~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/include/net/xfrm.h

Version: ~ [ linux-5.12-rc7 ] ~ [ linux-5.11.13 ] ~ [ linux-5.10.29 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.111 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.186 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.230 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.266 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.266 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /* SPDX-License-Identifier: GPL-2.0 */
  2 #ifndef _NET_XFRM_H
  3 #define _NET_XFRM_H
  4 
  5 #include <linux/compiler.h>
  6 #include <linux/xfrm.h>
  7 #include <linux/spinlock.h>
  8 #include <linux/list.h>
  9 #include <linux/skbuff.h>
 10 #include <linux/socket.h>
 11 #include <linux/pfkeyv2.h>
 12 #include <linux/ipsec.h>
 13 #include <linux/in6.h>
 14 #include <linux/mutex.h>
 15 #include <linux/audit.h>
 16 #include <linux/slab.h>
 17 #include <linux/refcount.h>
 18 
 19 #include <net/sock.h>
 20 #include <net/dst.h>
 21 #include <net/ip.h>
 22 #include <net/route.h>
 23 #include <net/ipv6.h>
 24 #include <net/ip6_fib.h>
 25 #include <net/flow.h>
 26 #include <net/gro_cells.h>
 27 
 28 #include <linux/interrupt.h>
 29 
 30 #ifdef CONFIG_XFRM_STATISTICS
 31 #include <net/snmp.h>
 32 #endif
 33 
 34 #define XFRM_PROTO_ESP          50
 35 #define XFRM_PROTO_AH           51
 36 #define XFRM_PROTO_COMP         108
 37 #define XFRM_PROTO_IPIP         4
 38 #define XFRM_PROTO_IPV6         41
 39 #define XFRM_PROTO_ROUTING      IPPROTO_ROUTING
 40 #define XFRM_PROTO_DSTOPTS      IPPROTO_DSTOPTS
 41 
 42 #define XFRM_ALIGN4(len)        (((len) + 3) & ~3)
 43 #define XFRM_ALIGN8(len)        (((len) + 7) & ~7)
 44 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
 45         MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
 46 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
 47         MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
 48 #define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \
 49         MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto))
 50 
 51 #ifdef CONFIG_XFRM_STATISTICS
 52 #define XFRM_INC_STATS(net, field)      SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
 53 #else
 54 #define XFRM_INC_STATS(net, field)      ((void)(net))
 55 #endif
 56 
 57 
 58 /* Organization of SPD aka "XFRM rules"
 59    ------------------------------------
 60 
 61    Basic objects:
 62    - policy rule, struct xfrm_policy (=SPD entry)
 63    - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
 64    - instance of a transformer, struct xfrm_state (=SA)
 65    - template to clone xfrm_state, struct xfrm_tmpl
 66 
 67    SPD is plain linear list of xfrm_policy rules, ordered by priority.
 68    (To be compatible with existing pfkeyv2 implementations,
 69    many rules with priority of 0x7fffffff are allowed to exist and
 70    such rules are ordered in an unpredictable way, thanks to bsd folks.)
 71 
 72    Lookup is plain linear search until the first match with selector.
 73 
 74    If "action" is "block", then we prohibit the flow, otherwise:
 75    if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
 76    policy entry has list of up to XFRM_MAX_DEPTH transformations,
 77    described by templates xfrm_tmpl. Each template is resolved
 78    to a complete xfrm_state (see below) and we pack bundle of transformations
 79    to a dst_entry returned to requestor.
 80 
 81    dst -. xfrm  .-> xfrm_state #1
 82     |---. child .-> dst -. xfrm .-> xfrm_state #2
 83                      |---. child .-> dst -. xfrm .-> xfrm_state #3
 84                                       |---. child .-> NULL
 85 
 86    Bundles are cached at xrfm_policy struct (field ->bundles).
 87 
 88 
 89    Resolution of xrfm_tmpl
 90    -----------------------
 91    Template contains:
 92    1. ->mode            Mode: transport or tunnel
 93    2. ->id.proto        Protocol: AH/ESP/IPCOMP
 94    3. ->id.daddr        Remote tunnel endpoint, ignored for transport mode.
 95       Q: allow to resolve security gateway?
 96    4. ->id.spi          If not zero, static SPI.
 97    5. ->saddr           Local tunnel endpoint, ignored for transport mode.
 98    6. ->algos           List of allowed algos. Plain bitmask now.
 99       Q: ealgos, aalgos, calgos. What a mess...
100    7. ->share           Sharing mode.
101       Q: how to implement private sharing mode? To add struct sock* to
102       flow id?
103 
104    Having this template we search through SAD searching for entries
105    with appropriate mode/proto/algo, permitted by selector.
106    If no appropriate entry found, it is requested from key manager.
107 
108    PROBLEMS:
109    Q: How to find all the bundles referring to a physical path for
110       PMTU discovery? Seems, dst should contain list of all parents...
111       and enter to infinite locking hierarchy disaster.
112       No! It is easier, we will not search for them, let them find us.
113       We add genid to each dst plus pointer to genid of raw IP route,
114       pmtu disc will update pmtu on raw IP route and increase its genid.
