4 #include <linux/compiler.h>
5 #include <linux/xfrm.h>
6 #include <linux/spinlock.h>
7 #include <linux/list.h>
8 #include <linux/skbuff.h>
9 #include <linux/socket.h>
10 #include <linux/pfkeyv2.h>
11 #include <linux/ipsec.h>
12 #include <linux/in6.h>
13 #include <linux/mutex.h>
14 #include <linux/audit.h>
19 #include <net/route.h>
21 #include <net/ip6_fib.h>
23 #define XFRM_PROTO_ESP 50
24 #define XFRM_PROTO_AH 51
25 #define XFRM_PROTO_COMP 108
26 #define XFRM_PROTO_IPIP 4
27 #define XFRM_PROTO_IPV6 41
28 #define XFRM_PROTO_ROUTING IPPROTO_ROUTING
29 #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS
31 #define XFRM_ALIGN8(len) (((len) + 7) & ~7)
32 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
33 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
34 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
35 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
37 extern struct sock *xfrm_nl;
38 extern u32 sysctl_xfrm_aevent_etime;
39 extern u32 sysctl_xfrm_aevent_rseqth;
40 extern int sysctl_xfrm_larval_drop;
41 extern u32 sysctl_xfrm_acq_expires;
43 extern struct mutex xfrm_cfg_mutex;
45 /* Organization of SPD aka "XFRM rules"
46 ------------------------------------
49 - policy rule, struct xfrm_policy (=SPD entry)
50 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
51 - instance of a transformer, struct xfrm_state (=SA)
52 - template to clone xfrm_state, struct xfrm_tmpl
54 SPD is plain linear list of xfrm_policy rules, ordered by priority.
55 (To be compatible with existing pfkeyv2 implementations,
56 many rules with priority of 0x7fffffff are allowed to exist and
57 such rules are ordered in an unpredictable way, thanks to bsd folks.)
59 Lookup is plain linear search until the first match with selector.
61 If "action" is "block", then we prohibit the flow, otherwise:
62 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
63 policy entry has list of up to XFRM_MAX_DEPTH transformations,
64 described by templates xfrm_tmpl. Each template is resolved
65 to a complete xfrm_state (see below) and we pack bundle of transformations
66 to a dst_entry returned to requestor.
68 dst -. xfrm .-> xfrm_state #1
69 |---. child .-> dst -. xfrm .-> xfrm_state #2
70 |---. child .-> dst -. xfrm .-> xfrm_state #3
73 Bundles are cached at xrfm_policy struct (field ->bundles).
76 Resolution of xrfm_tmpl
77 -----------------------
79 1. ->mode Mode: transport or tunnel
80 2. ->id.proto Protocol: AH/ESP/IPCOMP
81 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
82 Q: allow to resolve security gateway?
83 4. ->id.spi If not zero, static SPI.
84 5. ->saddr Local tunnel endpoint, ignored for transport mode.
85 6. ->algos List of allowed algos. Plain bitmask now.
86 Q: ealgos, aalgos, calgos. What a mess...
87 7. ->share Sharing mode.
88 Q: how to implement private sharing mode? To add struct sock* to
91 Having this template we search through SAD searching for entries
92 with appropriate mode/proto/algo, permitted by selector.
93 If no appropriate entry found, it is requested from key manager.
96 Q: How to find all the bundles referring to a physical path for
97 PMTU discovery? Seems, dst should contain list of all parents...
98 and enter to infinite locking hierarchy disaster.
99 No! It is easier, we will not search for them, let them find us.
100 We add genid to each dst plus pointer to genid of raw IP route,
101 pmtu disc will update pmtu on raw IP route and increase its genid.
