6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
16 #include <linux/workqueue.h>
18 #include <linux/pfkeyv2.h>
19 #include <linux/ipsec.h>
20 #include <linux/module.h>
21 #include <linux/cache.h>
22 #include <asm/uaccess.h>
24 #include "xfrm_hash.h"
27 EXPORT_SYMBOL(xfrm_nl);
29 u32 sysctl_xfrm_aevent_etime = XFRM_AE_ETIME;
30 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
32 u32 sysctl_xfrm_aevent_rseqth = XFRM_AE_SEQT_SIZE;
33 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
35 /* Each xfrm_state may be linked to two tables:
37 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
38 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
39 destination/tunnel endpoint. (output)
42 static DEFINE_SPINLOCK(xfrm_state_lock);
44 /* Hash table to find appropriate SA towards given target (endpoint
45 * of tunnel or destination of transport mode) allowed by selector.
47 * Main use is finding SA after policy selected tunnel or transport mode.
48 * Also, it can be used by ah/esp icmp error handler to find offending SA.
50 static struct hlist_head *xfrm_state_bydst __read_mostly;
51 static struct hlist_head *xfrm_state_bysrc __read_mostly;
52 static struct hlist_head *xfrm_state_byspi __read_mostly;
53 static unsigned int xfrm_state_hmask __read_mostly;
54 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
55 static unsigned int xfrm_state_num;
56 static unsigned int xfrm_state_genid;
58 static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr,
59 xfrm_address_t *saddr,
61 unsigned short family)
63 return __xfrm_dst_hash(daddr, saddr, reqid, family, xfrm_state_hmask);
66 static inline unsigned int xfrm_src_hash(xfrm_address_t *addr,
67 unsigned short family)
69 return __xfrm_src_hash(addr, family, xfrm_state_hmask);
72 static inline unsigned int
73 xfrm_spi_hash(xfrm_address_t *daddr, u32 spi, u8 proto, unsigned short family)
75 return __xfrm_spi_hash(daddr, spi, proto, family, xfrm_state_hmask);
78 static void xfrm_hash_transfer(struct hlist_head *list,
79 struct hlist_head *ndsttable,
80 struct hlist_head *nsrctable,
81 struct hlist_head *nspitable,
82 unsigned int nhashmask)
84 struct hlist_node *entry, *tmp;
87 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
90 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
91 x->props.reqid, x->props.family,
93 hlist_add_head(&x->bydst, ndsttable+h);
95 h = __xfrm_src_hash(&x->props.saddr, x->props.family,
97 hlist_add_head(&x->bysrc, nsrctable+h);
99 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto,
100 x->props.family, nhashmask);
101 hlist_add_head(&x->byspi, nspitable+h);
105 static unsigned long xfrm_hash_new_size(void)
107 return ((xfrm_state_hmask + 1) << 1) *
108 sizeof(struct hlist_head);
111 static DEFINE_MUTEX(hash_resize_mutex);
113 static void xfrm_hash_resize(void *__unused)
115 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
116 unsigned long nsize, osize;
117 unsigned int nhashmask, ohashmask;
120 mutex_lock(&hash_resize_mutex);
122 nsize = xfrm_hash_new_size();
123 ndst = xfrm_hash_alloc(nsize);
126 nsrc = xfrm_hash_alloc(nsize);
128 xfrm_hash_free(ndst, nsize);
131 nspi = xfrm_hash_alloc(nsize);
133 xfrm_hash_free(ndst, nsize);
134 xfrm_hash_free(nsrc, nsize);
138 spin_lock_bh(&xfrm_state_lock);
140 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
141 for (i = xfrm_state_hmask; i >= 0; i--)
142 xfrm_hash_transfer(xfrm_state_bydst+i, ndst, nsrc, nspi,
145 odst = xfrm_state_bydst;
146 osrc = xfrm_state_bysrc;
147 ospi = xfrm_state_byspi;
148 ohashmask = xfrm_state_hmask;
150 xfrm_state_bydst = ndst;
151 xfrm_state_bysrc = nsrc;
152 xfrm_state_byspi = nspi;
153 xfrm_state_hmask = nhashmask;
155 spin_unlock_bh(&xfrm_state_lock);
157 osize = (ohashmask + 1) * sizeof(struct hlist_head);
158 xfrm_hash_free(odst, osize);
159 xfrm_hash_free(osrc, osize);
160 xfrm_hash_free(ospi, osize);
163 mutex_unlock(&hash_resize_mutex);
166 static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize, NULL);
168 DECLARE_WAIT_QUEUE_HEAD(km_waitq);
169 EXPORT_SYMBOL(km_waitq);