115       dst_check() will see this for top level and trigger resyncing
116       metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
117  */
118 
119 struct xfrm_state_walk {
120         struct list_head        all;
121         u8                      state;
122         u8                      dying;
123         u8                      proto;
124         u32                     seq;
125         struct xfrm_address_filter *filter;
126 };
127 
128 struct xfrm_state_offload {
129         struct net_device       *dev;
130         unsigned long           offload_handle;
131         unsigned int            num_exthdrs;
132         u8                      flags;
133 };
134 
135 struct xfrm_mode {
136         u8 encap;
137         u8 family;
138         u8 flags;
139 };
140 
141 /* Flags for xfrm_mode. */
142 enum {
143         XFRM_MODE_FLAG_TUNNEL = 1,
144 };
145 
146 /* Full description of state of transformer. */
147 struct xfrm_state {
148         possible_net_t          xs_net;
149         union {
150                 struct hlist_node       gclist;
151                 struct hlist_node       bydst;
152         };
153         struct hlist_node       bysrc;
154         struct hlist_node       byspi;
155 
156         refcount_t              refcnt;
157         spinlock_t              lock;
158 
159         struct xfrm_id          id;
160         struct xfrm_selector    sel;
161         struct xfrm_mark        mark;
162         u32                     if_id;
163         u32                     tfcpad;
164 
165         u32                     genid;
166 
167         /* Key manager bits */
168         struct xfrm_state_walk  km;
169 
170         /* Parameters of this state. */
171         struct {
172                 u32             reqid;
173                 u8              mode;
174                 u8              replay_window;
175                 u8              aalgo, ealgo, calgo;
176                 u8              flags;
177                 u16             family;
178                 xfrm_address_t  saddr;
179                 int             header_len;
180                 int             trailer_len;
181                 u32             extra_flags;
182                 struct xfrm_mark        smark;
183         } props;
184 
185         struct xfrm_lifetime_cfg lft;
186 
187         /* Data for transformer */
188         struct xfrm_algo_auth   *aalg;
189         struct xfrm_algo        *ealg;
190         struct xfrm_algo        *calg;
191         struct xfrm_algo_aead   *aead;
192         const char              *geniv;
193 
194         /* Data for encapsulator */
195         struct xfrm_encap_tmpl  *encap;
196 
197         /* Data for care-of address */
198         xfrm_address_t  *coaddr;
199 
200         /* IPComp needs an IPIP tunnel for handling uncompressed packets */
201         struct xfrm_state       *tunnel;
202 
203         /* If a tunnel, number of users + 1 */
204         atomic_t                tunnel_users;
205 
206         /* State for replay detection */
207         struct xfrm_replay_state replay;
208         struct xfrm_replay_state_esn *replay_esn;
209 
210         /* Replay detection state at the time we sent the last notification */
211         struct xfrm_replay_state preplay;
212         struct xfrm_replay_state_esn *preplay_esn;
213 
214         /* The functions for replay detection. */
215         const struct xfrm_replay *repl;
216 
217         /* internal flag that only holds state for delayed aevent at the
218          * moment
219         */
220         u32                     xflags;
221 
222         /* Replay detection notification settings */
223         u32                     replay_maxage;
224         u32                     replay_maxdiff;
225 
226         /* Replay detection notification timer */
227         struct timer_list       rtimer;
228 
229         /* Statistics */
230         struct xfrm_stats       stats;
231 
232         struct xfrm_lifetime_cur curlft;
233         struct hrtimer          mtimer;
234 
235         struct xfrm_state_offload xso;
236 
237         /* used to fix curlft->add_time when changing date */
238         long            saved_tmo;
239 
240         /* Last used time */
241         time64_t                lastused;
242 
243         struct page_frag xfrag;
244 
245         /* Reference to data common to all the instances of this
246          * transformer. */
247         const struct xfrm_type  *type;
248         struct xfrm_mode        inner_mode;
249         struct xfrm_mode        inner_mode_iaf;
250         struct xfrm_mode        outer_mode;
251 
252         const struct xfrm_type_offload  *type_offload;
253 
254         /* Security context */
255         struct xfrm_sec_ctx     *security;
256 
257         /* Private data of this transformer, format is opaque,
258          * interpreted by xfrm_type methods. */
259         void                    *data;
260 };
261 
262 static inline struct net *xs_net(struct xfrm_state *x)
263 {
264         return read_pnet(&x->xs_net);
265 }
266 
267 /* xflags - make enum if more show up */
268 #define XFRM_TIME_DEFER 1
269 #define XFRM_SOFT_EXPIRE 2
270 
271 enum {
272         XFRM_STATE_VOID,
273         XFRM_STATE_ACQ,
274         XFRM_STATE_VALID,
275         XFRM_STATE_ERROR,
276         XFRM_STATE_EXPIRED,
277         XFRM_STATE_DEAD
278 };
279 
280 /* callback structure passed from either netlink or pfkey */
281 struct km_event {
282         union {
283                 u32 hard;
284                 u32 proto;
285                 u32 byid;
286                 u32 aevent;
287                 u32 type;
288         } data;
289 
290         u32     seq;
291         u32     portid;
292         u32     event;
293         struct net *net;
294 };
295 
296 struct xfrm_replay {
297         void    (*advance)(struct xfrm_state *x, __be32 net_seq);
298         int     (*check)(struct xfrm_state *x,
299                          struct sk_buff *skb,
300                          __be32 net_seq);
301         int     (*recheck)(struct xfrm_state *x,
302                            struct sk_buff *skb,
303                            __be32 net_seq);
304         void    (*notify)(struct xfrm_state *x, int event);
305         int     (*overflow)(struct xfrm_state *x, struct sk_buff *skb);
306 };
307 
308 struct xfrm_if_cb {
309         struct xfrm_if  *(*decode_session)(struct sk_buff *skb,
310                                            unsigned short family);
311 };
312 
313 void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb);
314 void xfrm_if_unregister_cb(void);
315 
316 struct net_device;
317 struct xfrm_type;
318 struct xfrm_dst;
319 struct xfrm_policy_afinfo {
320         struct dst_ops          *dst_ops;
