6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * Kazunori MIYAZAWA @USAGI
11 * Split up af-specific portion
12 * Derek Atkins <derek@ihtfp.com> Add the post_input processor
16 #include <linux/err.h>
17 #include <linux/slab.h>
18 #include <linux/kmod.h>
19 #include <linux/list.h>
20 #include <linux/spinlock.h>
21 #include <linux/workqueue.h>
22 #include <linux/notifier.h>
23 #include <linux/netdevice.h>
24 #include <linux/netfilter.h>
25 #include <linux/module.h>
26 #include <linux/cache.h>
27 #include <linux/audit.h>
31 #ifdef CONFIG_XFRM_STATISTICS
35 #include "xfrm_hash.h"
37 DEFINE_MUTEX(xfrm_cfg_mutex);
38 EXPORT_SYMBOL(xfrm_cfg_mutex);
40 static DEFINE_RWLOCK(xfrm_policy_lock);
42 static DEFINE_RWLOCK(xfrm_policy_afinfo_lock);
43 static struct xfrm_policy_afinfo *xfrm_policy_afinfo[NPROTO];
45 static struct kmem_cache *xfrm_dst_cache __read_mostly;
47 static HLIST_HEAD(xfrm_policy_gc_list);
48 static DEFINE_SPINLOCK(xfrm_policy_gc_lock);
50 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
51 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
52 static void xfrm_init_pmtu(struct dst_entry *dst);
55 __xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl)
57 return addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) &&
58 addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) &&
59 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
60 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
61 (fl->proto == sel->proto || !sel->proto) &&
62 (fl->oif == sel->ifindex || !sel->ifindex);
66 __xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl)
68 return addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) &&
69 addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) &&
70 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
71 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
72 (fl->proto == sel->proto || !sel->proto) &&
73 (fl->oif == sel->ifindex || !sel->ifindex);
76 int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
77 unsigned short family)
81 return __xfrm4_selector_match(sel, fl);
83 return __xfrm6_selector_match(sel, fl);
88 static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos,
89 xfrm_address_t *saddr,
90 xfrm_address_t *daddr,
93 struct xfrm_policy_afinfo *afinfo;
94 struct dst_entry *dst;
96 afinfo = xfrm_policy_get_afinfo(family);
97 if (unlikely(afinfo == NULL))
98 return ERR_PTR(-EAFNOSUPPORT);
100 dst = afinfo->dst_lookup(net, tos, saddr, daddr);
102 xfrm_policy_put_afinfo(afinfo);
107 static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x, int tos,
108 xfrm_address_t *prev_saddr,
109 xfrm_address_t *prev_daddr,
112 struct net *net = xs_net(x);
113 xfrm_address_t *saddr = &x->props.saddr;
114 xfrm_address_t *daddr = &x->id.daddr;
115 struct dst_entry *dst;
117 if (x->type->flags & XFRM_TYPE_LOCAL_COADDR) {
121 if (x->type->flags & XFRM_TYPE_REMOTE_COADDR) {
126 dst = __xfrm_dst_lookup(net, tos, saddr, daddr, family);
129 if (prev_saddr != saddr)
130 memcpy(prev_saddr, saddr, sizeof(*prev_saddr));
131 if (prev_daddr != daddr)
132 memcpy(prev_daddr, daddr, sizeof(*prev_daddr));
138 static inline unsigned long make_jiffies(long secs)
140 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
141 return MAX_SCHEDULE_TIMEOUT-1;
146 static void xfrm_policy_timer(unsigned long data)
148 struct xfrm_policy *xp = (struct xfrm_policy*)data;
149 unsigned long now = get_seconds();
150 long next = LONG_MAX;
154 read_lock(&xp->lock);
159 dir = xfrm_policy_id2dir(xp->index);
161 if (xp->lft.hard_add_expires_seconds) {
162 long tmo = xp->lft.hard_add_expires_seconds +
163 xp->curlft.add_time - now;
169 if (xp->lft.hard_use_expires_seconds) {
170 long tmo = xp->lft.hard_use_expires_seconds +
171 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
177 if (xp->lft.soft_add_expires_seconds) {
178 long tmo = xp->lft.soft_add_expires_seconds +
179 xp->curlft.add_time - now;
182 tmo = XFRM_KM_TIMEOUT;
187 if (xp->lft.soft_use_expires_seconds) {
188 long tmo = xp->lft.soft_use_expires_seconds +
189 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
192 tmo = XFRM_KM_TIMEOUT;
199 km_policy_expired(xp, dir, 0, 0);
200 if (next != LONG_MAX &&
201 !mod_timer(&xp->timer, jiffies + make_jiffies(next)))
205 read_unlock(&xp->lock);
210 read_unlock(&xp->lock);
211 if (!xfrm_policy_delete(xp, dir))
212 km_policy_expired(xp, dir, 1, 0);
217 /* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
221 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
223 struct xfrm_policy *policy;
225 policy = kzalloc(sizeof(struct xfrm_policy), gfp);
228 write_pnet(&policy->xp_net, net);
229 INIT_LIST_HEAD(&policy->walk.all);
230 INIT_HLIST_NODE(&policy->bydst);
231 INIT_HLIST_NODE(&policy->byidx);
232 rwlock_init(&policy->lock);
233 atomic_set(&policy->refcnt, 1);
234 setup_timer(&policy->timer, xfrm_policy_timer,
235 (unsigned long)policy);
239 EXPORT_SYMBOL(xfrm_policy_alloc);
241 /* Destroy xfrm_policy: descendant resources must be released to this moment. */
243 void xfrm_policy_destroy(struct xfrm_policy *policy)
245 BUG_ON(!policy->walk.dead);
247 BUG_ON(policy->bundles);
249 if (del_timer(&policy->timer))
252 security_xfrm_policy_free(policy->security);
255 EXPORT_SYMBOL(xfrm_policy_destroy);
257 static void xfrm_policy_gc_kill(struct xfrm_policy *policy)
259 struct dst_entry *dst;
261 while ((dst = policy->bundles) != NULL) {
262 policy->bundles = dst->next;
266 if (del_timer(&policy->timer))
267 atomic_dec(&policy->refcnt);
269 if (atomic_read(&policy->refcnt) > 1)
272 xfrm_pol_put(policy);
275 static void xfrm_policy_gc_task(struct work_struct *work)
277 struct xfrm_policy *policy;
278 struct hlist_node *entry, *tmp;
279 struct hlist_head gc_list;
281 spin_lock_bh(&xfrm_policy_gc_lock);
282 gc_list.first = xfrm_policy_gc_list.first;
283 INIT_HLIST_HEAD(&xfrm_policy_gc_list);
284 spin_unlock_bh(&xfrm_policy_gc_lock);
286 hlist_for_each_entry_safe(policy, entry, tmp, &gc_list, bydst)
287 xfrm_policy_gc_kill(policy);
289 static DECLARE_WORK(xfrm_policy_gc_work, xfrm_policy_gc_task);
291 /* Rule must be locked. Release descentant resources, announce
292 * entry dead. The rule must be unlinked from lists to the moment.
295 static void xfrm_policy_kill(struct xfrm_policy *policy)
299 write_lock_bh(&policy->lock);
300 dead = policy->walk.dead;
301 policy->walk.dead = 1;
302 write_unlock_bh(&policy->lock);
304 if (unlikely(dead)) {
309 spin_lock_bh(&xfrm_policy_gc_lock);
310 hlist_add_head(&policy->bydst, &xfrm_policy_gc_list);
311 spin_unlock_bh(&xfrm_policy_gc_lock);
313 schedule_work(&xfrm_policy_gc_work);
316 static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024;
318 static inline unsigned int idx_hash(struct net *net, u32 index)
320 return __idx_hash(index, net->xfrm.policy_idx_hmask);
323 static struct hlist_head *policy_hash_bysel(struct net *net, struct xfrm_selector *sel, unsigned short family, int dir)
325 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
326 unsigned int hash = __sel_hash(sel, family, hmask);
328 return (hash == hmask + 1 ?
