1#ifndef _NET_XFRM_H 2#define _NET_XFRM_H 3 4#include <linux/compiler.h> 5#include <linux/in.h> 6#include <linux/xfrm.h> 7#include <linux/spinlock.h> 8#include <linux/list.h> 9#include <linux/skbuff.h> 10#include <linux/socket.h> 11#include <linux/pfkeyv2.h> 12#include <linux/ipsec.h> 13#include <linux/in6.h> 14#include <linux/mutex.h> 15 16#include <net/sock.h> 17#include <net/dst.h> 18#include <net/route.h> 19#include <net/ipv6.h> 20#include <net/ip6_fib.h> 21 22#define XFRM_ALIGN8(len) (((len) + 7) & ~7) 23#define MODULE_ALIAS_XFRM_MODE(family, encap) \ 24 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap)) 25 26extern struct sock *xfrm_nl; 27extern u32 sysctl_xfrm_aevent_etime; 28extern u32 sysctl_xfrm_aevent_rseqth; 29 30extern struct mutex xfrm_cfg_mutex; 31 32/* Organization of SPD aka "XFRM rules" 33 ------------------------------------ 34 35 Basic objects: 36 - policy rule, struct xfrm_policy (=SPD entry) 37 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle) 38 - instance of a transformer, struct xfrm_state (=SA) 39 - template to clone xfrm_state, struct xfrm_tmpl 40 41 SPD is plain linear list of xfrm_policy rules, ordered by priority. 42 (To be compatible with existing pfkeyv2 implementations, 43 many rules with priority of 0x7fffffff are allowed to exist and 44 such rules are ordered in an unpredictable way, thanks to bsd folks.) 45 46 Lookup is plain linear search until the first match with selector. 47 48 If "action" is "block", then we prohibit the flow, otherwise: 49 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise, 50 policy entry has list of up to XFRM_MAX_DEPTH transformations, 51 described by templates xfrm_tmpl. Each template is resolved 52 to a complete xfrm_state (see below) and we pack bundle of transformations 53 to a dst_entry returned to requestor. 54 55 dst -. xfrm .-> xfrm_state #1 56 |---. child .-> dst -. xfrm .-> xfrm_state #2 57 |---. child .-> dst -. xfrm .-> xfrm_state #3 58 |---. child .-> NULL 59 60 Bundles are cached at xrfm_policy struct (field ->bundles). 61 62 63 Resolution of xrfm_tmpl 64 ----------------------- 65 Template contains: 66 1. ->mode Mode: transport or tunnel 67 2. ->id.proto Protocol: AH/ESP/IPCOMP 68 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode. 69 Q: allow to resolve security gateway? 70 4. ->id.spi If not zero, static SPI. 71 5. ->saddr Local tunnel endpoint, ignored for transport mode. 72 6. ->algos List of allowed algos. Plain bitmask now. 73 Q: ealgos, aalgos, calgos. What a mess... 74 7. ->share Sharing mode. 75 Q: how to implement private sharing mode? To add struct sock* to 76 flow id? 77 78 Having this template we search through SAD searching for entries 79 with appropriate mode/proto/algo, permitted by selector. 80 If no appropriate entry found, it is requested from key manager. 81 82 PROBLEMS: 83 Q: How to find all the bundles referring to a physical path for 84 PMTU discovery? Seems, dst should contain list of all parents... 85 and enter to infinite locking hierarchy disaster. 86 No! It is easier, we will not search for them, let them find us. 87 We add genid to each dst plus pointer to genid of raw IP route, 88 pmtu disc will update pmtu on raw IP route and increase its genid. 89 dst_check() will see this for top level and trigger resyncing 90 metrics. Plus, it will be made via sk->sk_dst_cache. Solved. 91 */ 92 93/* Full description of state of transformer. */ 94struct xfrm_state 95{ 96 /* Note: bydst is re-used during gc */ 97 struct hlist_node bydst; 98 struct hlist_node bysrc; 99 struct hlist_node byspi; 100 101 atomic_t refcnt; 102 spinlock_t lock; 103 104 struct xfrm_id id; 105 struct xfrm_selector sel; 106 107 u32 genid; 108 109 /* Key manger bits */ 110 struct { 111 u8 state; 112 u8 dying; 113 u32 seq; 114 } km; 115 116 /* Parameters of this state. */ 117 struct { 118 u32 reqid; 119 u8 mode; 120 u8 replay_window; 121 u8 aalgo, ealgo, calgo; 122 u8 flags; 123 u16 family; 124 xfrm_address_t saddr; 125 int header_len; 126 int trailer_len; 127 } props; 128 129 struct xfrm_lifetime_cfg lft; 130 131 /* Data for transformer */ 132 struct