321         struct dst_entry        *(*dst_lookup)(struct net *net,
322                                                int tos, int oif,
323                                                const xfrm_address_t *saddr,
324                                                const xfrm_address_t *daddr,
325                                                u32 mark);
326         int                     (*get_saddr)(struct net *net, int oif,
327                                              xfrm_address_t *saddr,
328                                              xfrm_address_t *daddr,
329                                              u32 mark);
330         int                     (*fill_dst)(struct xfrm_dst *xdst,
331                                             struct net_device *dev,
332                                             const struct flowi *fl);
333         struct dst_entry        *(*blackhole_route)(struct net *net, struct dst_entry *orig);
334 };
335 
336 int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family);
337 void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo);
338 void km_policy_notify(struct xfrm_policy *xp, int dir,
339                       const struct km_event *c);
340 void km_state_notify(struct xfrm_state *x, const struct km_event *c);
341 
342 struct xfrm_tmpl;
343 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t,
344              struct xfrm_policy *pol);
345 void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
346 int __xfrm_state_delete(struct xfrm_state *x);
347 
348 struct xfrm_state_afinfo {
349         unsigned int                    family;
350         unsigned int                    proto;
351         __be16                          eth_proto;
352         struct module                   *owner;
353         const struct xfrm_type          *type_map[IPPROTO_MAX];
354         const struct xfrm_type_offload  *type_offload_map[IPPROTO_MAX];
355 
356         int                     (*init_flags)(struct xfrm_state *x);
357         void                    (*init_tempsel)(struct xfrm_selector *sel,
358                                                 const struct flowi *fl);
359         void                    (*init_temprop)(struct xfrm_state *x,
360                                                 const struct xfrm_tmpl *tmpl,
361                                                 const xfrm_address_t *daddr,
362                                                 const xfrm_address_t *saddr);
363         int                     (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
364         int                     (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
365         int                     (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
366         int                     (*output_finish)(struct sock *sk, struct sk_buff *skb);
367         int                     (*extract_input)(struct xfrm_state *x,
368                                                  struct sk_buff *skb);
369         int                     (*extract_output)(struct xfrm_state *x,
370                                                   struct sk_buff *skb);
371         int                     (*transport_finish)(struct sk_buff *skb,
372                                                     int async);
373         void                    (*local_error)(struct sk_buff *skb, u32 mtu);
374 };
375 
376 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
377 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
378 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
379 struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family);
380 
381 struct xfrm_input_afinfo {
382         unsigned int            family;
383         int                     (*callback)(struct sk_buff *skb, u8 protocol,
384                                             int err);
385 };
386 
387 int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
388 int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
389 
390 void xfrm_flush_gc(void);
391 void xfrm_state_delete_tunnel(struct xfrm_state *x);
392 
393 struct xfrm_type {
394         char                    *description;
395         struct module           *owner;
396         u8                      proto;
397         u8                      flags;
398 #define XFRM_TYPE_NON_FRAGMENT  1
399 #define XFRM_TYPE_REPLAY_PROT   2
400 #define XFRM_TYPE_LOCAL_COADDR  4
401 #define XFRM_TYPE_REMOTE_COADDR 8
402 
403         int                     (*init_state)(struct xfrm_state *x);
404         void                    (*destructor)(struct xfrm_state *);
405         int                     (*input)(struct xfrm_state *, struct sk_buff *skb);
406         int                     (*output)(struct xfrm_state *, struct sk_buff *pskb);
407         int                     (*reject)(struct xfrm_state *, struct sk_buff *,
408                                           const struct flowi *);
409         int                     (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
410         /* Estimate maximal size of result of transformation of a dgram */
411         u32                     (*get_mtu)(struct xfrm_state *, int size);
412 };
413 
414 int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
415 int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
416 
417 struct xfrm_type_offload {
418         char            *description;
419         struct module   *owner;
420         u8              proto;
421         void            (*encap)(struct xfrm_state *, struct sk_buff *pskb);
422         int             (*input_tail)(struct xfrm_state *x, struct sk_buff *skb);
423         int             (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features);
424 };
425 
426 int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);
427 int xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);
428 
429 static inline int xfrm_af2proto(unsigned int family)
430 {
431         switch(family) {
432         case AF_INET:
433                 return IPPROTO_IPIP;
434         case AF_INET6:
435                 return IPPROTO_IPV6;
436         default:
437                 return 0;
438         }
439 }
440 
441 static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
442 {
443         if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
444             (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
445                 return &x->inner_mode;
446         else
447                 return &x->inner_mode_iaf;
448 }
449 
450 struct xfrm_tmpl {
451 /* id in template is interpreted as:
452  * daddr - destination of tunnel, may be zero for transport mode.
453  * spi   - zero to acquire spi. Not zero if spi is static, then
454  *         daddr must be fixed too.