329 &net->xfrm.policy_inexact[dir] :
330 net->xfrm.policy_bydst[dir].table + hash);
333 static struct hlist_head *policy_hash_direct(struct net *net, xfrm_address_t *daddr, xfrm_address_t *saddr, unsigned short family, int dir)
335 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
336 unsigned int hash = __addr_hash(daddr, saddr, family, hmask);
338 return net->xfrm.policy_bydst[dir].table + hash;
341 static void xfrm_dst_hash_transfer(struct hlist_head *list,
342 struct hlist_head *ndsttable,
343 unsigned int nhashmask)
345 struct hlist_node *entry, *tmp, *entry0 = NULL;
346 struct xfrm_policy *pol;
350 hlist_for_each_entry_safe(pol, entry, tmp, list, bydst) {
353 h = __addr_hash(&pol->selector.daddr, &pol->selector.saddr,
354 pol->family, nhashmask);
357 hlist_add_head(&pol->bydst, ndsttable+h);
363 hlist_add_after(entry0, &pol->bydst);
367 if (!hlist_empty(list)) {
373 static void xfrm_idx_hash_transfer(struct hlist_head *list,
374 struct hlist_head *nidxtable,
375 unsigned int nhashmask)
377 struct hlist_node *entry, *tmp;
378 struct xfrm_policy *pol;
380 hlist_for_each_entry_safe(pol, entry, tmp, list, byidx) {
383 h = __idx_hash(pol->index, nhashmask);
384 hlist_add_head(&pol->byidx, nidxtable+h);
388 static unsigned long xfrm_new_hash_mask(unsigned int old_hmask)
390 return ((old_hmask + 1) << 1) - 1;
393 static void xfrm_bydst_resize(struct net *net, int dir)
395 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
396 unsigned int nhashmask = xfrm_new_hash_mask(hmask);
397 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
398 struct hlist_head *odst = net->xfrm.policy_bydst[dir].table;
399 struct hlist_head *ndst = xfrm_hash_alloc(nsize);
405 write_lock_bh(&xfrm_policy_lock);
407 for (i = hmask; i >= 0; i--)
408 xfrm_dst_hash_transfer(odst + i, ndst, nhashmask);
410 net->xfrm.policy_bydst[dir].table = ndst;
411 net->xfrm.policy_bydst[dir].hmask = nhashmask;
413 write_unlock_bh(&xfrm_policy_lock);
415 xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head));
418 static void xfrm_byidx_resize(struct net *net, int total)
420 unsigned int hmask = net->xfrm.policy_idx_hmask;
421 unsigned int nhashmask = xfrm_new_hash_mask(hmask);
422 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
423 struct hlist_head *oidx = net->xfrm.policy_byidx;
424 struct hlist_head *nidx = xfrm_hash_alloc(nsize);
430 write_lock_bh(&xfrm_policy_lock);
432 for (i = hmask; i >= 0; i--)
433 xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask);
435 net->xfrm.policy_byidx = nidx;
436 net->xfrm.policy_idx_hmask = nhashmask;
438 write_unlock_bh(&xfrm_policy_lock);
440 xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head));
443 static inline int xfrm_bydst_should_resize(struct net *net, int dir, int *total)
445 unsigned int cnt = net->xfrm.policy_count[dir];
446 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
451 if ((hmask + 1) < xfrm_policy_hashmax &&
458 static inline int xfrm_byidx_should_resize(struct net *net, int total)
460 unsigned int hmask = net->xfrm.policy_idx_hmask;
462 if ((hmask + 1) < xfrm_policy_hashmax &&
469 void xfrm_spd_getinfo(struct xfrmk_spdinfo *si)
471 read_lock_bh(&xfrm_policy_lock);
472 si->incnt = init_net.xfrm.policy_count[XFRM_POLICY_IN];
473 si->outcnt = init_net.xfrm.policy_count[XFRM_POLICY_OUT];
474 si->fwdcnt = init_net.xfrm.policy_count[XFRM_POLICY_FWD];
475 si->inscnt = init_net.xfrm.policy_count[XFRM_POLICY_IN+XFRM_POLICY_MAX];
476 si->outscnt = init_net.xfrm.policy_count[XFRM_POLICY_OUT+XFRM_POLICY_MAX];
477 si->fwdscnt = init_net.xfrm.policy_count[XFRM_POLICY_FWD+XFRM_POLICY_MAX];
478 si->spdhcnt = init_net.xfrm.policy_idx_hmask;
479 si->spdhmcnt = xfrm_policy_hashmax;
480 read_unlock_bh(&xfrm_policy_lock);
482 EXPORT_SYMBOL(xfrm_spd_getinfo);
484 static DEFINE_MUTEX(hash_resize_mutex);
485 static void xfrm_hash_resize(struct work_struct *work)
487 struct net *net = container_of(work, struct net, xfrm.policy_hash_work);
490 mutex_lock(&hash_resize_mutex);
493 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
494 if (xfrm_bydst_should_resize(net, dir, &total))
495 xfrm_bydst_resize(net, dir);
497 if (xfrm_byidx_should_resize(net, total))
498 xfrm_byidx_resize(net, total);
500 mutex_unlock(&hash_resize_mutex);
503 /* Generate new index... KAME seems to generate them ordered by cost
504 * of an absolute inpredictability of ordering of rules. This will not pass. */
505 static u32 xfrm_gen_index(struct net *net, int dir)
507 static u32 idx_generator;
510 struct hlist_node *entry;
511 struct hlist_head *list;
512 struct xfrm_policy *p;
516 idx = (idx_generator | dir);
520 list = net->xfrm.policy_byidx + idx_hash(net, idx);
522 hlist_for_each_entry(p, entry, list, byidx) {
523 if (p->index == idx) {
533 static inline int selector_cmp(struct xfrm_selector *s1, struct xfrm_selector *s2)
535 u32 *p1 = (u32 *) s1;
536 u32 *p2 = (u32 *) s2;
537 int len = sizeof(struct xfrm_selector) / sizeof(u32);
540 for (i = 0; i < len; i++) {
548 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
550 struct net *net = xp_net(policy);
551 struct xfrm_policy *pol;
552 struct xfrm_policy *delpol;
553 struct hlist_head *chain;
554 struct hlist_node *entry, *newpos;
555 struct dst_entry *gc_list;
557 write_lock_bh(&xfrm_policy_lock);
558 chain = policy_hash_bysel(net, &policy->selector, policy->family, dir);
561 hlist_for_each_entry(pol, entry, chain, bydst) {
562 if (pol->type == policy->type &&
563 !selector_cmp(&pol->selector, &policy->selector) &&
564 xfrm_sec_ctx_match(pol->security, policy->security) &&
567 write_unlock_bh(&xfrm_policy_lock);
571 if (policy->priority > pol->priority)
573 } else if (policy->priority >= pol->priority) {
574 newpos = &pol->bydst;
581 hlist_add_after(newpos, &policy->bydst);
583 hlist_add_head(&policy->bydst, chain);
584 xfrm_pol_hold(policy);
585 net->xfrm.policy_count[dir]++;
586 atomic_inc(&flow_cache_genid);
588 hlist_del(&delpol->bydst);
589 hlist_del(&delpol->byidx);
590 list_del(&delpol->walk.all);
591 net->xfrm.policy_count[dir]--;
593 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
594 hlist_add_head(&policy->byidx, net->xfrm.policy_byidx+idx_hash(net, policy->index));
595 policy->curlft.add_time = get_seconds();
596 policy->curlft.use_time = 0;
597 if (!mod_timer(&policy->timer, jiffies + HZ))
598 xfrm_pol_hold(policy);
599 list_add(&policy->walk.all, &net->xfrm.policy_all);
600 write_unlock_bh(&xfrm_policy_lock);
603 xfrm_policy_kill(delpol);
604 else if (xfrm_bydst_should_resize(net, dir, NULL))
605 schedule_work(&net->xfrm.policy_hash_work);
607 read_lock_bh(&xfrm_policy_lock);
609 entry = &policy->bydst;
610 hlist_for_each_entry_continue(policy, entry, bydst) {
611 struct dst_entry *dst;
613 write_lock(&policy->lock);
614 dst = policy->bundles;
616 struct dst_entry *tail = dst;
619 tail->next = gc_list;
622 policy->bundles = NULL;
624 write_unlock(&policy->lock);