xfrm_algo *aalg; 133 struct xfrm_algo *ealg; 134 struct xfrm_algo *calg; 135 136 /* Data for encapsulator */ 137 struct xfrm_encap_tmpl *encap; 138 139 /* Data for care-of address */ 140 xfrm_address_t *coaddr; 141 142 /* IPComp needs an IPIP tunnel for handling uncompressed packets */ 143 struct xfrm_state *tunnel; 144 145 /* If a tunnel, number of users + 1 */ 146 atomic_t tunnel_users; 147 148 /* State for replay detection */ 149 struct xfrm_replay_state replay; 150 151 /* Replay detection state at the time we sent the last notification */ 152 struct xfrm_replay_state preplay; 153 154 /* internal flag that only holds state for delayed aevent at the 155 * moment 156 */ 157 u32 xflags; 158 159 /* Replay detection notification settings */ 160 u32 replay_maxage; 161 u32 replay_maxdiff; 162 163 /* Replay detection notification timer */ 164 struct timer_list rtimer; 165 166 /* Statistics */ 167 struct xfrm_stats stats; 168 169 struct xfrm_lifetime_cur curlft; 170 struct timer_list timer; 171 172 /* Last used time */ 173 u64 lastused; 174 175 /* Reference to data common to all the instances of this 176 * transformer. */ 177 struct xfrm_type *type; 178 struct xfrm_mode *mode; 179 180 /* Security context */ 181 struct xfrm_sec_ctx *security; 182 183 /* Private data of this transformer, format is opaque, 184 * interpreted by xfrm_type methods. */ 185 void *data; 186}; 187 188/* xflags - make enum if more show up */ 189#define XFRM_TIME_DEFER 1 190 191enum { 192 XFRM_STATE_VOID, 193 XFRM_STATE_ACQ, 194 XFRM_STATE_VALID, 195 XFRM_STATE_ERROR, 196 XFRM_STATE_EXPIRED, 197 XFRM_STATE_DEAD 198}; 199 200/* callback structure passed from either netlink or pfkey */ 201struct km_event 202{ 203 union { 204 u32 hard; 205 u32 proto; 206 u32 byid; 207 u32 aevent; 208 u32 type; 209 } data; 210 211 u32 seq; 212 u32 pid; 213 u32 event; 214}; 215 216struct xfrm_type; 217struct xfrm_dst; 218struct xfrm_policy_afinfo { 219 unsigned short family; 220 struct xfrm_type *type_map[IPPROTO_MAX]; 221 struct xfrm_mode *mode_map[XFRM_MODE_MAX]; 222 struct dst_ops *dst_ops; 223 void (*garbage_collect)(void); 224 int (*dst_lookup)(struct xfrm_dst **dst, struct flowi *fl); 225 int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr); 226 struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy); 227 int (*bundle_create)(struct xfrm_policy *policy, 228 struct xfrm_state **xfrm, 229 int nx, 230 struct flowi *fl, 231 struct dst_entry **dst_p); 232 void (*decode_session)(struct sk_buff *skb, 233 struct flowi *fl); 234}; 235 236extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo); 237extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo); 238extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c); 239extern void km_state_notify(struct xfrm_state *x, struct km_event *c); 240 241struct xfrm_tmpl; 242extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol); 243extern void km_state_expired(struct xfrm_state *x, int hard, u32 pid); 244extern int __xfrm_state_delete(struct xfrm_state *x); 245 246struct xfrm_state_afinfo { 247 unsigned short family; 248 int (*init_flags)(struct xfrm_state *x); 249 void (*init_tempsel)(struct xfrm_state *x, struct flowi *fl, 250 struct xfrm_tmpl *tmpl, 251 xfrm_address_t *daddr, xfrm_address_t *saddr); 252 int (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n); 253 int (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n); 254 int (*output)(struct sk_buff *skb); 255}; 256 257extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo); 258extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo); 259extern struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family); 260extern void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo); 261 262extern void xfrm_state_delete_tunnel(struct xfrm_state *x); 263 264struct xfrm_type 265{ 266 char *description; 267 struct module *owner; 268 __u8 proto; 269 __u8 flags; 270#define XFRM_TYPE_NON_FRAGMENT 1 271 272 int (*init_state)(struct xfrm_state *x); 273 void (*destructor)(struct xfrm_state *); 274 int (*input)(struct xfrm_state *, struct sk_buff *skb); 275 int (*output)(struct