171 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
172 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
174 static struct work_struct xfrm_state_gc_work;
175 static HLIST_HEAD(xfrm_state_gc_list);
176 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
178 int __xfrm_state_delete(struct xfrm_state *x);
180 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family);
181 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
183 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
184 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
186 static void xfrm_state_gc_destroy(struct xfrm_state *x)
188 del_timer_sync(&x->timer);
189 del_timer_sync(&x->rtimer);
196 xfrm_put_mode(x->mode);
198 x->type->destructor(x);
199 xfrm_put_type(x->type);
201 security_xfrm_state_free(x);
205 static void xfrm_state_gc_task(void *data)
207 struct xfrm_state *x;
208 struct hlist_node *entry, *tmp;
209 struct hlist_head gc_list;
211 spin_lock_bh(&xfrm_state_gc_lock);
212 gc_list.first = xfrm_state_gc_list.first;
213 INIT_HLIST_HEAD(&xfrm_state_gc_list);
214 spin_unlock_bh(&xfrm_state_gc_lock);
216 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, bydst)
217 xfrm_state_gc_destroy(x);
222 static inline unsigned long make_jiffies(long secs)
224 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
225 return MAX_SCHEDULE_TIMEOUT-1;
230 static void xfrm_timer_handler(unsigned long data)
232 struct xfrm_state *x = (struct xfrm_state*)data;
233 unsigned long now = (unsigned long)xtime.tv_sec;
234 long next = LONG_MAX;
238 if (x->km.state == XFRM_STATE_DEAD)
240 if (x->km.state == XFRM_STATE_EXPIRED)
242 if (x->lft.hard_add_expires_seconds) {
243 long tmo = x->lft.hard_add_expires_seconds +
244 x->curlft.add_time - now;
250 if (x->lft.hard_use_expires_seconds) {
251 long tmo = x->lft.hard_use_expires_seconds +
252 (x->curlft.use_time ? : now) - now;
260 if (x->lft.soft_add_expires_seconds) {
261 long tmo = x->lft.soft_add_expires_seconds +
262 x->curlft.add_time - now;
268 if (x->lft.soft_use_expires_seconds) {
269 long tmo = x->lft.soft_use_expires_seconds +
270 (x->curlft.use_time ? : now) - now;
279 km_state_expired(x, 0, 0);
281 if (next != LONG_MAX)
282 mod_timer(&x->timer, jiffies + make_jiffies(next));
287 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
288 x->km.state = XFRM_STATE_EXPIRED;
293 if (!__xfrm_state_delete(x) && x->id.spi)
294 km_state_expired(x, 1, 0);
297 spin_unlock(&x->lock);
300 static void xfrm_replay_timer_handler(unsigned long data);
302 struct xfrm_state *xfrm_state_alloc(void)
304 struct xfrm_state *x;
306 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
309 atomic_set(&x->refcnt, 1);
310 atomic_set(&x->tunnel_users, 0);
311 INIT_HLIST_NODE(&x->bydst);
312 INIT_HLIST_NODE(&x->bysrc);
313 INIT_HLIST_NODE(&x->byspi);
314 init_timer(&x->timer);
315 x->timer.function = xfrm_timer_handler;
316 x->timer.data = (unsigned long)x;
317 init_timer(&x->rtimer);
318 x->rtimer.function = xfrm_replay_timer_handler;
319 x->rtimer.data = (unsigned long)x;
320 x->curlft.add_time = (unsigned long)xtime.tv_sec;
321 x->lft.soft_byte_limit = XFRM_INF;
322 x->lft.soft_packet_limit = XFRM_INF;
323 x->lft.hard_byte_limit = XFRM_INF;
324 x->lft.hard_packet_limit = XFRM_INF;
325 x->replay_maxage = 0;
326 x->replay_maxdiff = 0;
327 spin_lock_init(&x->lock);
331 EXPORT_SYMBOL(xfrm_state_alloc);
333 void __xfrm_state_destroy(struct xfrm_state *x)
335 BUG_TRAP(x->km.state == XFRM_STATE_DEAD);
337 spin_lock_bh(&xfrm_state_gc_lock);
338 hlist_add_head(&x->bydst, &xfrm_state_gc_list);
339 spin_unlock_bh(&xfrm_state_gc_lock);
340 schedule_work(&xfrm_state_gc_work);
342 EXPORT_SYMBOL(__xfrm_state_destroy);
344 int __xfrm_state_delete(struct xfrm_state *x)
348 if (x->km.state != XFRM_STATE_DEAD) {
349 x->km.state = XFRM_STATE_DEAD;
350 spin_lock(&xfrm_state_lock);
351 hlist_del(&x->bydst);
352 hlist_del(&x->bysrc);
354 hlist_del(&x->byspi);
356 spin_unlock(&xfrm_state_lock);
358 /* All xfrm_state objects are created by xfrm_state_alloc.