626 read_unlock_bh(&xfrm_policy_lock);
629 struct dst_entry *dst = gc_list;
637 EXPORT_SYMBOL(xfrm_policy_insert);
639 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u8 type, int dir,
640 struct xfrm_selector *sel,
641 struct xfrm_sec_ctx *ctx, int delete,
644 struct xfrm_policy *pol, *ret;
645 struct hlist_head *chain;
646 struct hlist_node *entry;
649 write_lock_bh(&xfrm_policy_lock);
650 chain = policy_hash_bysel(net, sel, sel->family, dir);
652 hlist_for_each_entry(pol, entry, chain, bydst) {
653 if (pol->type == type &&
654 !selector_cmp(sel, &pol->selector) &&
655 xfrm_sec_ctx_match(ctx, pol->security)) {
658 *err = security_xfrm_policy_delete(
661 write_unlock_bh(&xfrm_policy_lock);
664 hlist_del(&pol->bydst);
665 hlist_del(&pol->byidx);
666 list_del(&pol->walk.all);
667 net->xfrm.policy_count[dir]--;
673 write_unlock_bh(&xfrm_policy_lock);
676 atomic_inc(&flow_cache_genid);
677 xfrm_policy_kill(ret);
681 EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
683 struct xfrm_policy *xfrm_policy_byid(struct net *net, u8 type, int dir, u32 id,
684 int delete, int *err)
686 struct xfrm_policy *pol, *ret;
687 struct hlist_head *chain;
688 struct hlist_node *entry;
691 if (xfrm_policy_id2dir(id) != dir)
695 write_lock_bh(&xfrm_policy_lock);
696 chain = net->xfrm.policy_byidx + idx_hash(net, id);
698 hlist_for_each_entry(pol, entry, chain, byidx) {
699 if (pol->type == type && pol->index == id) {
702 *err = security_xfrm_policy_delete(
705 write_unlock_bh(&xfrm_policy_lock);
708 hlist_del(&pol->bydst);
709 hlist_del(&pol->byidx);
710 list_del(&pol->walk.all);
711 net->xfrm.policy_count[dir]--;
717 write_unlock_bh(&xfrm_policy_lock);
720 atomic_inc(&flow_cache_genid);
721 xfrm_policy_kill(ret);
725 EXPORT_SYMBOL(xfrm_policy_byid);
727 #ifdef CONFIG_SECURITY_NETWORK_XFRM
729 xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info)
733 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
734 struct xfrm_policy *pol;
735 struct hlist_node *entry;
738 hlist_for_each_entry(pol, entry,
739 &net->xfrm.policy_inexact[dir], bydst) {
740 if (pol->type != type)
742 err = security_xfrm_policy_delete(pol->security);
744 xfrm_audit_policy_delete(pol, 0,
745 audit_info->loginuid,
746 audit_info->sessionid,
751 for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
752 hlist_for_each_entry(pol, entry,
753 net->xfrm.policy_bydst[dir].table + i,
755 if (pol->type != type)
757 err = security_xfrm_policy_delete(
760 xfrm_audit_policy_delete(pol, 0,
761 audit_info->loginuid,
762 audit_info->sessionid,
773 xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info)
779 int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
783 write_lock_bh(&xfrm_policy_lock);
785 err = xfrm_policy_flush_secctx_check(net, type, audit_info);
789 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
790 struct xfrm_policy *pol;
791 struct hlist_node *entry;
796 hlist_for_each_entry(pol, entry,
797 &net->xfrm.policy_inexact[dir], bydst) {
798 if (pol->type != type)
800 hlist_del(&pol->bydst);
801 hlist_del(&pol->byidx);
802 list_del(&pol->walk.all);
803 write_unlock_bh(&xfrm_policy_lock);
805 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
806 audit_info->sessionid,
809 xfrm_policy_kill(pol);
812 write_lock_bh(&xfrm_policy_lock);
816 for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
818 hlist_for_each_entry(pol, entry,
819 net->xfrm.policy_bydst[dir].table + i,
821 if (pol->type != type)
823 hlist_del(&pol->bydst);
824 hlist_del(&pol->byidx);
825 list_del(&pol->walk.all);
826 write_unlock_bh(&xfrm_policy_lock);
828 xfrm_audit_policy_delete(pol, 1,
829 audit_info->loginuid,
830 audit_info->sessionid,
832 xfrm_policy_kill(pol);
835 write_lock_bh(&xfrm_policy_lock);
840 net->xfrm.policy_count[dir] -= killed;
842 atomic_inc(&flow_cache_genid);
844 write_unlock_bh(&xfrm_policy_lock);
847 EXPORT_SYMBOL(xfrm_policy_flush);
849 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
850 int (*func)(struct xfrm_policy *, int, int, void*),
853 struct xfrm_policy *pol;
854 struct xfrm_policy_walk_entry *x;
857 if (walk->type >= XFRM_POLICY_TYPE_MAX &&
858 walk->type != XFRM_POLICY_TYPE_ANY)
861 if (list_empty(&walk->walk.all) && walk->seq != 0)
864 write_lock_bh(&xfrm_policy_lock);
865 if (list_empty(&walk->walk.all))
866 x = list_first_entry(&net->xfrm.policy_all, struct xfrm_policy_walk_entry, all);
868 x = list_entry(&walk->walk.all, struct xfrm_policy_walk_entry, all);
869 list_for_each_entry_from(x, &net->xfrm.policy_all, all) {
872 pol = container_of(x, struct xfrm_policy, walk);
873 if (walk->type != XFRM_POLICY_TYPE_ANY &&
874 walk->type != pol->type)
876 error = func(pol, xfrm_policy_id2dir(pol->index),
879 list_move_tail(&walk->walk.all, &x->all);
884 if (walk->seq == 0) {
888 list_del_init(&walk->walk.all);
890 write_unlock_bh(&xfrm_policy_lock);
893 EXPORT_SYMBOL(xfrm_policy_walk);
895 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type)
897 INIT_LIST_HEAD(&walk->walk.all);
902 EXPORT_SYMBOL(xfrm_policy_walk_init);
904 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk)
906 if (list_empty(&walk->walk.all))
909 write_lock_bh(&xfrm_policy_lock);
910 list_del(&walk->walk.all);
911 write_unlock_bh(&xfrm_policy_lock);
913 EXPORT_SYMBOL(xfrm_policy_walk_done);
916 * Find policy to apply to this flow.
918 * Returns 0 if policy found, else an -errno.
920 static int xfrm_policy_match(struct xfrm_policy *pol, struct flowi *fl,
921 u8 type, u16 family, int dir)
923 struct xfrm_selector *sel = &pol->selector;
924 int match, ret = -ESRCH;
926 if (pol->family != family ||
930 match = xfrm_selector_match(sel, fl, family);
932 ret = security_xfrm_policy_lookup(pol->security, fl->secid,
938 static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
943 struct xfrm_policy *pol, *ret;
944 xfrm_address_t *daddr, *saddr;
945 struct hlist_node *entry;
946 struct hlist_head *chain;
949 daddr = xfrm_flowi_daddr(fl, family);
950 saddr = xfrm_flowi_saddr(fl, family);
951 if (unlikely(!daddr || !saddr))
954 read_lock_bh(&xfrm_policy_lock);
955 chain = policy_hash_direct(net, daddr, saddr, family, dir);
957 hlist_for_each_entry(pol, entry, chain, bydst) {
958 err = xfrm_policy_match(pol, fl, type, family, dir);
968 priority = ret->priority;
972 chain = &net->xfrm.policy_inexact[dir];
973 hlist_for_each_entry(pol, entry, chain, bydst) {
974 err = xfrm_policy_match(pol, fl, type, family, dir);
982 } else if (pol->priority < priority) {
990 read_unlock_bh(&xfrm_policy_lock);
995 static int xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family,
996 u8 dir, void **objp, atomic_t **obj_refp)
998 struct xfrm_policy *pol;
1001 #ifdef CONFIG_XFRM_SUB_POLICY
1002 pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_SUB, fl, family, dir);
1010 pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, fl, family, dir);
1015 #ifdef CONFIG_XFRM_SUB_POLICY
1018 if ((*objp = (void *) pol) != NULL)