xfrm_state *, struct sk_buff *pskb); 276 int (*reject)(struct xfrm_state *, struct sk_buff *, struct flowi *); 277 int (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **); 278 xfrm_address_t *(*local_addr)(struct xfrm_state *, xfrm_address_t *); 279 xfrm_address_t *(*remote_addr)(struct xfrm_state *, xfrm_address_t *); 280 /* Estimate maximal size of result of transformation of a dgram */ 281 u32 (*get_mtu)(struct xfrm_state *, int size); 282}; 283 284extern int xfrm_register_type(struct xfrm_type *type, unsigned short family); 285extern int xfrm_unregister_type(struct xfrm_type *type, unsigned short family); 286extern struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family); 287extern void xfrm_put_type(struct xfrm_type *type); 288 289struct xfrm_mode { 290 int (*input)(struct xfrm_state *x, struct sk_buff *skb); 291 int (*output)(struct xfrm_state *x,struct sk_buff *skb); 292 293 struct module *owner; 294 unsigned int encap; 295}; 296 297extern int xfrm_register_mode(struct xfrm_mode *mode, int family); 298extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family); 299extern struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family); 300extern void xfrm_put_mode(struct xfrm_mode *mode); 301 302struct xfrm_tmpl 303{ 304/* id in template is interpreted as: 305 * daddr - destination of tunnel, may be zero for transport mode. 306 * spi - zero to acquire spi. Not zero if spi is static, then 307 * daddr must be fixed too. 308 * proto - AH/ESP/IPCOMP 309 */ 310 struct xfrm_id id; 311 312/* Source address of tunnel. Ignored, if it is not a tunnel. */ 313 xfrm_address_t saddr; 314 315 unsigned short encap_family; 316 317 __u32 reqid; 318 319/* Mode: transport, tunnel etc. */ 320 __u8 mode; 321 322/* Sharing mode: unique, this session only, this user only etc. */ 323 __u8 share; 324 325/* May skip this transfomration if no SA is found */ 326 __u8 optional; 327 328/* Bit mask of algos allowed for acquisition */ 329 __u32 aalgos; 330 __u32 ealgos; 331 __u32 calgos; 332}; 333 334#define XFRM_MAX_DEPTH 6 335 336struct xfrm_policy 337{ 338 struct xfrm_policy *next; 339 struct hlist_node bydst; 340 struct hlist_node byidx; 341 342 /* This lock only affects elements except for entry. */ 343 rwlock_t lock; 344 atomic_t refcnt; 345 struct timer_list timer; 346 347 u32 priority; 348 u32 index; 349 struct xfrm_selector selector; 350 struct xfrm_lifetime_cfg lft; 351 struct xfrm_lifetime_cur curlft; 352 struct dst_entry *bundles; 353 u16 family; 354 u8 type; 355 u8 action; 356 u8 flags; 357 u8 dead; 358 u8 xfrm_nr; 359 struct xfrm_sec_ctx *security; 360 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH]; 361}; 362 363struct xfrm_migrate { 364 xfrm_address_t old_daddr; 365 xfrm_address_t old_saddr; 366 xfrm_address_t new_daddr; 367 xfrm_address_t new_saddr; 368 u8 proto; 369 u8 mode; 370 u16 reserved; 371 u32 reqid; 372 u16 old_family; 373 u16 new_family; 374}; 375 376#define XFRM_KM_TIMEOUT 30 377/* which seqno */ 378#define XFRM_REPLAY_SEQ 1 379#define XFRM_REPLAY_OSEQ 2 380#define XFRM_REPLAY_SEQ_MASK 3 381/* what happened */ 382#define XFRM_REPLAY_UPDATE XFRM_AE_CR 383#define XFRM_REPLAY_TIMEOUT XFRM_AE_CE 384 385/* default aevent timeout in units of 100ms */ 386#define XFRM_AE_ETIME 10 387/* Async Event timer multiplier */ 388#define XFRM_AE_ETH_M 10 389/* default seq threshold size */ 390#define XFRM_AE_SEQT_SIZE 2 391 392struct xfrm_mgr 393{ 394 struct list_head list; 395 char *id; 396 int (*notify)(struct xfrm_state *x, struct km_event *c); 397 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir); 398 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir); 399 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport); 400 int (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c); 401 int (*report)(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr); 402 int (*migrate)(struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles); 403}; 404 405extern int xfrm_register_km(struct xfrm_mgr *km); 406extern int xfrm_unregister_km(struct xfrm_mgr *km); 407 408extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2]; 