359 * The xfrm_state_alloc call gives a reference, and that
360 * is what we are dropping here.
368 EXPORT_SYMBOL(__xfrm_state_delete);
370 int xfrm_state_delete(struct xfrm_state *x)
374 spin_lock_bh(&x->lock);
375 err = __xfrm_state_delete(x);
376 spin_unlock_bh(&x->lock);
380 EXPORT_SYMBOL(xfrm_state_delete);
382 void xfrm_state_flush(u8 proto)
386 spin_lock_bh(&xfrm_state_lock);
387 for (i = 0; i <= xfrm_state_hmask; i++) {
388 struct hlist_node *entry;
389 struct xfrm_state *x;
391 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
392 if (!xfrm_state_kern(x) &&
393 xfrm_id_proto_match(x->id.proto, proto)) {
395 spin_unlock_bh(&xfrm_state_lock);
397 xfrm_state_delete(x);
400 spin_lock_bh(&xfrm_state_lock);
405 spin_unlock_bh(&xfrm_state_lock);
408 EXPORT_SYMBOL(xfrm_state_flush);
411 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
412 struct xfrm_tmpl *tmpl,
413 xfrm_address_t *daddr, xfrm_address_t *saddr,
414 unsigned short family)
416 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
419 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
420 xfrm_state_put_afinfo(afinfo);
424 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
426 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family);
427 struct xfrm_state *x;
428 struct hlist_node *entry;
430 hlist_for_each_entry(x, entry, xfrm_state_byspi+h, byspi) {
431 if (x->props.family != family ||
433 x->id.proto != proto)
438 if (x->id.daddr.a4 != daddr->a4)
442 if (!ipv6_addr_equal((struct in6_addr *)daddr,
456 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
458 unsigned int h = xfrm_src_hash(saddr, family);
459 struct xfrm_state *x;
460 struct hlist_node *entry;
462 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
463 if (x->props.family != family ||
464 x->id.proto != proto)
469 if (x->id.daddr.a4 != daddr->a4 ||
470 x->props.saddr.a4 != saddr->a4)
474 if (!ipv6_addr_equal((struct in6_addr *)daddr,
477 !ipv6_addr_equal((struct in6_addr *)saddr,
491 static inline struct xfrm_state *
492 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
495 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
496 x->id.proto, family);
498 return __xfrm_state_lookup_byaddr(&x->id.daddr,
500 x->id.proto, family);
504 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
505 struct flowi *fl, struct xfrm_tmpl *tmpl,
506 struct xfrm_policy *pol, int *err,
507 unsigned short family)
509 unsigned int h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family);
510 struct hlist_node *entry;
511 struct xfrm_state *x, *x0;
512 int acquire_in_progress = 0;
514 struct xfrm_state *best = NULL;
516 spin_lock_bh(&xfrm_state_lock);
517 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
518 if (x->props.family == family &&
519 x->props.reqid == tmpl->reqid &&
520 !(x->props.flags & XFRM_STATE_WILDRECV) &&
521 xfrm_state_addr_check(x, daddr, saddr, family) &&
522 tmpl->mode == x->props.mode &&
523 tmpl->id.proto == x->id.proto &&
524 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
526 1. There is a valid state with matching selector.
528 2. Valid state with inappropriate selector. Skip.