455  * proto - AH/ESP/IPCOMP
456  */
457         struct xfrm_id          id;
458 
459 /* Source address of tunnel. Ignored, if it is not a tunnel. */
460         xfrm_address_t          saddr;
461 
462         unsigned short          encap_family;
463 
464         u32                     reqid;
465 
466 /* Mode: transport, tunnel etc. */
467         u8                      mode;
468 
469 /* Sharing mode: unique, this session only, this user only etc. */
470         u8                      share;
471 
472 /* May skip this transfomration if no SA is found */
473         u8                      optional;
474 
475 /* Skip aalgos/ealgos/calgos checks. */
476         u8                      allalgs;
477 
478 /* Bit mask of algos allowed for acquisition */
479         u32                     aalgos;
480         u32                     ealgos;
481         u32                     calgos;
482 };
483 
484 #define XFRM_MAX_DEPTH          6
485 #define XFRM_MAX_OFFLOAD_DEPTH  1
486 
487 struct xfrm_policy_walk_entry {
488         struct list_head        all;
489         u8                      dead;
490 };
491 
492 struct xfrm_policy_walk {
493         struct xfrm_policy_walk_entry walk;
494         u8 type;
495         u32 seq;
496 };
497 
498 struct xfrm_policy_queue {
499         struct sk_buff_head     hold_queue;
500         struct timer_list       hold_timer;
501         unsigned long           timeout;
502 };
503 
504 struct xfrm_policy {
505         possible_net_t          xp_net;
506         struct hlist_node       bydst;
507         struct hlist_node       byidx;
508 
509         /* This lock only affects elements except for entry. */
510         rwlock_t                lock;
511         refcount_t              refcnt;
512         u32                     pos;
513         struct timer_list       timer;
514 
515         atomic_t                genid;
516         u32                     priority;
517         u32                     index;
518         u32                     if_id;
519         struct xfrm_mark        mark;
520         struct xfrm_selector    selector;
521         struct xfrm_lifetime_cfg lft;
522         struct xfrm_lifetime_cur curlft;
523         struct xfrm_policy_walk_entry walk;
524         struct xfrm_policy_queue polq;
525         bool                    bydst_reinsert;
526         u8                      type;
527         u8                      action;
528         u8                      flags;
529         u8                      xfrm_nr;
530         u16                     family;
531         struct xfrm_sec_ctx     *security;
532         struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
533         struct hlist_node       bydst_inexact_list;
534         struct rcu_head         rcu;
535 };
536 
537 static inline struct net *xp_net(const struct xfrm_policy *xp)
538 {
539         return read_pnet(&xp->xp_net);
540 }
541 
542 struct xfrm_kmaddress {
543         xfrm_address_t          local;
544         xfrm_address_t          remote;
545         u32                     reserved;
546         u16                     family;
547 };
548 
549 struct xfrm_migrate {
550         xfrm_address_t          old_daddr;
551         xfrm_address_t          old_saddr;
552         xfrm_address_t          new_daddr;
553         xfrm_address_t          new_saddr;
554         u8                      proto;
555         u8                      mode;
556         u16                     reserved;
557         u32                     reqid;
558         u16                     old_family;
559         u16                     new_family;
560 };
561 
562 #define XFRM_KM_TIMEOUT                30
563 /* what happened */
564 #define XFRM_REPLAY_UPDATE      XFRM_AE_CR
565 #define XFRM_REPLAY_TIMEOUT     XFRM_AE_CE
566 
567 /* default aevent timeout in units of 100ms */
568 #define XFRM_AE_ETIME                   10
569 /* Async Event timer multiplier */
570 #define XFRM_AE_ETH_M                   10
571 /* default seq threshold size */
572 #define XFRM_AE_SEQT_SIZE               2
573 
574 struct xfrm_mgr {
575         struct list_head        list;
576         int                     (*notify)(struct xfrm_state *x, const struct km_event *c);
577         int                     (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
578         struct xfrm_policy      *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
579         int                     (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
580         int                     (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
581         int                     (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
582         int                     (*migrate)(const struct xfrm_selector *sel,
583                                            u8 dir, u8 type,
584                                            const struct xfrm_migrate *m,
585                                            int num_bundles,
586                                            const struct xfrm_kmaddress *k,
587                                            const struct xfrm_encap_tmpl *encap);
588         bool                    (*is_alive)(const struct km_event *c);
589 };
590 
591 int xfrm_register_km(struct xfrm_mgr *km);
592 int xfrm_unregister_km(struct xfrm_mgr *km);
593 
594 struct xfrm_tunnel_skb_cb {
595         union {
596                 struct inet_skb_parm h4;
597                 struct inet6_skb_parm h6;
598         } header;
599 
600         union {
601                 struct ip_tunnel *ip4;
602                 struct ip6_tnl *ip6;
603         } tunnel;
604 };
605 
606 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
607 
608 /*
609  * This structure is used for the duration where packets are being
610  * transformed by IPsec.  As soon as the packet leaves IPsec the
611  * area beyond the generic IP part may be overwritten.
612  */
613 struct xfrm_skb_cb {
614         struct xfrm_tunnel_skb_cb header;
615 
616         /* Sequence number for replay protection. */
617         union {
618                 struct {
619                         __u32 low;
620                         __u32 hi;
621                 } output;
622                 struct {
623                         __be32 low;
624                         __be32 hi;
625                 } input;
626         } seq;
627 };
628 
629 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
630 
631 /*
632  * This structure is used by the afinfo prepare_input/prepare_output functions
633  * to transmit header information to the mode input/output functions.