409 410/* Audit Information */ 411struct xfrm_audit 412{ 413 uid_t loginuid; 414 u32 secid; 415}; 416 417#ifdef CONFIG_AUDITSYSCALL 418extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result, 419 struct xfrm_policy *xp, struct xfrm_state *x); 420#else 421#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0) 422#endif /* CONFIG_AUDITSYSCALL */ 423 424static inline void xfrm_pol_hold(struct xfrm_policy *policy) 425{ 426 if (likely(policy != NULL)) 427 atomic_inc(&policy->refcnt); 428} 429 430extern void __xfrm_policy_destroy(struct xfrm_policy *policy); 431 432static inline void xfrm_pol_put(struct xfrm_policy *policy) 433{ 434 if (atomic_dec_and_test(&policy->refcnt)) 435 __xfrm_policy_destroy(policy); 436} 437 438#ifdef CONFIG_XFRM_SUB_POLICY 439static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols) 440{ 441 int i; 442 for (i = npols - 1; i >= 0; --i) 443 xfrm_pol_put(pols[i]); 444} 445#else 446static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols) 447{ 448 xfrm_pol_put(pols[0]); 449} 450#endif 451 452extern void __xfrm_state_destroy(struct xfrm_state *); 453 454static inline void __xfrm_state_put(struct xfrm_state *x) 455{ 456 atomic_dec(&x->refcnt); 457} 458 459static inline void xfrm_state_put(struct xfrm_state *x) 460{ 461 if (atomic_dec_and_test(&x->refcnt)) 462 __xfrm_state_destroy(x); 463} 464 465static inline void xfrm_state_hold(struct xfrm_state *x) 466{ 467 atomic_inc(&x->refcnt); 468} 469 470static __inline__ int addr_match(void *token1, void *token2, int prefixlen) 471{ 472 __be32 *a1 = token1; 473 __be32 *a2 = token2; 474 int pdw; 475 int pbi; 476 477 pdw = prefixlen >> 5; /* num of whole __u32 in prefix */ 478 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */ 479 480 if (pdw) 481 if (memcmp(a1, a2, pdw << 2)) 482 return 0; 483 484 if (pbi) { 485 __be32 mask; 486 487 mask = htonl((0xffffffff) << (32 - pbi)); 488 489 if ((a1[pdw] ^ a2[pdw]) & mask) 490 return 0; 491 } 492 493 return 1; 494} 495 496static __inline__ 497__be16 xfrm_flowi_sport(struct flowi *fl) 498{ 499 __be16 port; 500 switch(fl->proto) { 501 case IPPROTO_TCP: 502 case IPPROTO_UDP: 503 case IPPROTO_UDPLITE: 504 case IPPROTO_SCTP: 505 port = fl->fl_ip_sport; 506 break; 507 case IPPROTO_ICMP: 508 case IPPROTO_ICMPV6: 509 port = htons(fl->fl_icmp_type); 510 break; 511#ifdef CONFIG_IPV6_MIP6 512 case IPPROTO_MH: 513 port = htons(fl->fl_mh_type); 514 break; 515#endif 516 default: 517 port = 0; 518 } 519 return port; 520} 521 522static __inline__ 523__be16 xfrm_flowi_dport(struct flowi *fl) 524{ 525 __be16 port; 526 switch(fl->proto) { 527 case IPPROTO_TCP: 528 case IPPROTO_UDP: 529 case IPPROTO_UDPLITE: 530 case IPPROTO_SCTP: 531 port = fl->fl_ip_dport; 532 break; 533 case IPPROTO_ICMP: 534 case IPPROTO_ICMPV6: 535 port = htons(fl->fl_icmp_code); 536 break; 537 default: 538 port = 0; 539 } 540 return port; 541} 542 543extern int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl, 544 unsigned short family); 545 546#ifdef CONFIG_SECURITY_NETWORK_XFRM 547/* If neither has a context --> match 548 * Otherwise, both must have a context and the sids, doi, alg must match 549 */ 550static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2) 551{ 552 return ((!s1 && !s2) || 553 (s1 && s2 && 554 (s1->ctx_sid == s2->ctx_sid) && 555 (s1->ctx_doi == s2->ctx_doi) && 556 (s1->ctx_alg == s2->ctx_alg))); 557} 558#else 559static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2) 560{ 561 return 1; 562} 563#endif 564 565/* A struct encoding bundle of transformations to apply to some set of flow. 566 * 567 * dst->child points to the next element of bundle. 568 * dst->xfrm points to an instanse of transformer. 