1019 *obj_refp = &pol->refcnt;
1023 static inline int policy_to_flow_dir(int dir)
1025 if (XFRM_POLICY_IN == FLOW_DIR_IN &&
1026 XFRM_POLICY_OUT == FLOW_DIR_OUT &&
1027 XFRM_POLICY_FWD == FLOW_DIR_FWD)
1031 case XFRM_POLICY_IN:
1033 case XFRM_POLICY_OUT:
1034 return FLOW_DIR_OUT;
1035 case XFRM_POLICY_FWD:
1036 return FLOW_DIR_FWD;
1040 static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl)
1042 struct xfrm_policy *pol;
1044 read_lock_bh(&xfrm_policy_lock);
1045 if ((pol = sk->sk_policy[dir]) != NULL) {
1046 int match = xfrm_selector_match(&pol->selector, fl,
1051 err = security_xfrm_policy_lookup(pol->security,
1053 policy_to_flow_dir(dir));
1056 else if (err == -ESRCH)
1063 read_unlock_bh(&xfrm_policy_lock);
1067 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
1069 struct net *net = xp_net(pol);
1070 struct hlist_head *chain = policy_hash_bysel(net, &pol->selector,
1073 list_add(&pol->walk.all, &net->xfrm.policy_all);
1074 hlist_add_head(&pol->bydst, chain);
1075 hlist_add_head(&pol->byidx, net->xfrm.policy_byidx+idx_hash(net, pol->index));
1076 net->xfrm.policy_count[dir]++;
1079 if (xfrm_bydst_should_resize(net, dir, NULL))
1080 schedule_work(&net->xfrm.policy_hash_work);
1083 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
1086 struct net *net = xp_net(pol);
1088 if (hlist_unhashed(&pol->bydst))
1091 hlist_del(&pol->bydst);
1092 hlist_del(&pol->byidx);
1093 list_del(&pol->walk.all);
1094 net->xfrm.policy_count[dir]--;
1099 int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
1101 write_lock_bh(&xfrm_policy_lock);
1102 pol = __xfrm_policy_unlink(pol, dir);
1103 write_unlock_bh(&xfrm_policy_lock);
1105 if (dir < XFRM_POLICY_MAX)
1106 atomic_inc(&flow_cache_genid);
1107 xfrm_policy_kill(pol);
1112 EXPORT_SYMBOL(xfrm_policy_delete);
1114 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
1116 struct net *net = xp_net(pol);
1117 struct xfrm_policy *old_pol;
1119 #ifdef CONFIG_XFRM_SUB_POLICY
1120 if (pol && pol->type != XFRM_POLICY_TYPE_MAIN)
1124 write_lock_bh(&xfrm_policy_lock);
1125 old_pol = sk->sk_policy[dir];
1126 sk->sk_policy[dir] = pol;
1128 pol->curlft.add_time = get_seconds();
1129 pol->index = xfrm_gen_index(net, XFRM_POLICY_MAX+dir);
1130 __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir);
1133 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
1134 write_unlock_bh(&xfrm_policy_lock);
1137 xfrm_policy_kill(old_pol);
1142 static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir)
1144 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC);
1147 newp->selector = old->selector;
1148 if (security_xfrm_policy_clone(old->security,
1151 return NULL; /* ENOMEM */
1153 newp->lft = old->lft;
1154 newp->curlft = old->curlft;
1155 newp->action = old->action;
1156 newp->flags = old->flags;
1157 newp->xfrm_nr = old->xfrm_nr;
1158 newp->index = old->index;
1159 newp->type = old->type;
1160 memcpy(newp->xfrm_vec, old->xfrm_vec,
1161 newp->xfrm_nr*sizeof(struct xfrm_tmpl));
1162 write_lock_bh(&xfrm_policy_lock);
1163 __xfrm_policy_link(newp, XFRM_POLICY_MAX+dir);
1164 write_unlock_bh(&xfrm_policy_lock);
1170 int __xfrm_sk_clone_policy(struct sock *sk)
1172 struct xfrm_policy *p0 = sk->sk_policy[0],
1173 *p1 = sk->sk_policy[1];
1175 sk->sk_policy[0] = sk->sk_policy[1] = NULL;
1176 if (p0 && (sk->sk_policy[0] = clone_policy(p0, 0)) == NULL)
1178 if (p1 && (sk->sk_policy[1] = clone_policy(p1, 1)) == NULL)
1184 xfrm_get_saddr(struct net *net, xfrm_address_t *local, xfrm_address_t *remote,
1185 unsigned short family)
1188 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1190 if (unlikely(afinfo == NULL))
1192 err = afinfo->get_saddr(net, local, remote);
1193 xfrm_policy_put_afinfo(afinfo);
1197 /* Resolve list of templates for the flow, given policy. */
1200 xfrm_tmpl_resolve_one(struct xfrm_policy *policy, struct flowi *fl,
1201 struct xfrm_state **xfrm,
1202 unsigned short family)
1204 struct net *net = xp_net(policy);
1207 xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
1208 xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
1211 for (nx=0, i = 0; i < policy->xfrm_nr; i++) {
1212 struct xfrm_state *x;
1213 xfrm_address_t *remote = daddr;
1214 xfrm_address_t *local = saddr;
1215 struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
1217 if (tmpl->mode == XFRM_MODE_TUNNEL ||
1218 tmpl->mode == XFRM_MODE_BEET) {
1219 remote = &tmpl->id.daddr;
1220 local = &tmpl->saddr;
1221 family = tmpl->encap_family;
1222 if (xfrm_addr_any(local, family)) {
1223 error = xfrm_get_saddr(net, &tmp, remote, family);
1230 x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
1232 if (x && x->km.state == XFRM_STATE_VALID) {
1239 error = (x->km.state == XFRM_STATE_ERROR ?
1243 else if (error == -ESRCH)
1246 if (!tmpl->optional)
1252 for (nx--; nx>=0; nx--)
1253 xfrm_state_put(xfrm[nx]);
1258 xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl,
1259 struct xfrm_state **xfrm,
1260 unsigned short family)
1262 struct xfrm_state *tp[XFRM_MAX_DEPTH];
1263 struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
1269 for (i = 0; i < npols; i++) {
1270 if (cnx + pols[i]->xfrm_nr >= XFRM_MAX_DEPTH) {
1275 ret = xfrm_tmpl_resolve_one(pols[i], fl, &tpp[cnx], family);
1283 /* found states are sorted for outbound processing */
1285 xfrm_state_sort(xfrm, tpp, cnx, family);
1290 for (cnx--; cnx>=0; cnx--)
1291 xfrm_state_put(tpp[cnx]);
1296 /* Check that the bundle accepts the flow and its components are
1300 static struct dst_entry *
1301 xfrm_find_bundle(struct flowi *fl, struct xfrm_policy *policy, unsigned short family)
1303 struct dst_entry *x;
1304 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1305 if (unlikely(afinfo == NULL))
1306 return ERR_PTR(-EINVAL);
1307 x = afinfo->find_bundle(fl, policy);
1308 xfrm_policy_put_afinfo(afinfo);
1312 static inline int xfrm_get_tos(struct flowi *fl, int family)
1314 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1320 tos = afinfo->get_tos(fl);
1322 xfrm_policy_put_afinfo(afinfo);
1327 static inline struct xfrm_dst *xfrm_alloc_dst(int family)
1329 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1330 struct xfrm_dst *xdst;
1333 return ERR_PTR(-EINVAL);
1335 xdst = dst_alloc(afinfo->dst_ops) ?: ERR_PTR(-ENOBUFS);
1337 xfrm_policy_put_afinfo(afinfo);
1342 static inline int xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst,
1345 struct xfrm_policy_afinfo *afinfo =
1346 xfrm_policy_get_afinfo(dst->ops->family);
1352 err = afinfo->init_path(path, dst, nfheader_len);
1354 xfrm_policy_put_afinfo(afinfo);
1359 static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev)
1361 struct xfrm_policy_afinfo *afinfo =
1362 xfrm_policy_get_afinfo(xdst->u.dst.ops->family);
1368 err = afinfo->fill_dst(xdst, dev);
1370 xfrm_policy_put_afinfo(afinfo);
1375 /* Allocate chain of dst_entry's, attach known xfrm's, calculate
1376 * all the metrics... Shortly, bundle a bundle.