102 dst_check() will see this for top level and trigger resyncing
103 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
106 /* Full description of state of transformer. */
109 /* Note: bydst is re-used during gc */
110 struct hlist_node bydst;
111 struct hlist_node bysrc;
112 struct hlist_node byspi;
118 struct xfrm_selector sel;
122 /* Key manger bits */
129 /* Parameters of this state. */
134 u8 aalgo, ealgo, calgo;
137 xfrm_address_t saddr;
142 struct xfrm_lifetime_cfg lft;
144 /* Data for transformer */
145 struct xfrm_algo *aalg;
146 struct xfrm_algo *ealg;
147 struct xfrm_algo *calg;
149 /* Data for encapsulator */
150 struct xfrm_encap_tmpl *encap;
152 /* Data for care-of address */
153 xfrm_address_t *coaddr;
155 /* IPComp needs an IPIP tunnel for handling uncompressed packets */
156 struct xfrm_state *tunnel;
158 /* If a tunnel, number of users + 1 */
159 atomic_t tunnel_users;
161 /* State for replay detection */
162 struct xfrm_replay_state replay;
164 /* Replay detection state at the time we sent the last notification */
165 struct xfrm_replay_state preplay;
167 /* internal flag that only holds state for delayed aevent at the
172 /* Replay detection notification settings */
176 /* Replay detection notification timer */
177 struct timer_list rtimer;
180 struct xfrm_stats stats;
182 struct xfrm_lifetime_cur curlft;
183 struct timer_list timer;
186 unsigned long lastused;
188 /* Reference to data common to all the instances of this
190 struct xfrm_type *type;
191 struct xfrm_mode *inner_mode;
192 struct xfrm_mode *outer_mode;
194 /* Security context */
195 struct xfrm_sec_ctx *security;
197 /* Private data of this transformer, format is opaque,
198 * interpreted by xfrm_type methods. */
202 /* xflags - make enum if more show up */
203 #define XFRM_TIME_DEFER 1
214 /* callback structure passed from either netlink or pfkey */
233 struct xfrm_policy_afinfo {
234 unsigned short family;
235 struct dst_ops *dst_ops;
236 void (*garbage_collect)(void);
237 struct dst_entry *(*dst_lookup)(int tos, xfrm_address_t *saddr,
238 xfrm_address_t *daddr);
239 int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr);
240 struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
241 void (*decode_session)(struct sk_buff *skb,
244 int (*get_tos)(struct flowi *fl);
245 int (*init_path)(struct xfrm_dst *path,
246 struct dst_entry *dst,
248 int (*fill_dst)(struct xfrm_dst *xdst,
249 struct net_device *dev);
252 extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
253 extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
254 extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
255 extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
258 extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
259 extern void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
260 extern int __xfrm_state_delete(struct xfrm_state *x);
262 struct xfrm_state_afinfo {
265 unsigned int eth_proto;
266 struct module *owner;
267 struct xfrm_type *type_map[IPPROTO_MAX];
268 struct xfrm_mode *mode_map[XFRM_MODE_MAX];
269 int (*init_flags)(struct xfrm_state *x);
270 void (*init_tempsel)(struct xfrm_state *x, struct flowi *fl,
271 struct xfrm_tmpl *tmpl,
272 xfrm_address_t *daddr, xfrm_address_t *saddr);
273 int (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
274 int (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
275 int (*output)(struct sk_buff *skb);
276 int (*extract_input)(struct xfrm_state *x,
277 struct sk_buff *skb);
278 int (*extract_output)(struct xfrm_state *x,
279 struct sk_buff *skb);
280 int (*transport_finish)(struct sk_buff *skb,
284 extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
285 extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
287 extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
292 struct module *owner;
295 #define XFRM_TYPE_NON_FRAGMENT 1
296 #define XFRM_TYPE_REPLAY_PROT 2
297 #define XFRM_TYPE_LOCAL_COADDR 4
298 #define XFRM_TYPE_REMOTE_COADDR 8
300 int (*init_state)(struct xfrm_state *x);
301 void (*destructor)(struct xfrm_state *);
302 int (*input)(struct xfrm_state *, struct sk_buff *skb);
303 int (*output)(struct xfrm_state *, struct sk_buff *pskb);
304 int (*reject)(struct xfrm_state *, struct sk_buff *, struct flowi *);
305 int (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
306 /* Estimate maximal size of result of transformation of a dgram */
307 u32 (*get_mtu)(struct xfrm_state *, int size);
310 extern int xfrm_register_type(struct xfrm_type *type, unsigned short family);
311 extern int xfrm_unregister_type(struct xfrm_type *type, unsigned short family);
315 * Remove encapsulation header.
317 * The IP header will be moved over the top of the encapsulation
320 * On entry, the transport header shall point to where the IP header
321 * should be and the network header shall be set to where the IP
322 * header currently is. skb->data shall point to the start of the
325 int (*input2)(struct xfrm_state *x, struct sk_buff *skb);
328 * This is the actual input entry point.