569 * 570 * Due to unfortunate limitations of current routing cache, which we 571 * have no time to fix, it mirrors struct rtable and bound to the same 572 * routing key, including saddr,daddr. However, we can have many of 573 * bundles differing by session id. All the bundles grow from a parent 574 * policy rule. 575 */ 576struct xfrm_dst 577{ 578 union { 579 struct xfrm_dst *next; 580 struct dst_entry dst; 581 struct rtable rt; 582 struct rt6_info rt6; 583 } u; 584 struct dst_entry *route; 585#ifdef CONFIG_XFRM_SUB_POLICY 586 struct flowi *origin; 587 struct xfrm_selector *partner; 588#endif 589 u32 genid; 590 u32 route_mtu_cached; 591 u32 child_mtu_cached; 592 u32 route_cookie; 593 u32 path_cookie; 594}; 595 596static inline void xfrm_dst_destroy(struct xfrm_dst *xdst) 597{ 598 dst_release(xdst->route); 599 if (likely(xdst->u.dst.xfrm)) 600 xfrm_state_put(xdst->u.dst.xfrm); 601#ifdef CONFIG_XFRM_SUB_POLICY 602 kfree(xdst->origin); 603 xdst->origin = NULL; 604 kfree(xdst->partner); 605 xdst->partner = NULL; 606#endif 607} 608 609extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev); 610 611struct sec_path 612{ 613 atomic_t refcnt; 614 int len; 615 struct xfrm_state *xvec[XFRM_MAX_DEPTH]; 616}; 617 618static inline struct sec_path * 619secpath_get(struct sec_path *sp) 620{ 621 if (sp) 622 atomic_inc(&sp->refcnt); 623 return sp; 624} 625 626extern void __secpath_destroy(struct sec_path *sp); 627 628static inline void 629secpath_put(struct sec_path *sp) 630{ 631 if (sp && atomic_dec_and_test(&sp->refcnt)) 632 __secpath_destroy(sp); 633} 634 635extern struct sec_path *secpath_dup(struct sec_path *src); 636 637static inline void 638secpath_reset(struct sk_buff *skb) 639{ 640#ifdef CONFIG_XFRM 641 secpath_put(skb->sp); 642 skb->sp = NULL; 643#endif 644} 645 646static inline int 647xfrm_addr_any(xfrm_address_t *addr, unsigned short family) 648{ 649 switch (family) { 650 case AF_INET: 651 return addr->a4 == 0; 652 case AF_INET6: 653 return ipv6_addr_any((struct in6_addr *)&addr->a6); 654 } 655 return 0; 656} 657 658static inline int 659__xfrm4_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x) 660{ 661 return (tmpl->saddr.a4 && 662 tmpl->saddr.a4 != x->props.saddr.a4); 663} 664 665static inline int 666__xfrm6_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x) 667{ 668 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) && 669 ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr)); 670} 671 672static inline int 673xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family) 674{ 675 switch (family) { 676 case AF_INET: 677 return __xfrm4_state_addr_cmp(tmpl, x); 678 case AF_INET6: 679 return __xfrm6_state_addr_cmp(tmpl, x); 680 } 681 return !0; 682} 683 684#ifdef CONFIG_XFRM 685 686extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family); 687 688static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) 689{ 690 if (sk && sk->sk_policy[XFRM_POLICY_IN]) 691 return __xfrm_policy_check(sk, dir, skb, family); 692 693 return (!xfrm_policy_count[dir] && !skb->sp) || 694 (skb->dst->flags & DST_NOPOLICY) || 695 __xfrm_policy_check(sk, dir, skb, family); 696} 697 698static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 699{ 700 return xfrm_policy_check(sk, dir, skb, AF_INET); 701} 702 703static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 704{ 705 return xfrm_policy_check(sk, dir, skb, AF_INET6); 706} 707 708extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family); 709extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family); 710 711static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) 712{ 713 return !xfrm_policy_count[XFRM_POLICY_OUT] || 714 (skb->dst->flags & DST_NOXFRM) || 715 __xfrm_route_forward(skb, family); 716} 717 718static inline int xfrm4_route_forward(struct sk_buff *skb) 719{ 720 return xfrm_route_forward(skb, AF_INET); 721} 722 723static inline int xfrm6_route_forward(struct sk_buff *skb) 724{ 725 return xfrm_route_forward(skb, AF_INET6); 726} 727 728extern int __xfrm_sk_clone_policy(struct sock *sk); 729 730static inline int xfrm_sk_clone_policy(struct sock *sk) 731{ 732 if (unlikely(sk->sk_policy[0] || sk->sk_policy[1])) 733 return __xfrm_sk_clone_policy(sk); 734 return 0; 735} 736 737extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir); 738 739static inline void xfrm_sk_free_policy(struct sock *sk) 740{ 741 if (unlikely(sk->sk_policy[0] != NULL)) { 742 xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX); 743 sk->sk_policy[0] = NULL; 744 } 745 if (unlikely(sk->sk_policy[1] != NULL)) { 746 xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1); 747 sk->sk_policy[1] = NULL; 748 } 749} 750 751#else 752 753static inline void xfrm_sk_free_policy(struct sock *sk) {} 754static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; } 755static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; } 756static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; } 757static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 758{ 759 return 1; 760} 761static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 762{ 763 return 1; 764} 765static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) 766{ 767 return 1; 768} 769#endif 770 771static __inline__ 772xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family) 773{ 774 switch (family){ 775 case AF_INET: 776 return (xfrm_address_t *)&fl->fl4_dst; 777 case AF_INET6: 778 return (xfrm_address_t *)&fl->fl6_dst; 779 } 780 return NULL; 781} 782 783static __inline__ 784xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family) 785{ 786 switch (family){ 787 case AF_INET: 788 return (xfrm_address_t *)&fl->fl4_src; 789 case AF_INET6: 790 return (xfrm_address_t *)&fl->fl6_src; 791 } 792 return NULL; 793} 794 795static __inline__ int 796__xfrm4_state_addr_check(struct xfrm_state *x, 797 xfrm_address_t *daddr, xfrm_address_t *saddr) 798{ 799 if (daddr->a4 == x->id.daddr.a4 && 800 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4)) 801 return 1; 802 return 0; 803} 804 805static __inline__ int 806__xfrm6_state_addr_check(struct xfrm_state *x, 807 xfrm_address_t *daddr, xfrm_address_t *saddr) 808{ 809 if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) && 810 (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)|| 811 ipv6_addr_any((struct in6_addr *)saddr) || 812 ipv6_addr_any((struct in6_addr *)&x->props.saddr))) 813 return 1; 814 return 0; 815} 816 817static __inline__ int 818xfrm_state_addr_check(struct xfrm_state *x, 819 xfrm_address_t *daddr, xfrm_address_t *saddr, 820 unsigned short family) 821{ 822 switch (family) { 823 case AF_INET: 824 return __xfrm4_state_addr_check(x, daddr, saddr); 825 case AF_INET6: 826 return __xfrm6_state_addr_check(x, daddr, saddr); 827 } 828 return 0; 829} 830 831static __inline__ int 832xfrm_state_addr_flow_check(struct xfrm_state *x, struct flowi *fl, 833 unsigned short family) 834{ 835 switch (family) { 836 case AF_INET: 837 return __xfrm4_state_addr_check(x, 838 (xfrm_address_t *)&fl->fl4_dst, 839 (xfrm_address_t *)&fl->fl4_src); 840 case AF_INET6: 841 return __xfrm6_state_addr_check(x, 842 (xfrm_address_t *)&fl->fl6_dst, 843 (xfrm_address_t *)&fl->fl6_src); 844 } 845 return 0; 846} 847 848static inline int xfrm_state_kern(struct xfrm_state *x) 849{ 850 return atomic_read(&x->tunnel_users); 851} 852 853static inline int xfrm_id_proto_match(u8 proto, u8 userproto) 854{ 855 return (!userproto || proto == userproto || 856 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH || 857 proto == IPPROTO_ESP || 858 proto == IPPROTO_COMP))); 859} 860 861/* 862 * xfrm algorithm information 863 */ 864struct xfrm_algo_auth_info { 865 u16 icv_truncbits; 866 u16 icv_fullbits; 867}; 868 869struct xfrm_algo_encr_info { 870 u16 blockbits; 871 u16 defkeybits; 872}; 873 874struct xfrm_algo_comp_info { 875 u16 threshold; 876}; 877 878struct xfrm_algo_desc { 879 char *name; 880 char *compat; 881 u8 available:1; 882 union { 883 struct xfrm_algo_auth_info auth; 884 struct xfrm_algo_encr_info encr; 885 struct xfrm_algo_comp_info comp; 886 } uinfo; 887 struct sadb_alg desc; 888}; 889 890/* XFRM tunnel handlers. */ 891struct xfrm_tunnel { 892 int (*handler)(struct sk_buff *skb); 893 int (*err_handler)(struct sk_buff *skb, __u32 info); 894 895 struct xfrm_tunnel *next; 896 int priority; 897}; 898 899struct xfrm6_tunnel { 900 int (*handler)(struct sk_buff *skb); 901 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt, 902 int type, int code, int offset, __be32 info); 903 struct xfrm6_tunnel *next; 904 int priority; 905}; 906 907extern void xfrm_init(void); 908extern void xfrm4_init(void); 909extern void xfrm6_init(void); 910extern void xfrm6_fini(void); 911extern void