1379 static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
1380 struct xfrm_state **xfrm, int nx,
1382 struct dst_entry *dst)
1384 unsigned long now = jiffies;
1385 struct net_device *dev;
1386 struct dst_entry *dst_prev = NULL;
1387 struct dst_entry *dst0 = NULL;
1391 int nfheader_len = 0;
1392 int trailer_len = 0;
1394 int family = policy->selector.family;
1395 xfrm_address_t saddr, daddr;
1397 xfrm_flowi_addr_get(fl, &saddr, &daddr, family);
1399 tos = xfrm_get_tos(fl, family);
1406 for (; i < nx; i++) {
1407 struct xfrm_dst *xdst = xfrm_alloc_dst(family);
1408 struct dst_entry *dst1 = &xdst->u.dst;
1410 err = PTR_ERR(xdst);
1419 dst_prev->child = dst_clone(dst1);
1420 dst1->flags |= DST_NOHASH;
1424 memcpy(&dst1->metrics, &dst->metrics, sizeof(dst->metrics));
1426 if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
1427 family = xfrm[i]->props.family;
1428 dst = xfrm_dst_lookup(xfrm[i], tos, &saddr, &daddr,
1436 dst1->xfrm = xfrm[i];
1437 xdst->genid = xfrm[i]->genid;
1439 dst1->obsolete = -1;
1440 dst1->flags |= DST_HOST;
1441 dst1->lastuse = now;
1443 dst1->input = dst_discard;
1444 dst1->output = xfrm[i]->outer_mode->afinfo->output;
1446 dst1->next = dst_prev;
1449 header_len += xfrm[i]->props.header_len;
1450 if (xfrm[i]->type->flags & XFRM_TYPE_NON_FRAGMENT)
1451 nfheader_len += xfrm[i]->props.header_len;
1452 trailer_len += xfrm[i]->props.trailer_len;
1455 dst_prev->child = dst;
1463 /* Copy neighbout for reachability confirmation */
1464 dst0->neighbour = neigh_clone(dst->neighbour);
1466 xfrm_init_path((struct xfrm_dst *)dst0, dst, nfheader_len);
1467 xfrm_init_pmtu(dst_prev);
1469 for (dst_prev = dst0; dst_prev != dst; dst_prev = dst_prev->child) {
1470 struct xfrm_dst *xdst = (struct xfrm_dst *)dst_prev;
1472 err = xfrm_fill_dst(xdst, dev);
1476 dst_prev->header_len = header_len;
1477 dst_prev->trailer_len = trailer_len;
1478 header_len -= xdst->u.dst.xfrm->props.header_len;
1479 trailer_len -= xdst->u.dst.xfrm->props.trailer_len;
1487 xfrm_state_put(xfrm[i]);
1491 dst0 = ERR_PTR(err);
1496 xfrm_dst_alloc_copy(void **target, void *src, int size)
1499 *target = kmalloc(size, GFP_ATOMIC);
1503 memcpy(*target, src, size);
1508 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
1510 #ifdef CONFIG_XFRM_SUB_POLICY
1511 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
1512 return xfrm_dst_alloc_copy((void **)&(xdst->partner),
1520 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
1522 #ifdef CONFIG_XFRM_SUB_POLICY
1523 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
1524 return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl));
1530 static int stale_bundle(struct dst_entry *dst);
1532 /* Main function: finds/creates a bundle for given flow.
1534 * At the moment we eat a raw IP route. Mostly to speed up lookups
1535 * on interfaces with disabled IPsec.
1537 int __xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl,
1538 struct sock *sk, int flags)
1540 struct xfrm_policy *policy;
1541 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1546 struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
1547 struct dst_entry *dst, *dst_orig = *dst_p;
1552 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
1555 genid = atomic_read(&flow_cache_genid);
1557 for (pi = 0; pi < ARRAY_SIZE(pols); pi++)
1563 if (sk && sk->sk_policy[XFRM_POLICY_OUT]) {
1564 policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
1565 err = PTR_ERR(policy);
1566 if (IS_ERR(policy)) {
1567 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
1573 /* To accelerate a bit... */
1574 if ((dst_orig->flags & DST_NOXFRM) ||
1575 !net->xfrm.policy_count[XFRM_POLICY_OUT])
1578 policy = flow_cache_lookup(net, fl, dst_orig->ops->family,
1579 dir, xfrm_policy_lookup);
1580 err = PTR_ERR(policy);
1581 if (IS_ERR(policy)) {
1582 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
1590 family = dst_orig->ops->family;
1593 xfrm_nr += pols[0]->xfrm_nr;
1596 if ((flags & XFRM_LOOKUP_ICMP) && !(policy->flags & XFRM_POLICY_ICMP))
1599 policy->curlft.use_time = get_seconds();
1601 switch (policy->action) {
1603 case XFRM_POLICY_BLOCK:
1604 /* Prohibit the flow */
1605 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLBLOCK);
1609 case XFRM_POLICY_ALLOW:
1610 #ifndef CONFIG_XFRM_SUB_POLICY
1611 if (policy->xfrm_nr == 0) {
1612 /* Flow passes not transformed. */
1613 xfrm_pol_put(policy);
1618 /* Try to find matching bundle.
1620 * LATER: help from flow cache. It is optional, this
1621 * is required only for output policy.
1623 dst = xfrm_find_bundle(fl, policy, family);
1625 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1633 #ifdef CONFIG_XFRM_SUB_POLICY
1634 if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
1635 pols[1] = xfrm_policy_lookup_bytype(net,
1636 XFRM_POLICY_TYPE_MAIN,
1640 if (IS_ERR(pols[1])) {
1641 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
1642 err = PTR_ERR(pols[1]);
1645 if (pols[1]->action == XFRM_POLICY_BLOCK) {
1646 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLBLOCK);
1651 xfrm_nr += pols[1]->xfrm_nr;
1656 * Because neither flowi nor bundle information knows about
1657 * transformation template size. On more than one policy usage
1658 * we can realize whether all of them is bypass or not after
1659 * they are searched. See above not-transformed bypass
1660 * is surrounded by non-sub policy configuration, too.
1663 /* Flow passes not transformed. */
1664 xfrm_pols_put(pols, npols);
1669 nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family);
1671 if (unlikely(nx<0)) {
1673 if (err == -EAGAIN && net->xfrm.sysctl_larval_drop) {
1674 /* EREMOTE tells the caller to generate
1675 * a one-shot blackhole route.
1677 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1678 xfrm_pol_put(policy);
1681 if (err == -EAGAIN && (flags & XFRM_LOOKUP_WAIT)) {
1682 DECLARE_WAITQUEUE(wait, current);
1684 add_wait_queue(&net->xfrm.km_waitq, &wait);
1685 set_current_state(TASK_INTERRUPTIBLE);
1687 set_current_state(TASK_RUNNING);
1688 remove_wait_queue(&net->xfrm.km_waitq, &wait);
1690 nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family);
1692 if (nx == -EAGAIN && signal_pending(current)) {
1693 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1697 if (nx == -EAGAIN ||
1698 genid != atomic_read(&flow_cache_genid)) {
1699 xfrm_pols_put(pols, npols);
1705 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1710 /* Flow passes not transformed. */
1711 xfrm_pols_put(pols, npols);
1715 dst = xfrm_bundle_create(policy, xfrm, nx, fl, dst_orig);
1718 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLEGENERROR);
1722 for (pi = 0; pi < npols; pi++) {
1723 read_lock_bh(&pols[pi]->lock);
1724 pol_dead |= pols[pi]->walk.dead;
1725 read_unlock_bh(&pols[pi]->lock);
1728 write_lock_bh(&policy->lock);
1729 if (unlikely(pol_dead || stale_bundle(dst))) {
1730 /* Wow! While we worked on resolving, this
1731 * policy has gone. Retry. It is not paranoia,
1732 * we just cannot enlist new bundle to dead object.
1733 * We can't enlist stable bundles either.
1735 write_unlock_bh(&policy->lock);
1739 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLDEAD);
1741 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1742 err = -EHOSTUNREACH;
1747 err = xfrm_dst_update_parent(dst, &pols[1]->selector);
1749 err = xfrm_dst_update_origin(dst, fl);
1750 if (unlikely(err)) {
1751 write_unlock_bh(&policy->lock);
1753 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1757 dst->next = policy->bundles;
1758 policy->bundles = dst;
1760 write_unlock_bh(&policy->lock);
1763 dst_release(dst_orig);
1764 xfrm_pols_put(pols, npols);
1768 xfrm_pols_put(pols, npols);
1770 dst_release(dst_orig);
1776 if (flags & XFRM_LOOKUP_ICMP)
1780 EXPORT_SYMBOL(__xfrm_lookup);
1782 int xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl,
1783 struct sock *sk, int flags)
1785 int err = __xfrm_lookup(net, dst_p, fl, sk, flags);
1787 if (err == -EREMOTE) {
1788 dst_release(*dst_p);
1795 EXPORT_SYMBOL(xfrm_lookup);
1798 xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl)
1800 struct xfrm_state *x;
1802 if (!skb->sp || idx < 0 || idx >= skb->sp->len)
1804 x = skb->sp->xvec[idx];
1805 if (!x->type->reject)
1807 return x->type->reject(x, skb, fl);
1810 /* When skb is transformed back to its "native" form, we have to
1811 * check policy restrictions. At the moment we make this in maximally
1812 * stupid way. Shame on me. :-) Of course, connected sockets must
1813 * have policy cached at them.
1817 xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
1818 unsigned short family)
1820 if (xfrm_state_kern(x))
1821 return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family);
1822 return x->id.proto == tmpl->id.proto &&
1823 (x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
1824 (x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
1825 x->props.mode == tmpl->mode &&
1826 (tmpl->allalgs || (tmpl->aalgos & (1<<x->props.aalgo)) ||
1827 !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
1828 !(x->props.mode != XFRM_MODE_TRANSPORT &&
1829 xfrm_state_addr_cmp(tmpl, x, family));
1833 * 0 or more than 0 is returned when validation is succeeded (either bypass
1834 * because of optional transport mode, or next index of the mathced secpath
1835 * state with the template.