634  */
635 struct xfrm_mode_skb_cb {
636         struct xfrm_tunnel_skb_cb header;
637 
638         /* Copied from header for IPv4, always set to zero and DF for IPv6. */
639         __be16 id;
640         __be16 frag_off;
641 
642         /* IP header length (excluding options or extension headers). */
643         u8 ihl;
644 
645         /* TOS for IPv4, class for IPv6. */
646         u8 tos;
647 
648         /* TTL for IPv4, hop limitfor IPv6. */
649         u8 ttl;
650 
651         /* Protocol for IPv4, NH for IPv6. */
652         u8 protocol;
653 
654         /* Option length for IPv4, zero for IPv6. */
655         u8 optlen;
656 
657         /* Used by IPv6 only, zero for IPv4. */
658         u8 flow_lbl[3];
659 };
660 
661 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
662 
663 /*
664  * This structure is used by the input processing to locate the SPI and
665  * related information.
666  */
667 struct xfrm_spi_skb_cb {
668         struct xfrm_tunnel_skb_cb header;
669 
670         unsigned int daddroff;
671         unsigned int family;
672         __be32 seq;
673 };
674 
675 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
676 
677 #ifdef CONFIG_AUDITSYSCALL
678 static inline struct audit_buffer *xfrm_audit_start(const char *op)
679 {
680         struct audit_buffer *audit_buf = NULL;
681 
682         if (audit_enabled == AUDIT_OFF)
683                 return NULL;
684         audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
685                                     AUDIT_MAC_IPSEC_EVENT);
686         if (audit_buf == NULL)
687                 return NULL;
688         audit_log_format(audit_buf, "op=%s", op);
689         return audit_buf;
690 }
691 
692 static inline void xfrm_audit_helper_usrinfo(bool task_valid,
693                                              struct audit_buffer *audit_buf)
694 {
695         const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
696                                             audit_get_loginuid(current) :
697                                             INVALID_UID);
698         const unsigned int ses = task_valid ? audit_get_sessionid(current) :
699                 AUDIT_SID_UNSET;
700 
701         audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
702         audit_log_task_context(audit_buf);
703 }
704 
705 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
706 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
707                               bool task_valid);
708 void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
709 void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
710 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
711                                       struct sk_buff *skb);
712 void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
713                              __be32 net_seq);
714 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
715 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi,
716                                __be32 net_seq);
717 void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
718                               u8 proto);
719 #else
720 
721 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
722                                          bool task_valid)
723 {
724 }
725 
726 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
727                                             bool task_valid)
728 {
729 }
730 
731 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
732                                         bool task_valid)
733 {
734 }
735 
736 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
737                                            bool task_valid)
738 {
739 }
740 
741 static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
742                                              struct sk_buff *skb)
743 {
744 }
745 
746 static inline void xfrm_audit_state_replay(struct xfrm_state *x,
747                                            struct sk_buff *skb, __be32 net_seq)
748 {
749 }
750 
751 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
752                                       u16 family)
753 {
754 }
755 
756 static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
757                                       __be32 net_spi, __be32 net_seq)
758 {
759 }
760 
761 static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
762                                      struct sk_buff *skb, u8 proto)
763 {
764 }
765 #endif /* CONFIG_AUDITSYSCALL */
766 
767 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
768 {
769         if (likely(policy != NULL))
770                 refcount_inc(&policy->refcnt);
771 }
772 
773 void xfrm_policy_destroy(struct xfrm_policy *policy);
774 
775 static inline void xfrm_pol_put(struct xfrm_policy *policy)
776 {
777         if (refcount_dec_and_test(&policy->refcnt))
778                 xfrm_policy_destroy(policy);
779 }
780 
781 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
782 {
783         int i;
784         for (i = npols - 1; i >= 0; --i)
785                 xfrm_pol_put(pols[i]);
786 }
787 
788 void __xfrm_state_destroy(struct xfrm_state *, bool);
789 
790 static inline void __xfrm_state_put(struct xfrm_state *x)
791 {
792         refcount_dec(&x->refcnt);
793 }
794 
795 static inline void xfrm_state_put(struct xfrm_state *x)
796 {
797         if (refcount_dec_and_test(&x->refcnt))
798                 __xfrm_state_destroy(x, false);
799 }
800 
801 static inline void xfrm_state_put_sync(struct xfrm_state *x)
802 {
803         if (refcount_dec_and_test(&x->refcnt))
804                 __xfrm_state_destroy(x, true);
805 }
806 
807 static inline void xfrm_state_hold(struct xfrm_state *x)
808 {
809         refcount_inc(&x->refcnt);
810 }
811 
812 static inline bool addr_match(const void *token1, const void *token2,
813                               unsigned int prefixlen)
814 {
815         const __be32 *a1 = token1;
816         const __be32 *a2 = token2;
817         unsigned int pdw;
818         unsigned int pbi;
819 
820         pdw = prefixlen >> 5;     /* num of whole u32 in prefix */
821         pbi = prefixlen &  0x1f;  /* num of bits in incomplete u32 in prefix */
822 
823         if (pdw)
824                 if (memcmp(a1, a2, pdw << 2))
825                         return false;
826 
827         if (pbi) {
828                 __be32 mask;
829 
830                 mask = htonl((0xffffffff) << (32 - pbi));
831 
832                 if ((a1[pdw] ^ a2[pdw]) & mask)