xfrm_state_init(void); 912extern void xfrm4_state_init(void); 913extern void xfrm6_state_init(void); 914extern void xfrm6_state_fini(void); 915 916extern int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*), void *); 917extern struct xfrm_state *xfrm_state_alloc(void); 918extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 919 struct flowi *fl, struct xfrm_tmpl *tmpl, 920 struct xfrm_policy *pol, int *err, 921 unsigned short family); 922extern int xfrm_state_check_expire(struct xfrm_state *x); 923extern void xfrm_state_insert(struct xfrm_state *x); 924extern int xfrm_state_add(struct xfrm_state *x); 925extern int xfrm_state_update(struct xfrm_state *x); 926extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family); 927extern struct xfrm_state *xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family); 928#ifdef CONFIG_XFRM_SUB_POLICY 929extern int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, 930 int n, unsigned short family); 931extern int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, 932 int n, unsigned short family); 933#else 934static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, 935 int n, unsigned short family) 936{ 937 return -ENOSYS; 938} 939 940static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, 941 int n, unsigned short family) 942{ 943 return -ENOSYS; 944} 945#endif 946 947struct xfrmk_sadinfo { 948 u32 sadhcnt; /* current hash bkts */ 949 u32 sadhmcnt; /* max allowed hash bkts */ 950 u32 sadcnt; /* current running count */ 951}; 952 953struct xfrmk_spdinfo { 954 u32 incnt; 955 u32 outcnt; 956 u32 fwdcnt; 957 u32 inscnt; 958 u32 outscnt; 959 u32 fwdscnt; 960 u32 spdhcnt; 961 u32 spdhmcnt; 962}; 963 964extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq); 965extern int xfrm_state_delete(struct xfrm_state *x); 966extern int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info); 967extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si); 968extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si); 969extern int xfrm_replay_check(struct xfrm_state *x, __be32 seq); 970extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq); 971extern void xfrm_replay_notify(struct xfrm_state *x, int event); 972extern int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb); 973extern int xfrm_state_mtu(struct xfrm_state *x, int mtu); 974extern int xfrm_init_state(struct xfrm_state *x); 975extern int xfrm4_rcv(struct sk_buff *skb); 976extern int xfrm4_output(struct sk_buff *skb); 977extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family); 978extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family); 979extern int xfrm6_rcv_spi(struct sk_buff *skb, __be32 spi); 980extern int xfrm6_rcv(struct sk_buff **pskb); 981extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr, 982 xfrm_address_t *saddr, u8 proto); 983extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family); 984extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family); 985extern __be32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr); 986extern void xfrm6_tunnel_free_spi(xfrm_address_t *saddr); 987extern __be32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr); 988extern int xfrm6_output(struct sk_buff *skb); 989extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb, 990 u8 **prevhdr); 991 992#ifdef CONFIG_XFRM 993extern int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type); 994extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen); 995extern int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family); 996#else 997static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen) 998{ 999 return -ENOPROTOOPT; 1000} 1001 1002static inline int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type) 1003{ 1004 /* should not happen */ 1005 kfree_skb(skb); 1006 return 0; 1007} 1008static inline int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family) 1009{ 1010 return -EINVAL; 1011} 1012#endif 1013 1014struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp); 1015extern int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*), void *); 