530 Entering area of "sysdeps".
532 3. If state is not valid, selector is temporary,
533 it selects only session which triggered
534 previous resolution. Key manager will do
535 something to install a state with proper
538 if (x->km.state == XFRM_STATE_VALID) {
539 if (!xfrm_selector_match(&x->sel, fl, family) ||
540 !security_xfrm_state_pol_flow_match(x, pol, fl))
543 best->km.dying > x->km.dying ||
544 (best->km.dying == x->km.dying &&
545 best->curlft.add_time < x->curlft.add_time))
547 } else if (x->km.state == XFRM_STATE_ACQ) {
548 acquire_in_progress = 1;
549 } else if (x->km.state == XFRM_STATE_ERROR ||
550 x->km.state == XFRM_STATE_EXPIRED) {
551 if (xfrm_selector_match(&x->sel, fl, family) &&
552 security_xfrm_state_pol_flow_match(x, pol, fl))
559 if (!x && !error && !acquire_in_progress) {
561 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
562 tmpl->id.proto, family)) != NULL) {
567 x = xfrm_state_alloc();
572 /* Initialize temporary selector matching only
573 * to current session. */
574 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
576 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
578 x->km.state = XFRM_STATE_DEAD;
584 if (km_query(x, tmpl, pol) == 0) {
585 x->km.state = XFRM_STATE_ACQ;
586 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
587 h = xfrm_src_hash(saddr, family);
588 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
590 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family);
591 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
593 x->lft.hard_add_expires_seconds = XFRM_ACQ_EXPIRES;
594 x->timer.expires = jiffies + XFRM_ACQ_EXPIRES*HZ;
595 add_timer(&x->timer);
597 x->km.state = XFRM_STATE_DEAD;
607 *err = acquire_in_progress ? -EAGAIN : error;
608 spin_unlock_bh(&xfrm_state_lock);
612 static void __xfrm_state_insert(struct xfrm_state *x)
616 x->genid = ++xfrm_state_genid;
618 h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
619 x->props.reqid, x->props.family);
620 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
622 h = xfrm_src_hash(&x->props.saddr, x->props.family);
623 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
625 if (xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY)) {
626 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto,
629 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
632 mod_timer(&x->timer, jiffies + HZ);
633 if (x->replay_maxage)
634 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
640 if (x->bydst.next != NULL &&
641 (xfrm_state_hmask + 1) < xfrm_state_hashmax &&
642 xfrm_state_num > xfrm_state_hmask)
643 schedule_work(&xfrm_hash_work);
646 /* xfrm_state_lock is held */
647 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
649 unsigned short family = xnew->props.family;
650 u32 reqid = xnew->props.reqid;
651 struct xfrm_state *x;
652 struct hlist_node *entry;
655 h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family);
656 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
657 if (x->props.family == family &&
658 x->props.reqid == reqid &&
659 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
660 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
661 x->genid = xfrm_state_genid;
665 void xfrm_state_insert(struct xfrm_state *x)
667 spin_lock_bh(&xfrm_state_lock);
668 __xfrm_state_bump_genids(x);
669 __xfrm_state_insert(x);
670 spin_unlock_bh(&xfrm_state_lock);
672 EXPORT_SYMBOL(xfrm_state_insert);
674 /* xfrm_state_lock is held */
675 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
677 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
678 struct hlist_node *entry;
679 struct xfrm_state *x;
681 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
682 if (x->props.reqid != reqid ||
683 x->props.mode != mode ||
684 x->props.family != family ||
685 x->km.state != XFRM_STATE_ACQ ||
691 if (x->id.daddr.a4 != daddr->a4 ||
692 x->props.saddr.a4 != saddr->a4)
696 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
697 (struct in6_addr *)daddr) ||