833                         return false;
834         }
835 
836         return true;
837 }
838 
839 static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
840 {
841         /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
842         if (sizeof(long) == 4 && prefixlen == 0)
843                 return true;
844         return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen)));
845 }
846 
847 static __inline__
848 __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
849 {
850         __be16 port;
851         switch(fl->flowi_proto) {
852         case IPPROTO_TCP:
853         case IPPROTO_UDP:
854         case IPPROTO_UDPLITE:
855         case IPPROTO_SCTP:
856                 port = uli->ports.sport;
857                 break;
858         case IPPROTO_ICMP:
859         case IPPROTO_ICMPV6:
860                 port = htons(uli->icmpt.type);
861                 break;
862         case IPPROTO_MH:
863                 port = htons(uli->mht.type);
864                 break;
865         case IPPROTO_GRE:
866                 port = htons(ntohl(uli->gre_key) >> 16);
867                 break;
868         default:
869                 port = 0;       /*XXX*/
870         }
871         return port;
872 }
873 
874 static __inline__
875 __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
876 {
877         __be16 port;
878         switch(fl->flowi_proto) {
879         case IPPROTO_TCP:
880         case IPPROTO_UDP:
881         case IPPROTO_UDPLITE:
882         case IPPROTO_SCTP:
883                 port = uli->ports.dport;
884                 break;
885         case IPPROTO_ICMP:
886         case IPPROTO_ICMPV6:
887                 port = htons(uli->icmpt.code);
888                 break;
889         case IPPROTO_GRE:
890                 port = htons(ntohl(uli->gre_key) & 0xffff);
891                 break;
892         default:
893                 port = 0;       /*XXX*/
894         }
895         return port;
896 }
897 
898 bool xfrm_selector_match(const struct xfrm_selector *sel,
899                          const struct flowi *fl, unsigned short family);
900 
901 #ifdef CONFIG_SECURITY_NETWORK_XFRM
902 /*      If neither has a context --> match
903  *      Otherwise, both must have a context and the sids, doi, alg must match
904  */
905 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
906 {
907         return ((!s1 && !s2) ||
908                 (s1 && s2 &&
909                  (s1->ctx_sid == s2->ctx_sid) &&
910                  (s1->ctx_doi == s2->ctx_doi) &&
911                  (s1->ctx_alg == s2->ctx_alg)));
912 }
913 #else
914 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
915 {
916         return true;
917 }
918 #endif
919 
920 /* A struct encoding bundle of transformations to apply to some set of flow.
921  *
922  * xdst->child points to the next element of bundle.
923  * dst->xfrm  points to an instanse of transformer.
924  *
925  * Due to unfortunate limitations of current routing cache, which we
926  * have no time to fix, it mirrors struct rtable and bound to the same
927  * routing key, including saddr,daddr. However, we can have many of
928  * bundles differing by session id. All the bundles grow from a parent
929  * policy rule.
930  */
931 struct xfrm_dst {
932         union {
933                 struct dst_entry        dst;
934                 struct rtable           rt;
935                 struct rt6_info         rt6;
936         } u;
937         struct dst_entry *route;
938         struct dst_entry *child;
939         struct dst_entry *path;
940         struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
941         int num_pols, num_xfrms;
942         u32 xfrm_genid;
943         u32 policy_genid;
944         u32 route_mtu_cached;
945         u32 child_mtu_cached;
946         u32 route_cookie;
947         u32 path_cookie;
948 };
949 
950 static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst)
951 {
952 #ifdef CONFIG_XFRM
953         if (dst->xfrm) {
954                 const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst;
955 
956                 return xdst->path;
957         }
958 #endif
959         return (struct dst_entry *) dst;
960 }
961 
962 static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst)
963 {
964 #ifdef CONFIG_XFRM
965         if (dst->xfrm) {
966                 struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
967                 return xdst->child;
968         }
969 #endif
970         return NULL;
971 }
972 
973 #ifdef CONFIG_XFRM
974 static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child)
975 {
976         xdst->child = child;
977 }
978 
979 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
980 {
981         xfrm_pols_put(xdst->pols, xdst->num_pols);
982         dst_release(xdst->route);
983         if (likely(xdst->u.dst.xfrm))
984                 xfrm_state_put(xdst->u.dst.xfrm);
985 }
986 #endif
987 
988 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
989 
990 struct xfrm_if_parms {
991         char name[IFNAMSIZ];    /* name of XFRM device */
992         int link;               /* ifindex of underlying L2 interface */
993         u32 if_id;              /* interface identifyer */
994 };
995 
996 struct xfrm_if {
997         struct xfrm_if __rcu *next;     /* next interface in list */
998         struct net_device *dev;         /* virtual device associated with interface */
999         struct net_device *phydev;      /* physical device */
1000         struct net *net;                /* netns for packet i/o */
1001         struct xfrm_if_parms p;         /* interface parms */
1002 
1003         struct gro_cells gro_cells;
1004 };
1005 
1006 struct xfrm_offload {
1007         /* Output sequence number for replay protection on offloading. */
1008         struct {
1009                 __u32 low;
1010                 __u32 hi;
1011         } seq;
1012 
1013         __u32                   flags;
1014 #define SA_DELETE_REQ           1
1015 #define CRYPTO_DONE             2
1016 #define CRYPTO_NEXT_DONE        4
1017 #define CRYPTO_FALLBACK         8
1018 #define XFRM_GSO_SEGMENT        16
1019 #define XFRM_GRO                32
1020 #define XFRM_ESP_NO_TRAILER     64
1021 #define XFRM_DEV_RESUME         128
1022 
1023         __u32                   status;
1024 #define CRYPTO_SUCCESS                          1
1025 #define CRYPTO_GENERIC_ERROR                    2
1026 #define CRYPTO_TRANSPORT_AH_AUTH_FAILED         4