1836 * -1 is returned when no matching template is found.
1837 * Otherwise "-2 - errored_index" is returned.
1840 xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
1841 unsigned short family)
1845 if (tmpl->optional) {
1846 if (tmpl->mode == XFRM_MODE_TRANSPORT)
1850 for (; idx < sp->len; idx++) {
1851 if (xfrm_state_ok(tmpl, sp->xvec[idx], family))
1853 if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
1862 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1863 unsigned int family, int reverse)
1865 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1868 if (unlikely(afinfo == NULL))
1869 return -EAFNOSUPPORT;
1871 afinfo->decode_session(skb, fl, reverse);
1872 err = security_xfrm_decode_session(skb, &fl->secid);
1873 xfrm_policy_put_afinfo(afinfo);
1876 EXPORT_SYMBOL(__xfrm_decode_session);
1878 static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp)
1880 for (; k < sp->len; k++) {
1881 if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
1890 int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
1891 unsigned short family)
1893 struct net *net = dev_net(skb->dev);
1894 struct xfrm_policy *pol;
1895 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1904 reverse = dir & ~XFRM_POLICY_MASK;
1905 dir &= XFRM_POLICY_MASK;
1906 fl_dir = policy_to_flow_dir(dir);
1908 if (__xfrm_decode_session(skb, &fl, family, reverse) < 0) {
1909 XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
1913 nf_nat_decode_session(skb, &fl, family);
1915 /* First, check used SA against their selectors. */
1919 for (i=skb->sp->len-1; i>=0; i--) {
1920 struct xfrm_state *x = skb->sp->xvec[i];
1921 if (!xfrm_selector_match(&x->sel, &fl, family)) {
1922 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH);
1929 if (sk && sk->sk_policy[dir]) {
1930 pol = xfrm_sk_policy_lookup(sk, dir, &fl);
1932 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
1938 pol = flow_cache_lookup(net, &fl, family, fl_dir,
1939 xfrm_policy_lookup);
1942 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
1947 if (skb->sp && secpath_has_nontransport(skb->sp, 0, &xerr_idx)) {
1948 xfrm_secpath_reject(xerr_idx, skb, &fl);
1949 XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
1955 pol->curlft.use_time = get_seconds();
1959 #ifdef CONFIG_XFRM_SUB_POLICY
1960 if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
1961 pols[1] = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN,
1965 if (IS_ERR(pols[1])) {
1966 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
1969 pols[1]->curlft.use_time = get_seconds();
1975 if (pol->action == XFRM_POLICY_ALLOW) {
1976 struct sec_path *sp;
1977 static struct sec_path dummy;
1978 struct xfrm_tmpl *tp[XFRM_MAX_DEPTH];
1979 struct xfrm_tmpl *stp[XFRM_MAX_DEPTH];
1980 struct xfrm_tmpl **tpp = tp;
1984 if ((sp = skb->sp) == NULL)
1987 for (pi = 0; pi < npols; pi++) {
1988 if (pols[pi] != pol &&
1989 pols[pi]->action != XFRM_POLICY_ALLOW) {
1990 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
1993 if (ti + pols[pi]->xfrm_nr >= XFRM_MAX_DEPTH) {
1994 XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
1997 for (i = 0; i < pols[pi]->xfrm_nr; i++)
1998 tpp[ti++] = &pols[pi]->xfrm_vec[i];
2002 xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
2006 /* For each tunnel xfrm, find the first matching tmpl.
2007 * For each tmpl before that, find corresponding xfrm.
2008 * Order is _important_. Later we will implement
2009 * some barriers, but at the moment barriers
2010 * are implied between each two transformations.
2012 for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
2013 k = xfrm_policy_ok(tpp[i], sp, k, family);
2016 /* "-2 - errored_index" returned */
2018 XFRM_INC_STATS(net, LINUX_MIB_XFRMINTMPLMISMATCH);
2023 if (secpath_has_nontransport(sp, k, &xerr_idx)) {
2024 XFRM_INC_STATS(net, LINUX_MIB_XFRMINTMPLMISMATCH);
2028 xfrm_pols_put(pols, npols);
2031 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
2034 xfrm_secpath_reject(xerr_idx, skb, &fl);
2036 xfrm_pols_put(pols, npols);
2039 EXPORT_SYMBOL(__xfrm_policy_check);
2041 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
2043 struct net *net = dev_net(skb->dev);
2046 if (xfrm_decode_session(skb, &fl, family) < 0) {
2047 /* XXX: we should have something like FWDHDRERROR here. */
2048 XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
2052 return xfrm_lookup(net, &skb->dst, &fl, NULL, 0) == 0;
2054 EXPORT_SYMBOL(__xfrm_route_forward);
2056 /* Optimize later using cookies and generation ids. */
2058 static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
2060 /* Code (such as __xfrm4_bundle_create()) sets dst->obsolete
2061 * to "-1" to force all XFRM destinations to get validated by
2062 * dst_ops->check on every use. We do this because when a
2063 * normal route referenced by an XFRM dst is obsoleted we do
2064 * not go looking around for all parent referencing XFRM dsts
2065 * so that we can invalidate them. It is just too much work.
2066 * Instead we make the checks here on every use. For example:
2068 * XFRM dst A --> IPv4 dst X
2070 * X is the "xdst->route" of A (X is also the "dst->path" of A
2071 * in this example). If X is marked obsolete, "A" will not
2072 * notice. That's what we are validating here via the
2073 * stale_bundle() check.
2075 * When a policy's bundle is pruned, we dst_free() the XFRM
2076 * dst which causes it's ->obsolete field to be set to a
2077 * positive non-zero integer. If an XFRM dst has been pruned
2078 * like this, we want to force a new route lookup.
2080 if (dst->obsolete < 0 && !stale_bundle(dst))
2086 static int stale_bundle(struct dst_entry *dst)
2088 return !xfrm_bundle_ok(NULL, (struct xfrm_dst *)dst, NULL, AF_UNSPEC, 0);
2091 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
2093 while ((dst = dst->child) && dst->xfrm && dst->dev == dev) {
2094 dst->dev = dev_net(dev)->loopback_dev;
2099 EXPORT_SYMBOL(xfrm_dst_ifdown);
2101 static void xfrm_link_failure(struct sk_buff *skb)
2103 /* Impossible. Such dst must be popped before reaches point of failure. */
2107 static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
2110 if (dst->obsolete) {
2118 static void prune_one_bundle(struct xfrm_policy *pol, int (*func)(struct dst_entry *), struct dst_entry **gc_list_p)
2120 struct dst_entry *dst, **dstp;
2122 write_lock(&pol->lock);
2123 dstp = &pol->bundles;
2124 while ((dst=*dstp) != NULL) {
2127 dst->next = *gc_list_p;
2133 write_unlock(&pol->lock);
2136 static void xfrm_prune_bundles(struct net *net, int (*func)(struct dst_entry *))
2138 struct dst_entry *gc_list = NULL;
2141 read_lock_bh(&xfrm_policy_lock);
2142 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
2143 struct xfrm_policy *pol;
2144 struct hlist_node *entry;
2145 struct hlist_head *table;
2148 hlist_for_each_entry(pol, entry,
2149 &net->xfrm.policy_inexact[dir], bydst)
2150 prune_one_bundle(pol, func, &gc_list);
2152 table = net->xfrm.policy_bydst[dir].table;
2153 for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
2154 hlist_for_each_entry(pol, entry, table + i, bydst)
2155 prune_one_bundle(pol, func, &gc_list);
2158 read_unlock_bh(&xfrm_policy_lock);
2161 struct dst_entry *dst = gc_list;
2162 gc_list = dst->next;
2167 static int unused_bundle(struct dst_entry *dst)
2169 return !atomic_read(&dst->__refcnt);
2172 static void __xfrm_garbage_collect(struct net *net)
2174 xfrm_prune_bundles(net, unused_bundle);