698 !ipv6_addr_equal((struct in6_addr *)
700 (struct in6_addr *)saddr))
712 x = xfrm_state_alloc();
716 x->sel.daddr.a4 = daddr->a4;
717 x->sel.saddr.a4 = saddr->a4;
718 x->sel.prefixlen_d = 32;
719 x->sel.prefixlen_s = 32;
720 x->props.saddr.a4 = saddr->a4;
721 x->id.daddr.a4 = daddr->a4;
725 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
726 (struct in6_addr *)daddr);
727 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
728 (struct in6_addr *)saddr);
729 x->sel.prefixlen_d = 128;
730 x->sel.prefixlen_s = 128;
731 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
732 (struct in6_addr *)saddr);
733 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
734 (struct in6_addr *)daddr);
738 x->km.state = XFRM_STATE_ACQ;
740 x->props.family = family;
741 x->props.mode = mode;
742 x->props.reqid = reqid;
743 x->lft.hard_add_expires_seconds = XFRM_ACQ_EXPIRES;
745 x->timer.expires = jiffies + XFRM_ACQ_EXPIRES*HZ;
746 add_timer(&x->timer);
747 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
748 h = xfrm_src_hash(saddr, family);
749 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
756 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
758 int xfrm_state_add(struct xfrm_state *x)
760 struct xfrm_state *x1;
763 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
765 family = x->props.family;
767 spin_lock_bh(&xfrm_state_lock);
769 x1 = __xfrm_state_locate(x, use_spi, family);
777 if (use_spi && x->km.seq) {
778 x1 = __xfrm_find_acq_byseq(x->km.seq);
779 if (x1 && xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family)) {
786 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
788 &x->id.daddr, &x->props.saddr, 0);
790 __xfrm_state_bump_genids(x);
791 __xfrm_state_insert(x);
795 spin_unlock_bh(&xfrm_state_lock);
798 xfrm_state_delete(x1);
804 EXPORT_SYMBOL(xfrm_state_add);
806 int xfrm_state_update(struct xfrm_state *x)
808 struct xfrm_state *x1;
810 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
812 spin_lock_bh(&xfrm_state_lock);
813 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
819 if (xfrm_state_kern(x1)) {
825 if (x1->km.state == XFRM_STATE_ACQ) {
826 __xfrm_state_insert(x);
832 spin_unlock_bh(&xfrm_state_lock);
838 xfrm_state_delete(x1);
844 spin_lock_bh(&x1->lock);
845 if (likely(x1->km.state == XFRM_STATE_VALID)) {
846 if (x->encap && x1->encap)
847 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
848 if (x->coaddr && x1->coaddr) {
849 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
851 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
852 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
853 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
856 mod_timer(&x1->timer, jiffies + HZ);
857 if (x1->curlft.use_time)
858 xfrm_state_check_expire(x1);
862 spin_unlock_bh(&x1->lock);
868 EXPORT_SYMBOL(xfrm_state_update);
870 int xfrm_state_check_expire(struct xfrm_state *x)
872 if (!x->curlft.use_time)
873 x->curlft.use_time = (unsigned long)xtime.tv_sec;
875 if (x->km.state != XFRM_STATE_VALID)
878 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
879 x->curlft.packets >= x->lft.hard_packet_limit) {
880 x->km.state = XFRM_STATE_EXPIRED;
881 mod_timer(&x->timer, jiffies);
886 (x->curlft.bytes >= x->lft.soft_byte_limit ||
887 x->curlft.packets >= x->lft.soft_packet_limit)) {
889 km_state_expired(x, 0, 0);
893 EXPORT_SYMBOL(xfrm_state_check_expire);
895 static int xfrm_state_check_space(struct xfrm_state *x, struct sk_buff *skb)
897 int nhead = x->props.header_len + LL_RESERVED_SPACE(skb->dst->dev)
901 return pskb_expand_head(skb, nhead, 0, GFP_ATOMIC);
903 /* Check tail too... */
907 int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb)
909 int err = xfrm_state_check_expire(x);
912 err = xfrm_state_check_space(x, skb);
916 EXPORT_SYMBOL(xfrm_state_check);
919 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
920 unsigned short family)
922 struct xfrm_state *x;
924 spin_lock_bh(&xfrm_state_lock);
925 x = __xfrm_state_lookup(daddr, spi, proto, family);