330 * For transport mode and equivalent this would be identical to
331 * input2 (which does not need to be set). While tunnel mode
332 * and equivalent would set this to the tunnel encapsulation function
333 * xfrm4_prepare_input that would in turn call input2.
335 int (*input)(struct xfrm_state *x, struct sk_buff *skb);
338 * Add encapsulation header.
340 * On exit, the transport header will be set to the start of the
341 * encapsulation header to be filled in by x->type->output and
342 * the mac header will be set to the nextheader (protocol for
343 * IPv4) field of the extension header directly preceding the
344 * encapsulation header, or in its absence, that of the top IP
345 * header. The value of the network header will always point
346 * to the top IP header while skb->data will point to the payload.
348 int (*output2)(struct xfrm_state *x,struct sk_buff *skb);
351 * This is the actual output entry point.
353 * For transport mode and equivalent this would be identical to
354 * output2 (which does not need to be set). While tunnel mode
355 * and equivalent would set this to a tunnel encapsulation function
356 * (xfrm4_prepare_output or xfrm6_prepare_output) that would in turn
359 int (*output)(struct xfrm_state *x, struct sk_buff *skb);
361 struct xfrm_state_afinfo *afinfo;
362 struct module *owner;
367 /* Flags for xfrm_mode. */
369 XFRM_MODE_FLAG_TUNNEL = 1,
372 extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
373 extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
377 /* id in template is interpreted as:
378 * daddr - destination of tunnel, may be zero for transport mode.
379 * spi - zero to acquire spi. Not zero if spi is static, then
380 * daddr must be fixed too.
381 * proto - AH/ESP/IPCOMP
385 /* Source address of tunnel. Ignored, if it is not a tunnel. */
386 xfrm_address_t saddr;
388 unsigned short encap_family;
392 /* Mode: transport, tunnel etc. */
395 /* Sharing mode: unique, this session only, this user only etc. */
398 /* May skip this transfomration if no SA is found */
401 /* Bit mask of algos allowed for acquisition */
407 #define XFRM_MAX_DEPTH 6
411 struct xfrm_policy *next;
412 struct hlist_node bydst;
413 struct hlist_node byidx;
415 /* This lock only affects elements except for entry. */
418 struct timer_list timer;
422 struct xfrm_selector selector;
423 struct xfrm_lifetime_cfg lft;
424 struct xfrm_lifetime_cur curlft;
425 struct dst_entry *bundles;
432 /* XXX 1 byte hole, try to pack */
433 struct xfrm_sec_ctx *security;
434 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
437 struct xfrm_migrate {
438 xfrm_address_t old_daddr;
439 xfrm_address_t old_saddr;
440 xfrm_address_t new_daddr;
441 xfrm_address_t new_saddr;
450 #define XFRM_KM_TIMEOUT 30
452 #define XFRM_REPLAY_SEQ 1
453 #define XFRM_REPLAY_OSEQ 2
454 #define XFRM_REPLAY_SEQ_MASK 3
456 #define XFRM_REPLAY_UPDATE XFRM_AE_CR
457 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
459 /* default aevent timeout in units of 100ms */
460 #define XFRM_AE_ETIME 10
461 /* Async Event timer multiplier */
462 #define XFRM_AE_ETH_M 10
463 /* default seq threshold size */
464 #define XFRM_AE_SEQT_SIZE 2
468 struct list_head list;
470 int (*notify)(struct xfrm_state *x, struct km_event *c);
471 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir);
472 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
473 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
474 int (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c);
475 int (*report)(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
476 int (*migrate)(struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles);
479 extern int xfrm_register_km(struct xfrm_mgr *km);
480 extern int xfrm_unregister_km(struct xfrm_mgr *km);
482 extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2];
485 * This structure is used for the duration where packets are being
486 * transformed by IPsec. As soon as the packet leaves IPsec the
487 * area beyond the generic IP part may be overwritten.
491 struct inet_skb_parm h4;
492 struct inet6_skb_parm h6;
495 /* Sequence number for replay protection. */
499 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
502 * This structure is used by the afinfo prepare_input/prepare_output functions
503 * to transmit header information to the mode input/output functions.