2177 static int xfrm_flush_bundles(struct net *net)
2179 xfrm_prune_bundles(net, stale_bundle);
2183 static void xfrm_init_pmtu(struct dst_entry *dst)
2186 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
2187 u32 pmtu, route_mtu_cached;
2189 pmtu = dst_mtu(dst->child);
2190 xdst->child_mtu_cached = pmtu;
2192 pmtu = xfrm_state_mtu(dst->xfrm, pmtu);
2194 route_mtu_cached = dst_mtu(xdst->route);
2195 xdst->route_mtu_cached = route_mtu_cached;
2197 if (pmtu > route_mtu_cached)
2198 pmtu = route_mtu_cached;
2200 dst->metrics[RTAX_MTU-1] = pmtu;
2201 } while ((dst = dst->next));
2204 /* Check that the bundle accepts the flow and its components are
2208 int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
2209 struct flowi *fl, int family, int strict)
2211 struct dst_entry *dst = &first->u.dst;
2212 struct xfrm_dst *last;
2215 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
2216 (dst->dev && !netif_running(dst->dev)))
2218 #ifdef CONFIG_XFRM_SUB_POLICY
2220 if (first->origin && !flow_cache_uli_match(first->origin, fl))
2222 if (first->partner &&
2223 !xfrm_selector_match(first->partner, fl, family))
2231 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
2233 if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
2236 !security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl))
2238 if (dst->xfrm->km.state != XFRM_STATE_VALID)
2240 if (xdst->genid != dst->xfrm->genid)
2244 !(dst->xfrm->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
2245 !xfrm_state_addr_flow_check(dst->xfrm, fl, family))
2248 mtu = dst_mtu(dst->child);
2249 if (xdst->child_mtu_cached != mtu) {
2251 xdst->child_mtu_cached = mtu;
2254 if (!dst_check(xdst->route, xdst->route_cookie))
2256 mtu = dst_mtu(xdst->route);
2257 if (xdst->route_mtu_cached != mtu) {
2259 xdst->route_mtu_cached = mtu;
2263 } while (dst->xfrm);
2268 mtu = last->child_mtu_cached;
2272 mtu = xfrm_state_mtu(dst->xfrm, mtu);
2273 if (mtu > last->route_mtu_cached)
2274 mtu = last->route_mtu_cached;
2275 dst->metrics[RTAX_MTU-1] = mtu;
2280 last = (struct xfrm_dst *)last->u.dst.next;
2281 last->child_mtu_cached = mtu;
2287 EXPORT_SYMBOL(xfrm_bundle_ok);
2289 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
2292 if (unlikely(afinfo == NULL))
2294 if (unlikely(afinfo->family >= NPROTO))
2295 return -EAFNOSUPPORT;
2296 write_lock_bh(&xfrm_policy_afinfo_lock);
2297 if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL))
2300 struct dst_ops *dst_ops = afinfo->dst_ops;
2301 if (likely(dst_ops->kmem_cachep == NULL))
2302 dst_ops->kmem_cachep = xfrm_dst_cache;
2303 if (likely(dst_ops->check == NULL))
2304 dst_ops->check = xfrm_dst_check;
2305 if (likely(dst_ops->negative_advice == NULL))
2306 dst_ops->negative_advice = xfrm_negative_advice;
2307 if (likely(dst_ops->link_failure == NULL))
2308 dst_ops->link_failure = xfrm_link_failure;
2309 if (likely(afinfo->garbage_collect == NULL))
2310 afinfo->garbage_collect = __xfrm_garbage_collect;
2311 xfrm_policy_afinfo[afinfo->family] = afinfo;
2313 write_unlock_bh(&xfrm_policy_afinfo_lock);
2316 EXPORT_SYMBOL(xfrm_policy_register_afinfo);
2318 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
2321 if (unlikely(afinfo == NULL))
2323 if (unlikely(afinfo->family >= NPROTO))
2324 return -EAFNOSUPPORT;
2325 write_lock_bh(&xfrm_policy_afinfo_lock);
2326 if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) {
2327 if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo))
2330 struct dst_ops *dst_ops = afinfo->dst_ops;
2331 xfrm_policy_afinfo[afinfo->family] = NULL;
2332 dst_ops->kmem_cachep = NULL;
2333 dst_ops->check = NULL;
2334 dst_ops->negative_advice = NULL;
2335 dst_ops->link_failure = NULL;
2336 afinfo->garbage_collect = NULL;
2339 write_unlock_bh(&xfrm_policy_afinfo_lock);
2342 EXPORT_SYMBOL(xfrm_policy_unregister_afinfo);
2344 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)
2346 struct xfrm_policy_afinfo *afinfo;
2347 if (unlikely(family >= NPROTO))
2349 read_lock(&xfrm_policy_afinfo_lock);
2350 afinfo = xfrm_policy_afinfo[family];
2351 if (unlikely(!afinfo))
2352 read_unlock(&xfrm_policy_afinfo_lock);
2356 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo)
2358 read_unlock(&xfrm_policy_afinfo_lock);
2361 static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr)
2363 struct net_device *dev = ptr;
2367 xfrm_flush_bundles(dev_net(dev));
2372 static struct notifier_block xfrm_dev_notifier = {
2373 .notifier_call = xfrm_dev_event,
2376 #ifdef CONFIG_XFRM_STATISTICS
2377 static int __net_init xfrm_statistics_init(struct net *net)
2381 if (snmp_mib_init((void **)net->mib.xfrm_statistics,
2382 sizeof(struct linux_xfrm_mib)) < 0)
2384 rv = xfrm_proc_init(net);
2386 snmp_mib_free((void **)net->mib.xfrm_statistics);
2390 static void xfrm_statistics_fini(struct net *net)
2392 xfrm_proc_fini(net);
2393 snmp_mib_free((void **)net->mib.xfrm_statistics);
2396 static int __net_init xfrm_statistics_init(struct net *net)
2401 static void xfrm_statistics_fini(struct net *net)
2406 static int __net_init xfrm_policy_init(struct net *net)
2408 unsigned int hmask, sz;
2411 if (net_eq(net, &init_net))
2412 xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache",
2413 sizeof(struct xfrm_dst),
2414 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC,
2418 sz = (hmask+1) * sizeof(struct hlist_head);
2420 net->xfrm.policy_byidx = xfrm_hash_alloc(sz);
2421 if (!net->xfrm.policy_byidx)
2423 net->xfrm.policy_idx_hmask = hmask;
2425 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
2426 struct xfrm_policy_hash *htab;
2428 net->xfrm.policy_count[dir] = 0;
2429 INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]);
2431 htab = &net->xfrm.policy_bydst[dir];
2432 htab->table = xfrm_hash_alloc(sz);
2435 htab->hmask = hmask;
2438 INIT_LIST_HEAD(&net->xfrm.policy_all);
2439 INIT_WORK(&net->xfrm.policy_hash_work, xfrm_hash_resize);
2440 if (net_eq(net, &init_net))
2441 register_netdevice_notifier(&xfrm_dev_notifier);
2445 for (dir--; dir >= 0; dir--) {
2446 struct xfrm_policy_hash *htab;
2448 htab = &net->xfrm.policy_bydst[dir];
2449 xfrm_hash_free(htab->table, sz);
2451 xfrm_hash_free(net->xfrm.policy_byidx, sz);
2456 static void xfrm_policy_fini(struct net *net)
2458 struct xfrm_audit audit_info;
2462 flush_work(&net->xfrm.policy_hash_work);
2463 #ifdef CONFIG_XFRM_SUB_POLICY
2464 audit_info.loginuid = -1;
2465 audit_info.sessionid = -1;
2466 audit_info.secid = 0;
2467 xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info);
2469 audit_info.loginuid = -1;
2470 audit_info.sessionid = -1;
2471 audit_info.secid = 0;
2472 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
2473 flush_work(&xfrm_policy_gc_work);
2475 WARN_ON(!list_empty(&net->xfrm.policy_all));
2477 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
2478 struct xfrm_policy_hash *htab;
2480 WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir]));
2482 htab = &net->xfrm.policy_bydst[dir];
2483 sz = (htab->hmask + 1);
2484 WARN_ON(!hlist_empty(htab->table));
2485 xfrm_hash_free(htab->table, sz);
2488 sz = (net->xfrm.policy_idx_hmask + 1) * sizeof(struct hlist_head);
2489 WARN_ON(!hlist_empty(net->xfrm.policy_byidx));
2490 xfrm_hash_free(net->xfrm.policy_byidx, sz);
2493 static int __net_init xfrm_net_init(struct net *net)
2497 rv = xfrm_statistics_init(net);
2499 goto out_statistics;
2500 rv = xfrm_state_init(net);