926 spin_unlock_bh(&xfrm_state_lock);
929 EXPORT_SYMBOL(xfrm_state_lookup);
932 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
933 u8 proto, unsigned short family)
935 struct xfrm_state *x;
937 spin_lock_bh(&xfrm_state_lock);
938 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
939 spin_unlock_bh(&xfrm_state_lock);
942 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
945 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
946 xfrm_address_t *daddr, xfrm_address_t *saddr,
947 int create, unsigned short family)
949 struct xfrm_state *x;
951 spin_lock_bh(&xfrm_state_lock);
952 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
953 spin_unlock_bh(&xfrm_state_lock);
957 EXPORT_SYMBOL(xfrm_find_acq);
959 #ifdef CONFIG_XFRM_SUB_POLICY
961 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
962 unsigned short family)
965 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
967 return -EAFNOSUPPORT;
969 spin_lock_bh(&xfrm_state_lock);
970 if (afinfo->tmpl_sort)
971 err = afinfo->tmpl_sort(dst, src, n);
972 spin_unlock_bh(&xfrm_state_lock);
973 xfrm_state_put_afinfo(afinfo);
976 EXPORT_SYMBOL(xfrm_tmpl_sort);
979 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
980 unsigned short family)
983 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
985 return -EAFNOSUPPORT;
987 spin_lock_bh(&xfrm_state_lock);
988 if (afinfo->state_sort)
989 err = afinfo->state_sort(dst, src, n);
990 spin_unlock_bh(&xfrm_state_lock);
991 xfrm_state_put_afinfo(afinfo);
994 EXPORT_SYMBOL(xfrm_state_sort);
997 /* Silly enough, but I'm lazy to build resolution list */
999 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1003 for (i = 0; i <= xfrm_state_hmask; i++) {
1004 struct hlist_node *entry;
1005 struct xfrm_state *x;
1007 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1008 if (x->km.seq == seq &&
1009 x->km.state == XFRM_STATE_ACQ) {
1018 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1020 struct xfrm_state *x;
1022 spin_lock_bh(&xfrm_state_lock);
1023 x = __xfrm_find_acq_byseq(seq);
1024 spin_unlock_bh(&xfrm_state_lock);
1027 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1029 u32 xfrm_get_acqseq(void)
1033 static DEFINE_SPINLOCK(acqseq_lock);
1035 spin_lock_bh(&acqseq_lock);
1036 res = (++acqseq ? : ++acqseq);
1037 spin_unlock_bh(&acqseq_lock);
1040 EXPORT_SYMBOL(xfrm_get_acqseq);
1043 xfrm_alloc_spi(struct xfrm_state *x, __be32 minspi, __be32 maxspi)
1046 struct xfrm_state *x0;
1051 if (minspi == maxspi) {
1052 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1060 u32 low = ntohl(minspi);
1061 u32 high = ntohl(maxspi);
1062 for (h=0; h<high-low+1; h++) {
1063 spi = low + net_random()%(high-low+1);
1064 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1066 x->id.spi = htonl(spi);
1073 spin_lock_bh(&xfrm_state_lock);
1074 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1075 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
1076 spin_unlock_bh(&xfrm_state_lock);
1080 EXPORT_SYMBOL(xfrm_alloc_spi);
1082 int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*),
1086 struct xfrm_state *x;
1087 struct hlist_node *entry;
1091 spin_lock_bh(&xfrm_state_lock);
1092 for (i = 0; i <= xfrm_state_hmask; i++) {
1093 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1094 if (xfrm_id_proto_match(x->id.proto, proto))
1103 for (i = 0; i <= xfrm_state_hmask; i++) {
1104 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1105 if (!xfrm_id_proto_match(x->id.proto, proto))
1107 err = func(x, --count, data);
1113 spin_unlock_bh(&xfrm_state_lock);
1116 EXPORT_SYMBOL(xfrm_state_walk);
1119 void xfrm_replay_notify(struct xfrm_state *x, int event)
1122 /* we send notify messages in case
1123 * 1. we updated on of the sequence numbers, and the seqno difference
1124 * is at least x->replay_maxdiff, in this case we also update the
1125 * timeout of our timer function
1126 * 2. if x->replay_maxage has elapsed since last update,
1127 * and there were changes
1129 * The state structure must be locked!