1016int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl); 1017struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir, 1018 struct xfrm_selector *sel, 1019 struct xfrm_sec_ctx *ctx, int delete, 1020 int *err); 1021struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int *err); 1022int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info); 1023u32 xfrm_get_acqseq(void); 1024void xfrm_alloc_spi(struct xfrm_state *x, __be32 minspi, __be32 maxspi); 1025struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto, 1026 xfrm_address_t *daddr, xfrm_address_t *saddr, 1027 int create, unsigned short family); 1028extern int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info); 1029extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol); 1030extern int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst, 1031 struct flowi *fl, int family, int strict); 1032extern void xfrm_init_pmtu(struct dst_entry *dst); 1033 1034#ifdef CONFIG_XFRM_MIGRATE 1035extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 1036 struct xfrm_migrate *m, int num_bundles); 1037extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m); 1038extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x, 1039 struct xfrm_migrate *m); 1040extern int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 1041 struct xfrm_migrate *m, int num_bundles); 1042#endif 1043 1044extern wait_queue_head_t km_waitq; 1045extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport); 1046extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid); 1047extern int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr); 1048 1049extern void xfrm_input_init(void); 1050extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq); 1051 1052extern void xfrm_probe_algs(void); 1053extern int xfrm_count_auth_supported(void); 1054extern int xfrm_count_enc_supported(void); 1055extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx); 1056extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx); 1057extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id); 1058extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id); 1059extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id); 1060extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe); 1061extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe); 1062extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe); 1063 1064struct hash_desc; 1065struct scatterlist; 1066typedef int (icv_update_fn_t)(struct hash_desc *, struct scatterlist *, 1067 unsigned int); 1068 1069extern int skb_icv_walk(const struct sk_buff *skb, struct hash_desc *tfm, 1070 int offset, int len, icv_update_fn_t icv_update); 1071 1072static inline int xfrm_addr_cmp(xfrm_address_t *a, xfrm_address_t *b, 1073 int family) 1074{ 1075 switch (family) { 1076 default: 1077 case AF_INET: 1078 return (__force __u32)a->a4 - (__force __u32)b->a4; 1079 case AF_INET6: 1080 return ipv6_addr_cmp((struct in6_addr *)a, 1081 (struct in6_addr *)b); 1082 } 1083} 1084 1085static inline int xfrm_policy_id2dir(u32 index) 1086{ 1087 return index & 7; 1088} 1089 1090static inline int xfrm_aevent_is_on(void) 1091{ 1092 struct sock *nlsk; 1093 int ret = 0; 1094 1095 rcu_read_lock(); 1096 nlsk = rcu_dereference(xfrm_nl); 1097 if (nlsk) 1098 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS); 1099 rcu_read_unlock(); 1100 return ret; 1101} 1102 1103static inline void xfrm_aevent_doreplay(struct xfrm_state *x) 1104{ 1105 if (xfrm_aevent_is_on()) 1106 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE); 1107} 1108 1109#ifdef CONFIG_XFRM_MIGRATE 1110static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig) 1111{ 1112 return (struct xfrm_algo *)kmemdup(orig, sizeof(*orig) + orig->alg_key_len, GFP_KERNEL); 1113} 1114 1115static inline void xfrm_states_put(struct xfrm_state **states, int n) 1116{ 1117 int i; 1118 for (i = 0; i < n; i++) 1119 xfrm_state_put(*(states + i)); 1120} 1121 1122static inline void xfrm_states_delete(struct xfrm_state **states, int n) 1123{ 1124 int i; 1125 for (i = 0; i < n; i++) 1126 xfrm_state_delete(*(states + i)); 1127} 1128#endif 1129 1130#endif /* _NET_XFRM_H */ 1131