2503 rv = xfrm_policy_init(net);
2506 rv = xfrm_sysctl_init(net);
2512 xfrm_policy_fini(net);
2514 xfrm_state_fini(net);
2516 xfrm_statistics_fini(net);
2521 static void __net_exit xfrm_net_exit(struct net *net)
2523 xfrm_sysctl_fini(net);
2524 xfrm_policy_fini(net);
2525 xfrm_state_fini(net);
2526 xfrm_statistics_fini(net);
2529 static struct pernet_operations __net_initdata xfrm_net_ops = {
2530 .init = xfrm_net_init,
2531 .exit = xfrm_net_exit,
2534 void __init xfrm_init(void)
2536 register_pernet_subsys(&xfrm_net_ops);
2540 #ifdef CONFIG_AUDITSYSCALL
2541 static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
2542 struct audit_buffer *audit_buf)
2544 struct xfrm_sec_ctx *ctx = xp->security;
2545 struct xfrm_selector *sel = &xp->selector;
2548 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2549 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
2551 switch(sel->family) {
2553 audit_log_format(audit_buf, " src=%pI4", &sel->saddr.a4);
2554 if (sel->prefixlen_s != 32)
2555 audit_log_format(audit_buf, " src_prefixlen=%d",
2557 audit_log_format(audit_buf, " dst=%pI4", &sel->daddr.a4);
2558 if (sel->prefixlen_d != 32)
2559 audit_log_format(audit_buf, " dst_prefixlen=%d",
2563 audit_log_format(audit_buf, " src=%pI6", sel->saddr.a6);
2564 if (sel->prefixlen_s != 128)
2565 audit_log_format(audit_buf, " src_prefixlen=%d",
2567 audit_log_format(audit_buf, " dst=%pI6", sel->daddr.a6);
2568 if (sel->prefixlen_d != 128)
2569 audit_log_format(audit_buf, " dst_prefixlen=%d",
2575 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
2576 uid_t auid, u32 sessionid, u32 secid)
2578 struct audit_buffer *audit_buf;
2580 audit_buf = xfrm_audit_start("SPD-add");
2581 if (audit_buf == NULL)
2583 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2584 audit_log_format(audit_buf, " res=%u", result);
2585 xfrm_audit_common_policyinfo(xp, audit_buf);
2586 audit_log_end(audit_buf);
2588 EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
2590 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
2591 uid_t auid, u32 sessionid, u32 secid)
2593 struct audit_buffer *audit_buf;
2595 audit_buf = xfrm_audit_start("SPD-delete");
2596 if (audit_buf == NULL)
2598 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2599 audit_log_format(audit_buf, " res=%u", result);
2600 xfrm_audit_common_policyinfo(xp, audit_buf);
2601 audit_log_end(audit_buf);
2603 EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
2606 #ifdef CONFIG_XFRM_MIGRATE
2607 static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp,
2608 struct xfrm_selector *sel_tgt)
2610 if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
2611 if (sel_tgt->family == sel_cmp->family &&
2612 xfrm_addr_cmp(&sel_tgt->daddr, &sel_cmp->daddr,
2613 sel_cmp->family) == 0 &&
2614 xfrm_addr_cmp(&sel_tgt->saddr, &sel_cmp->saddr,
2615 sel_cmp->family) == 0 &&
2616 sel_tgt->prefixlen_d == sel_cmp->prefixlen_d &&
2617 sel_tgt->prefixlen_s == sel_cmp->prefixlen_s) {
2621 if (memcmp(sel_tgt, sel_cmp, sizeof(*sel_tgt)) == 0) {
2628 static struct xfrm_policy * xfrm_migrate_policy_find(struct xfrm_selector *sel,
2631 struct xfrm_policy *pol, *ret = NULL;
2632 struct hlist_node *entry;
2633 struct hlist_head *chain;
2636 read_lock_bh(&xfrm_policy_lock);
2637 chain = policy_hash_direct(&init_net, &sel->daddr, &sel->saddr, sel->family, dir);
2638 hlist_for_each_entry(pol, entry, chain, bydst) {
2639 if (xfrm_migrate_selector_match(sel, &pol->selector) &&
2640 pol->type == type) {
2642 priority = ret->priority;
2646 chain = &init_net.xfrm.policy_inexact[dir];
2647 hlist_for_each_entry(pol, entry, chain, bydst) {
2648 if (xfrm_migrate_selector_match(sel, &pol->selector) &&
2649 pol->type == type &&
2650 pol->priority < priority) {
2659 read_unlock_bh(&xfrm_policy_lock);
2664 static int migrate_tmpl_match(struct xfrm_migrate *m, struct xfrm_tmpl *t)
2668 if (t->mode == m->mode && t->id.proto == m->proto &&
2669 (m->reqid == 0 || t->reqid == m->reqid)) {
2671 case XFRM_MODE_TUNNEL:
2672 case XFRM_MODE_BEET:
2673 if (xfrm_addr_cmp(&t->id.daddr, &m->old_daddr,
2674 m->old_family) == 0 &&
2675 xfrm_addr_cmp(&t->saddr, &m->old_saddr,
2676 m->old_family) == 0) {
2680 case XFRM_MODE_TRANSPORT:
2681 /* in case of transport mode, template does not store
2682 any IP addresses, hence we just compare mode and
2693 /* update endpoint address(es) of template(s) */
2694 static int xfrm_policy_migrate(struct xfrm_policy *pol,
2695 struct xfrm_migrate *m, int num_migrate)
2697 struct xfrm_migrate *mp;
2698 struct dst_entry *dst;
2701 write_lock_bh(&pol->lock);
2702 if (unlikely(pol->walk.dead)) {
2703 /* target policy has been deleted */
2704 write_unlock_bh(&pol->lock);
2708 for (i = 0; i < pol->xfrm_nr; i++) {
2709 for (j = 0, mp = m; j < num_migrate; j++, mp++) {
2710 if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i]))
2713 if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL &&
2714 pol->xfrm_vec[i].mode != XFRM_MODE_BEET)
2716 /* update endpoints */
2717 memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr,
2718 sizeof(pol->xfrm_vec[i].id.daddr));
2719 memcpy(&pol->xfrm_vec[i].saddr, &mp->new_saddr,
2720 sizeof(pol->xfrm_vec[i].saddr));
2721 pol->xfrm_vec[i].encap_family = mp->new_family;
2723 while ((dst = pol->bundles) != NULL) {
2724 pol->bundles = dst->next;
2730 write_unlock_bh(&pol->lock);
2738 static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate)
2742 if (num_migrate < 1 || num_migrate > XFRM_MAX_DEPTH)
2745 for (i = 0; i < num_migrate; i++) {
2746 if ((xfrm_addr_cmp(&m[i].old_daddr, &m[i].new_daddr,
2747 m[i].old_family) == 0) &&
2748 (xfrm_addr_cmp(&m[i].old_saddr, &m[i].new_saddr,
2749 m[i].old_family) == 0))
2751 if (xfrm_addr_any(&m[i].new_daddr, m[i].new_family) ||
2752 xfrm_addr_any(&m[i].new_saddr, m[i].new_family))
2755 /* check if there is any duplicated entry */
2756 for (j = i + 1; j < num_migrate; j++) {
2757 if (!memcmp(&m[i].old_daddr, &m[j].old_daddr,
2758 sizeof(m[i].old_daddr)) &&
2759 !memcmp(&m[i].old_saddr, &m[j].old_saddr,
2760 sizeof(m[i].old_saddr)) &&
2761 m[i].proto == m[j].proto &&
2762 m[i].mode == m[j].mode &&
2763 m[i].reqid == m[j].reqid &&
2764 m[i].old_family == m[j].old_family)
2772 int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
2773 struct xfrm_migrate *m, int num_migrate,
2774 struct xfrm_kmaddress *k)
2776 int i, err, nx_cur = 0, nx_new = 0;
2777 struct xfrm_policy *pol = NULL;
2778 struct xfrm_state *x, *xc;
2779 struct xfrm_state *x_cur[XFRM_MAX_DEPTH];
2780 struct xfrm_state *x_new[XFRM_MAX_DEPTH];
2781 struct xfrm_migrate *mp;
2783 if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
2786 /* Stage 1 - find policy */
2787 if ((pol = xfrm_migrate_policy_find(sel, dir, type)) == NULL) {
2792 /* Stage 2 - find and update state(s) */
2793 for (i = 0, mp = m; i < num_migrate; i++, mp++) {
2794 if ((x = xfrm_migrate_state_find(mp))) {
2797 if ((xc = xfrm_state_migrate(x, mp))) {
2807 /* Stage 3 - update policy */
2808 if ((err = xfrm_policy_migrate(pol, m, num_migrate)) < 0)
2811 /* Stage 4 - delete old state(s) */
2813 xfrm_states_put(x_cur, nx_cur);
2814 xfrm_states_delete(x_cur, nx_cur);
2817 /* Stage 5 - announce */
2818 km_migrate(sel, dir, type, m, num_migrate, k);
2830 xfrm_states_put(x_cur, nx_cur);
2832 xfrm_states_delete(x_new, nx_new);
2836 EXPORT_SYMBOL(xfrm_migrate);
projects / linux-2.6-omap-h63xx.git / blob