1133 case XFRM_REPLAY_UPDATE:
1134 if (x->replay_maxdiff &&
1135 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1136 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1137 if (x->xflags & XFRM_TIME_DEFER)
1138 event = XFRM_REPLAY_TIMEOUT;
1145 case XFRM_REPLAY_TIMEOUT:
1146 if ((x->replay.seq == x->preplay.seq) &&
1147 (x->replay.bitmap == x->preplay.bitmap) &&
1148 (x->replay.oseq == x->preplay.oseq)) {
1149 x->xflags |= XFRM_TIME_DEFER;
1156 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1157 c.event = XFRM_MSG_NEWAE;
1158 c.data.aevent = event;
1159 km_state_notify(x, &c);
1161 if (x->replay_maxage &&
1162 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1163 x->xflags &= ~XFRM_TIME_DEFER;
1165 EXPORT_SYMBOL(xfrm_replay_notify);
1167 static void xfrm_replay_timer_handler(unsigned long data)
1169 struct xfrm_state *x = (struct xfrm_state*)data;
1171 spin_lock(&x->lock);
1173 if (x->km.state == XFRM_STATE_VALID) {
1174 if (xfrm_aevent_is_on())
1175 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1177 x->xflags |= XFRM_TIME_DEFER;
1180 spin_unlock(&x->lock);
1183 int xfrm_replay_check(struct xfrm_state *x, __be32 net_seq)
1186 u32 seq = ntohl(net_seq);
1188 if (unlikely(seq == 0))
1191 if (likely(seq > x->replay.seq))
1194 diff = x->replay.seq - seq;
1195 if (diff >= x->props.replay_window) {
1196 x->stats.replay_window++;
1200 if (x->replay.bitmap & (1U << diff)) {
1206 EXPORT_SYMBOL(xfrm_replay_check);
1208 void xfrm_replay_advance(struct xfrm_state *x, u32 seq)
1214 if (seq > x->replay.seq) {
1215 diff = seq - x->replay.seq;
1216 if (diff < x->props.replay_window)
1217 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1219 x->replay.bitmap = 1;
1220 x->replay.seq = seq;
1222 diff = x->replay.seq - seq;
1223 x->replay.bitmap |= (1U << diff);
1226 if (xfrm_aevent_is_on())
1227 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1229 EXPORT_SYMBOL(xfrm_replay_advance);
1231 static struct list_head xfrm_km_list = LIST_HEAD_INIT(xfrm_km_list);
1232 static DEFINE_RWLOCK(xfrm_km_lock);
1234 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1236 struct xfrm_mgr *km;
1238 read_lock(&xfrm_km_lock);
1239 list_for_each_entry(km, &xfrm_km_list, list)
1240 if (km->notify_policy)
1241 km->notify_policy(xp, dir, c);
1242 read_unlock(&xfrm_km_lock);
1245 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1247 struct xfrm_mgr *km;
1248 read_lock(&xfrm_km_lock);
1249 list_for_each_entry(km, &xfrm_km_list, list)
1252 read_unlock(&xfrm_km_lock);
1255 EXPORT_SYMBOL(km_policy_notify);
1256 EXPORT_SYMBOL(km_state_notify);
1258 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1264 c.event = XFRM_MSG_EXPIRE;
1265 km_state_notify(x, &c);
1271 EXPORT_SYMBOL(km_state_expired);
1273 * We send to all registered managers regardless of failure
1274 * We are happy with one success
1276 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1278 int err = -EINVAL, acqret;
1279 struct xfrm_mgr *km;
1281 read_lock(&xfrm_km_lock);
1282 list_for_each_entry(km, &xfrm_km_list, list) {
1283 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1287 read_unlock(&xfrm_km_lock);
1290 EXPORT_SYMBOL(km_query);
1292 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport)
1295 struct xfrm_mgr *km;
1297 read_lock(&xfrm_km_lock);
1298 list_for_each_entry(km, &xfrm_km_list, list) {
1299 if (km->new_mapping)
1300 err = km->new_mapping(x, ipaddr, sport);
1304 read_unlock(&xfrm_km_lock);
1307 EXPORT_SYMBOL(km_new_mapping);
1309 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1315 c.event = XFRM_MSG_POLEXPIRE;
1316 km_policy_notify(pol, dir, &c);
1321 EXPORT_SYMBOL(km_policy_expired);
1323 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1327 struct xfrm_mgr *km;
1329 read_lock(&xfrm_km_lock);
1330 list_for_each_entry(km, &xfrm_km_list, list) {
1332 ret = km->report(proto, sel, addr);
1337 read_unlock(&xfrm_km_lock);
1340 EXPORT_SYMBOL(km_report);
1342 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1346 struct xfrm_mgr *km;
1347 struct xfrm_policy *pol = NULL;