1027 #define CRYPTO_TRANSPORT_ESP_AUTH_FAILED        8
1028 #define CRYPTO_TUNNEL_AH_AUTH_FAILED            16
1029 #define CRYPTO_TUNNEL_ESP_AUTH_FAILED           32
1030 #define CRYPTO_INVALID_PACKET_SYNTAX            64
1031 #define CRYPTO_INVALID_PROTOCOL                 128
1032 
1033         __u8                    proto;
1034 };
1035 
1036 struct sec_path {
1037         int                     len;
1038         int                     olen;
1039 
1040         struct xfrm_state       *xvec[XFRM_MAX_DEPTH];
1041         struct xfrm_offload     ovec[XFRM_MAX_OFFLOAD_DEPTH];
1042 };
1043 
1044 struct sec_path *secpath_set(struct sk_buff *skb);
1045 
1046 static inline void
1047 secpath_reset(struct sk_buff *skb)
1048 {
1049 #ifdef CONFIG_XFRM
1050         skb_ext_del(skb, SKB_EXT_SEC_PATH);
1051 #endif
1052 }
1053 
1054 static inline int
1055 xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1056 {
1057         switch (family) {
1058         case AF_INET:
1059                 return addr->a4 == 0;
1060         case AF_INET6:
1061                 return ipv6_addr_any(&addr->in6);
1062         }
1063         return 0;
1064 }
1065 
1066 static inline int
1067 __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1068 {
1069         return  (tmpl->saddr.a4 &&
1070                  tmpl->saddr.a4 != x->props.saddr.a4);
1071 }
1072 
1073 static inline int
1074 __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1075 {
1076         return  (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1077                  !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1078 }
1079 
1080 static inline int
1081 xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1082 {
1083         switch (family) {
1084         case AF_INET:
1085                 return __xfrm4_state_addr_cmp(tmpl, x);
1086         case AF_INET6:
1087                 return __xfrm6_state_addr_cmp(tmpl, x);
1088         }
1089         return !0;
1090 }
1091 
1092 #ifdef CONFIG_XFRM
1093 int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
1094                         unsigned short family);
1095 
1096 static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1097                                        struct sk_buff *skb,
1098                                        unsigned int family, int reverse)
1099 {
1100         struct net *net = dev_net(skb->dev);
1101         int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1102 
1103         if (sk && sk->sk_policy[XFRM_POLICY_IN])
1104                 return __xfrm_policy_check(sk, ndir, skb, family);
1105 
1106         return  (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
1107                 (skb_dst(skb)->flags & DST_NOPOLICY) ||
1108                 __xfrm_policy_check(sk, ndir, skb, family);
1109 }
1110 
1111 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1112 {
1113         return __xfrm_policy_check2(sk, dir, skb, family, 0);
1114 }
1115 
1116 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1117 {
1118         return xfrm_policy_check(sk, dir, skb, AF_INET);
1119 }
1120 
1121 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1122 {
1123         return xfrm_policy_check(sk, dir, skb, AF_INET6);
1124 }
1125 
1126 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1127                                              struct sk_buff *skb)
1128 {
1129         return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1130 }
1131 
1132 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1133                                              struct sk_buff *skb)
1134 {
1135         return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1136 }
1137 
1138 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1139                           unsigned int family, int reverse);
1140 
1141 static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1142                                       unsigned int family)
1143 {
1144         return __xfrm_decode_session(skb, fl, family, 0);
1145 }
1146 
1147 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1148                                               struct flowi *fl,
1149                                               unsigned int family)
1150 {
1151         return __xfrm_decode_session(skb, fl, family, 1);
1152 }
1153 
1154 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1155 
1156 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1157 {
1158         struct net *net = dev_net(skb->dev);
1159 
1160         return  !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
1161                 (skb_dst(skb)->flags & DST_NOXFRM) ||
1162                 __xfrm_route_forward(skb, family);
1163 }
1164 
1165 static inline int xfrm4_route_forward(struct sk_buff *skb)
1166 {
1167         return xfrm_route_forward(skb, AF_INET);
1168 }
1169 
1170 static inline int xfrm6_route_forward(struct sk_buff *skb)
1171 {
1172         return xfrm_route_forward(skb, AF_INET6);
1173 }
1174 
1175 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk);
1176 
1177 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
1178 {
1179         sk->sk_policy[0] = NULL;
1180         sk->sk_policy[1] = NULL;
1181         if (unlikely(osk->sk_policy[0] || osk->sk_policy[1]))
1182                 return __xfrm_sk_clone_policy(sk, osk);
1183         return 0;
1184 }
1185 
1186 int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1187 
1188 static inline void xfrm_sk_free_policy(struct sock *sk)
1189 {
1190         struct xfrm_policy *pol;
1191 
1192         pol = rcu_dereference_protected(sk->sk_policy[0], 1);
1193         if (unlikely(pol != NULL)) {
1194                 xfrm_policy_delete(pol, XFRM_POLICY_MAX);
1195                 sk->sk_policy[0] = NULL;
1196         }
1197         pol = rcu_dereference_protected(sk->sk_policy[1], 1);
1198         if (unlikely(pol != NULL)) {
1199                 xfrm_policy_delete(pol, XFRM_POLICY_MAX+1);
1200                 sk->sk_policy[1] = NULL;
1201         }
1202 }
1203 
1204 #else
1205 
1206 static inline void xfrm_sk_free_policy(struct sock *sk) {}
1207 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; }
1208 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
1209 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
1210 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1211 {
1212         return 1;
1213 }
1214 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1215 {
1216         return 1;
1217 }
1218 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1219 {
