
1247 static inline int xfrm_aevent_is_on(void)
1253 nlsk = rcu_dereference(xfrm_nl);
1255 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1260 static inline int xfrm_alg_len(struct xfrm_algo *alg)
1262 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1265 #ifdef CONFIG_XFRM_MIGRATE
1266 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1268 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1271 static inline void xfrm_states_put(struct xfrm_state **states, int n)
1274 for (i = 0; i < n; i++)
1275 xfrm_state_put(*(states + i));
1278 static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1281 for (i = 0; i < n; i++)
1282 xfrm_state_delete(*(states + i));
1286 #endif /* _NET_XFRM_H */
projects / linux-2.6-omap-h63xx.git / blob