1349 if (optlen <= 0 || optlen > PAGE_SIZE)
1352 data = kmalloc(optlen, GFP_KERNEL);
1357 if (copy_from_user(data, optval, optlen))
1361 read_lock(&xfrm_km_lock);
1362 list_for_each_entry(km, &xfrm_km_list, list) {
1363 pol = km->compile_policy(sk, optname, data,
1368 read_unlock(&xfrm_km_lock);
1371 xfrm_sk_policy_insert(sk, err, pol);
1380 EXPORT_SYMBOL(xfrm_user_policy);
1382 int xfrm_register_km(struct xfrm_mgr *km)
1384 write_lock_bh(&xfrm_km_lock);
1385 list_add_tail(&km->list, &xfrm_km_list);
1386 write_unlock_bh(&xfrm_km_lock);
1389 EXPORT_SYMBOL(xfrm_register_km);
1391 int xfrm_unregister_km(struct xfrm_mgr *km)
1393 write_lock_bh(&xfrm_km_lock);
1394 list_del(&km->list);
1395 write_unlock_bh(&xfrm_km_lock);
1398 EXPORT_SYMBOL(xfrm_unregister_km);
1400 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1403 if (unlikely(afinfo == NULL))
1405 if (unlikely(afinfo->family >= NPROTO))
1406 return -EAFNOSUPPORT;
1407 write_lock_bh(&xfrm_state_afinfo_lock);
1408 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1411 xfrm_state_afinfo[afinfo->family] = afinfo;
1412 write_unlock_bh(&xfrm_state_afinfo_lock);
1415 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1417 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1420 if (unlikely(afinfo == NULL))
1422 if (unlikely(afinfo->family >= NPROTO))
1423 return -EAFNOSUPPORT;
1424 write_lock_bh(&xfrm_state_afinfo_lock);
1425 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1426 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1429 xfrm_state_afinfo[afinfo->family] = NULL;
1431 write_unlock_bh(&xfrm_state_afinfo_lock);
1434 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1436 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family)
1438 struct xfrm_state_afinfo *afinfo;
1439 if (unlikely(family >= NPROTO))
1441 read_lock(&xfrm_state_afinfo_lock);
1442 afinfo = xfrm_state_afinfo[family];
1443 if (unlikely(!afinfo))
1444 read_unlock(&xfrm_state_afinfo_lock);
1448 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1450 read_unlock(&xfrm_state_afinfo_lock);
1453 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1454 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1457 struct xfrm_state *t = x->tunnel;
1459 if (atomic_read(&t->tunnel_users) == 2)
1460 xfrm_state_delete(t);
1461 atomic_dec(&t->tunnel_users);
1466 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1469 * This function is NOT optimal. For example, with ESP it will give an
1470 * MTU that's usually two bytes short of being optimal. However, it will
1471 * usually give an answer that's a multiple of 4 provided the input is
1472 * also a multiple of 4.
1474 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1478 res -= x->props.header_len;
1486 spin_lock_bh(&x->lock);
1487 if (x->km.state == XFRM_STATE_VALID &&
1488 x->type && x->type->get_max_size)
1489 m = x->type->get_max_size(x, m);
1491 m += x->props.header_len;
1492 spin_unlock_bh(&x->lock);
1502 int xfrm_init_state(struct xfrm_state *x)
1504 struct xfrm_state_afinfo *afinfo;
1505 int family = x->props.family;
1508 err = -EAFNOSUPPORT;
1509 afinfo = xfrm_state_get_afinfo(family);
1514 if (afinfo->init_flags)
1515 err = afinfo->init_flags(x);
1517 xfrm_state_put_afinfo(afinfo);
1522 err = -EPROTONOSUPPORT;
1523 x->type = xfrm_get_type(x->id.proto, family);
1524 if (x->type == NULL)
1527 err = x->type->init_state(x);
1531 x->mode = xfrm_get_mode(x->props.mode, family);
1532 if (x->mode == NULL)
1535 x->km.state = XFRM_STATE_VALID;
1541 EXPORT_SYMBOL(xfrm_init_state);
1543 void __init xfrm_state_init(void)
1547 sz = sizeof(struct hlist_head) * 8;
1549 xfrm_state_bydst = xfrm_hash_alloc(sz);
1550 xfrm_state_bysrc = xfrm_hash_alloc(sz);
1551 xfrm_state_byspi = xfrm_hash_alloc(sz);
1552 if (!xfrm_state_bydst || !xfrm_state_bysrc || !xfrm_state_byspi)
1553 panic("XFRM: Cannot allocate bydst/bysrc/byspi hashes.");
1554 xfrm_state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
1556 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task, NULL);
projects / linux-2.6 / blob