505 struct xfrm_mode_skb_cb {
507 struct inet_skb_parm h4;
508 struct inet6_skb_parm h6;
511 /* Copied from header for IPv4, always set to zero and DF for IPv6. */
515 /* TOS for IPv4, class for IPv6. */
518 /* TTL for IPv4, hop limitfor IPv6. */
521 /* Protocol for IPv4, NH for IPv6. */
524 /* Used by IPv6 only, zero for IPv4. */
528 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
531 * This structure is used by the input processing to locate the SPI and
532 * related information.
534 struct xfrm_spi_skb_cb {
536 struct inet_skb_parm h4;
537 struct inet6_skb_parm h6;
540 unsigned int daddroff;
544 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
546 /* Audit Information */
553 #ifdef CONFIG_AUDITSYSCALL
554 static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid)
556 struct audit_buffer *audit_buf = NULL;
560 audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
561 AUDIT_MAC_IPSEC_EVENT);
562 if (audit_buf == NULL)
565 audit_log_format(audit_buf, "auid=%u", auid);
568 security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
569 audit_log_format(audit_buf, " subj=%s", secctx);
570 security_release_secctx(secctx, secctx_len);
572 audit_log_task_context(audit_buf);
576 extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
578 extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
580 extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
582 extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
585 #define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0)
586 #define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0)
587 #define xfrm_audit_state_add(x, r, a, s) do { ; } while (0)
588 #define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0)
589 #endif /* CONFIG_AUDITSYSCALL */
591 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
593 if (likely(policy != NULL))
594 atomic_inc(&policy->refcnt);
597 extern void __xfrm_policy_destroy(struct xfrm_policy *policy);
599 static inline void xfrm_pol_put(struct xfrm_policy *policy)
601 if (atomic_dec_and_test(&policy->refcnt))
602 __xfrm_policy_destroy(policy);
605 #ifdef CONFIG_XFRM_SUB_POLICY
606 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
609 for (i = npols - 1; i >= 0; --i)
610 xfrm_pol_put(pols[i]);
613 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
615 xfrm_pol_put(pols[0]);
619 extern void __xfrm_state_destroy(struct xfrm_state *);
621 static inline void __xfrm_state_put(struct xfrm_state *x)
623 atomic_dec(&x->refcnt);
626 static inline void xfrm_state_put(struct xfrm_state *x)
628 if (atomic_dec_and_test(&x->refcnt))
629 __xfrm_state_destroy(x);
632 static inline void xfrm_state_hold(struct xfrm_state *x)
634 atomic_inc(&x->refcnt);
637 static __inline__ int addr_match(void *token1, void *token2, int prefixlen)
644 pdw = prefixlen >> 5; /* num of whole __u32 in prefix */
645 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
648 if (memcmp(a1, a2, pdw << 2))
654 mask = htonl((0xffffffff) << (32 - pbi));
656 if ((a1[pdw] ^ a2[pdw]) & mask)
664 __be16 xfrm_flowi_sport(struct flowi *fl)
670 case IPPROTO_UDPLITE:
672 port = fl->fl_ip_sport;
676 port = htons(fl->fl_icmp_type);
679 port = htons(fl->fl_mh_type);
688 __be16 xfrm_flowi_dport(struct flowi *fl)
694 case IPPROTO_UDPLITE:
696 port = fl->fl_ip_dport;
700 port = htons(fl->fl_icmp_code);
708 extern int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
709 unsigned short family);
711 #ifdef CONFIG_SECURITY_NETWORK_XFRM
712 /* If neither has a context --> match
713 * Otherwise, both must have a context and the sids, doi, alg must match
715 static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
717 return ((!s1 && !s2) ||
719 (s1->ctx_sid == s2->ctx_sid) &&
720 (s1->ctx_doi == s2->ctx_doi) &&
721 (s1->ctx_alg == s2->ctx_alg)));
724 static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
730 /* A struct encoding bundle of transformations to apply to some set of flow.
732 * dst->child points to the next element of bundle.
733 * dst->xfrm points to an instanse of transformer.
735 * Due to unfortunate limitations of current routing cache, which we
736 * have no time to fix, it mirrors struct rtable and bound to the same
737 * routing key, including saddr,daddr. However, we can have many of
738 * bundles differing by session id. All the bundles grow from a parent
744 struct dst_entry dst;
748 struct dst_entry *route;
749 #ifdef CONFIG_XFRM_SUB_POLICY
750 struct flowi *origin;
751 struct xfrm_selector *partner;
754 u32 route_mtu_cached;
755 u32 child_mtu_cached;
760 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
762 dst_release(xdst->route);
763 if (likely(xdst->u.dst.xfrm))
764 xfrm_state_put(xdst->u.dst.xfrm);
765 #ifdef CONFIG_XFRM_SUB_POLICY
768 kfree(xdst->partner);
769 xdst->partner = NULL;
773 extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
779 struct xfrm_state *xvec[XFRM_MAX_DEPTH];
782 static inline struct sec_path *
783 secpath_get(struct sec_path *sp)
786 atomic_inc(&sp->refcnt);
790 extern void __secpath_destroy(struct sec_path *sp);
793 secpath_put(struct sec_path *sp)
795 if (sp && atomic_dec_and_test(&sp->refcnt))
796 __secpath_destroy(sp);
799 extern struct sec_path *secpath_dup(struct sec_path *src);
802 secpath_reset(struct sk_buff *skb)
805 secpath_put(skb->sp);
811 xfrm_addr_any(xfrm_address_t *addr, unsigned short family)
815 return addr->a4 == 0;
817 return ipv6_addr_any((struct in6_addr *)&addr->a6);
823 __xfrm4_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
825 return (tmpl->saddr.a4 &&
826 tmpl->saddr.a4 != x->props.saddr.a4);
830 __xfrm6_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
832 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
833 ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
837 xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family)
841 return __xfrm4_state_addr_cmp(tmpl, x);
843 return __xfrm6_state_addr_cmp(tmpl, x);
849 extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
851 static inline int __xfrm_policy_check2(struct sock *sk, int dir,
853 unsigned int family, int reverse)
855 int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
857 if (sk && sk->sk_policy[XFRM_POLICY_IN])
858 return __xfrm_policy_check(sk, ndir, skb, family);
860 return (!xfrm_policy_count[dir] && !skb->sp) ||
861 (skb->dst->flags & DST_NOPOLICY) ||
862 __xfrm_policy_check(sk, ndir, skb, family);
865 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
867 return __xfrm_policy_check2(sk, dir, skb, family, 0);
870 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
872 return xfrm_policy_check(sk, dir, skb, AF_INET);
875 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
877 return xfrm_policy_check(sk, dir, skb, AF_INET6);
880 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
883 return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
886 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
889 return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
892 extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
893 unsigned int family, int reverse);
895 static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
898 return __xfrm_decode_session(skb, fl, family, 0);
901 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
905 return __xfrm_decode_session(skb, fl, family, 1);
908 extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
910 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
912 return !xfrm_policy_count[XFRM_POLICY_OUT] ||
913 (skb->dst->flags & DST_NOXFRM) ||
914 __xfrm_route_forward(skb, family);
917 static inline int xfrm4_route_forward(struct sk_buff *skb)
919 return xfrm_route_forward(skb, AF_INET);
922 static inline int xfrm6_route_forward(struct sk_buff *skb)
924 return xfrm_route_forward(skb, AF_INET6);
927 extern int __xfrm_sk_clone_policy(struct sock *sk);
929 static inline int xfrm_sk_clone_policy(struct sock *sk)
931 if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
932 return __xfrm_sk_clone_policy(sk);
936 extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
938 static inline void xfrm_sk_free_policy(struct sock *sk)
940 if (unlikely(sk->sk_policy[0] != NULL)) {
941 xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
942 sk->sk_policy[0] = NULL;
944 if (unlikely(sk->sk_policy[1] != NULL)) {
945 xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
946 sk->sk_policy[1] = NULL;
952 static inline void xfrm_sk_free_policy(struct sock *sk) {}
953 static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
954 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
955 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
956 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
960 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
964 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
968 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
974 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
979 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
987 xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
991 return (xfrm_address_t *)&fl->fl4_dst;
993 return (xfrm_address_t *)&fl->fl6_dst;
999 xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family)
1003 return (xfrm_address_t *)&fl->fl4_src;
1005 return (xfrm_address_t *)&fl->fl6_src;
1010 static __inline__ int
1011 __xfrm4_state_addr_check(struct xfrm_state *x,
1012 xfrm_address_t *daddr, xfrm_address_t *saddr)
1014 if (daddr->a4 == x->id.daddr.a4 &&
1015 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1020 static __inline__ int
1021 __xfrm6_state_addr_check(struct xfrm_state *x,
1022 xfrm_address_t *daddr, xfrm_address_t *saddr)
1024 if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1025 (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)||
1026 ipv6_addr_any((struct in6_addr *)saddr) ||
1027 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1032 static __inline__ int
1033 xfrm_state_addr_check(struct xfrm_state *x,
1034 xfrm_address_t *daddr, xfrm_address_t *saddr,
1035 unsigned short family)
1039 return __xfrm4_state_addr_check(x, daddr, saddr);
1041 return __xfrm6_state_addr_check(x, daddr, saddr);
1046 static __inline__ int
1047 xfrm_state_addr_flow_check(struct xfrm_state *x, struct flowi *fl,
1048 unsigned short family)
1052 return __xfrm4_state_addr_check(x,
1053 (xfrm_address_t *)&fl->fl4_dst,
1054 (xfrm_address_t *)&fl->fl4_src);
1056 return __xfrm6_state_addr_check(x,
1057 (xfrm_address_t *)&fl->fl6_dst,
1058 (xfrm_address_t *)&fl->fl6_src);
1063 static inline int xfrm_state_kern(struct xfrm_state *x)
1065 return atomic_read(&x->tunnel_users);
1068 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1070 return (!userproto || proto == userproto ||
1071 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1072 proto == IPPROTO_ESP ||
1073 proto == IPPROTO_COMP)));
1077 * xfrm algorithm information
1079 struct xfrm_algo_auth_info {
1084 struct xfrm_algo_encr_info {
1089 struct xfrm_algo_comp_info {
1093 struct xfrm_algo_desc {
1098 struct xfrm_algo_auth_info auth;
1099 struct xfrm_algo_encr_info encr;
1100 struct xfrm_algo_comp_info comp;
1102 struct sadb_alg desc;
1105 /* XFRM tunnel handlers. */
1106 struct xfrm_tunnel {
1107 int (*handler)(struct sk_buff *skb);
1108 int (*err_handler)(struct sk_buff *skb, __u32 info);
1110 struct xfrm_tunnel *next;
1114 struct xfrm6_tunnel {
1115 int (*handler)(struct sk_buff *skb);
1116 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1117 int type, int code, int offset, __be32 info);
1118 struct xfrm6_tunnel *next;
1122 extern void xfrm_init(void);
1123 extern void xfrm4_init(void);
1124 extern void xfrm_state_init(void);
1125 extern void xfrm4_state_init(void);
1127 extern int xfrm6_init(void);
1128 extern void xfrm6_fini(void);
1129 extern int xfrm6_state_init(void);
1130 extern void xfrm6_state_fini(void);
1132 static inline int xfrm6_init(void)
1136 static inline void xfrm6_fini(void)
1142 extern int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*), void *);
1143 extern struct xfrm_state *xfrm_state_alloc(void);
1144 extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
1145 struct flowi *fl, struct xfrm_tmpl *tmpl,
1146 struct xfrm_policy *pol, int *err,
1147 unsigned short family);
1148 extern struct xfrm_state * xfrm_stateonly_find(xfrm_address_t *daddr,
1149 xfrm_address_t *saddr,
1150 unsigned short family,
1151 u8 mode, u8 proto, u32 reqid);
1152 extern int xfrm_state_check_expire(struct xfrm_state *x);
1153 extern void xfrm_state_insert(struct xfrm_state *x);
1154 extern int xfrm_state_add(struct xfrm_state *x);
1155 extern int xfrm_state_update(struct xfrm_state *x);
1156 extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family);
1157 extern struct xfrm_state *xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family);
1158 #ifdef CONFIG_XFRM_SUB_POLICY
1159 extern int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1160 int n, unsigned short family);
1161 extern int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1162 int n, unsigned short family);
1164 static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1165 int n, unsigned short family)
1170 static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1171 int n, unsigned short family)
1177 struct xfrmk_sadinfo {
1178 u32 sadhcnt; /* current hash bkts */
1179 u32 sadhmcnt; /* max allowed hash bkts */
1180 u32 sadcnt; /* current running count */
1183 struct xfrmk_spdinfo {
1194 extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq);
1195 extern int xfrm_state_delete(struct xfrm_state *x);
1196 extern int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info);
1197 extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si);
1198 extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si);
1199 extern int xfrm_replay_check(struct xfrm_state *x, __be32 seq);
1200 extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);
1201 extern void xfrm_replay_notify(struct xfrm_state *x, int event);
1202 extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
1203 extern int xfrm_init_state(struct xfrm_state *x);
1204 extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
1205 extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi,
1207 extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1208 extern int xfrm_output_resume(struct sk_buff *skb, int err);
1209 extern int xfrm_output(struct sk_buff *skb);
1210 extern int xfrm4_extract_header(struct sk_buff *skb);
1211 extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1212 extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1214 extern int xfrm4_transport_finish(struct sk_buff *skb, int async);
1215 extern int xfrm4_rcv(struct sk_buff *skb);
1217 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1219 return xfrm4_rcv_encap(skb, nexthdr, spi, 0);
1222 extern int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1223 extern int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1224 extern int xfrm4_output(struct sk_buff *skb);
1225 extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1226 extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1227 extern int xfrm6_extract_header(struct sk_buff *skb);
1228 extern int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1229 extern int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
1230 extern int xfrm6_transport_finish(struct sk_buff *skb, int async);
1231 extern int xfrm6_rcv(struct sk_buff *skb);
1232 extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1233 xfrm_address_t *saddr, u8 proto);
1234 extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1235 extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1236 extern __be32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);
1237 extern void xfrm6_tunnel_free_spi(xfrm_address_t *saddr);
1238 extern __be32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr);
1239 extern int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1240 extern int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1241 extern int xfrm6_output(struct sk_buff *skb);
1242 extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1246 extern int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1247 extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
1249 static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1251 return -ENOPROTOOPT;
1254 static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1256 /* should not happen */
1262 struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
1263 extern int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*), void *);
1264 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1265 struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
1266 struct xfrm_selector *sel,
1267 struct xfrm_sec_ctx *ctx, int delete,
1269 struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int *err);
1270 int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
1271 u32 xfrm_get_acqseq(void);
1272 extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1273 struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1274 xfrm_address_t *daddr, xfrm_address_t *saddr,
1275 int create, unsigned short family);
1276 extern int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
1277 extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1278 extern int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst,
1279 struct flowi *fl, int family, int strict);
1281 #ifdef CONFIG_XFRM_MIGRATE
1282 extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1283 struct xfrm_migrate *m, int num_bundles);
1284 extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m);
1285 extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1286 struct xfrm_migrate *m);
1287 extern int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1288 struct xfrm_migrate *m, int num_bundles);
1291 extern wait_queue_head_t km_waitq;
1292 extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1293 extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid);
1294 extern int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
1296 extern void xfrm_input_init(void);
1297 extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1299 extern void xfrm_probe_algs(void);
1300 extern int xfrm_count_auth_supported(void);
1301 extern int xfrm_count_enc_supported(void);
1302 extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1303 extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1304 extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1305 extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1306 extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1307 extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe);
1308 extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe);
1309 extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe);
1313 typedef int (icv_update_fn_t)(struct hash_desc *, struct scatterlist *,
1316 extern int skb_icv_walk(const struct sk_buff *skb, struct hash_desc *tfm,
1317 int offset, int len, icv_update_fn_t icv_update);
1319 static inline int xfrm_addr_cmp(xfrm_address_t *a, xfrm_address_t *b,
1325 return (__force __u32)a->a4 - (__force __u32)b->a4;
1327 return ipv6_addr_cmp((struct in6_addr *)a,
1328 (struct in6_addr *)b);
1332 static inline int xfrm_policy_id2dir(u32 index)
1337 static inline int xfrm_aevent_is_on(void)
1343 nlsk = rcu_dereference(xfrm_nl);
1345 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1350 static inline int xfrm_alg_len(struct xfrm_algo *alg)
1352 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1355 #ifdef CONFIG_XFRM_MIGRATE
1356 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1358 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1361 static inline void xfrm_states_put(struct xfrm_state **states, int n)
1364 for (i = 0; i < n; i++)
1365 xfrm_state_put(*(states + i));
1368 static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1371 for (i = 0; i < n; i++)
1372 xfrm_state_delete(*(states + i));
1376 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1378 return skb->sp->xvec[skb->sp->len - 1];
1381 #endif /* _NET_XFRM_H */
projects / linux-2.6 / blob