1220         return 1;
1221 }
1222 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1223                                               struct flowi *fl,
1224                                               unsigned int family)
1225 {
1226         return -ENOSYS;
1227 }
1228 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1229                                              struct sk_buff *skb)
1230 {
1231         return 1;
1232 }
1233 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1234                                              struct sk_buff *skb)
1235 {
1236         return 1;
1237 }
1238 #endif
1239 
1240 static __inline__
1241 xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1242 {
1243         switch (family){
1244         case AF_INET:
1245                 return (xfrm_address_t *)&fl->u.ip4.daddr;
1246         case AF_INET6:
1247                 return (xfrm_address_t *)&fl->u.ip6.daddr;
1248         }
1249         return NULL;
1250 }
1251 
1252 static __inline__
1253 xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1254 {
1255         switch (family){
1256         case AF_INET:
1257                 return (xfrm_address_t *)&fl->u.ip4.saddr;
1258         case AF_INET6:
1259                 return (xfrm_address_t *)&fl->u.ip6.saddr;
1260         }
1261         return NULL;
1262 }
1263 
1264 static __inline__
1265 void xfrm_flowi_addr_get(const struct flowi *fl,
1266                          xfrm_address_t *saddr, xfrm_address_t *daddr,
1267                          unsigned short family)
1268 {
1269         switch(family) {
1270         case AF_INET:
1271                 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1272                 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1273                 break;
1274         case AF_INET6:
1275                 saddr->in6 = fl->u.ip6.saddr;
1276                 daddr->in6 = fl->u.ip6.daddr;
1277                 break;
1278         }
1279 }
1280 
1281 static __inline__ int
1282 __xfrm4_state_addr_check(const struct xfrm_state *x,
1283                          const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1284 {
1285         if (daddr->a4 == x->id.daddr.a4 &&
1286             (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1287                 return 1;
1288         return 0;
1289 }
1290 
1291 static __inline__ int
1292 __xfrm6_state_addr_check(const struct xfrm_state *x,
1293                          const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1294 {
1295         if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1296             (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
1297              ipv6_addr_any((struct in6_addr *)saddr) ||
1298              ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1299                 return 1;
1300         return 0;
1301 }
1302 
1303 static __inline__ int
1304 xfrm_state_addr_check(const struct xfrm_state *x,
1305                       const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1306                       unsigned short family)
1307 {
1308         switch (family) {
1309         case AF_INET:
1310                 return __xfrm4_state_addr_check(x, daddr, saddr);
1311         case AF_INET6:
1312                 return __xfrm6_state_addr_check(x, daddr, saddr);
1313         }
1314         return 0;
1315 }
1316 
1317 static __inline__ int
1318 xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1319                            unsigned short family)
1320 {
1321         switch (family) {
1322         case AF_INET:
1323                 return __xfrm4_state_addr_check(x,
1324                                                 (const xfrm_address_t *)&fl->u.ip4.daddr,
1325                                                 (const xfrm_address_t *)&fl->u.ip4.saddr);
1326         case AF_INET6:
1327                 return __xfrm6_state_addr_check(x,
1328                                                 (const xfrm_address_t *)&fl->u.ip6.daddr,
1329                                                 (const xfrm_address_t *)&fl->u.ip6.saddr);
1330         }
1331         return 0;
1332 }
1333 
1334 static inline int xfrm_state_kern(const struct xfrm_state *x)
1335 {
1336         return atomic_read(&x->tunnel_users);
1337 }
1338 
1339 static inline bool xfrm_id_proto_valid(u8 proto)
1340 {
1341         switch (proto) {
1342         case IPPROTO_AH:
1343         case IPPROTO_ESP:
1344         case IPPROTO_COMP:
1345 #if IS_ENABLED(CONFIG_IPV6)
1346         case IPPROTO_ROUTING:
1347         case IPPROTO_DSTOPTS:
1348 #endif
1349                 return true;
1350         default:
1351                 return false;
1352         }
1353 }
1354 
1355 /* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */
1356 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1357 {
1358         return (!userproto || proto == userproto ||
1359                 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1360                                                   proto == IPPROTO_ESP ||
1361                                                   proto == IPPROTO_COMP)));
1362 }
1363 
1364 /*
1365  * xfrm algorithm information
1366  */
1367 struct xfrm_algo_aead_info {
1368         char *geniv;
1369         u16 icv_truncbits;
1370 };
1371 
1372 struct xfrm_algo_auth_info {
1373         u16 icv_truncbits;
1374         u16 icv_fullbits;
1375 };
1376 
1377 struct xfrm_algo_encr_info {
1378         char *geniv;
1379         u16 blockbits;
1380         u16 defkeybits;
1381 };
1382 
1383 struct xfrm_algo_comp_info {
1384         u16 threshold;
1385 };
1386 
1387 struct xfrm_algo_desc {
1388         char *name;
1389         char *compat;
1390         u8 available:1;
1391         u8 pfkey_supported:1;
1392         union {
1393                 struct xfrm_algo_aead_info aead;
1394                 struct xfrm_algo_auth_info auth;
1395                 struct xfrm_algo_encr_info encr;
1396                 struct xfrm_algo_comp_info comp;
1397         } uinfo;
1398         struct sadb_alg desc;
1399 };
1400 
1401 /* XFRM protocol handlers.  */
1402 struct xfrm4_protocol {
1403         int (*handler)(struct sk_buff *skb);
1404         int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1405                              int encap_type);
1406         int (*cb_handler)(struct sk_buff *skb, int err);
1407         int (*err_handler)(struct sk_buff *skb, u32 info);
1408 
1409         struct xfrm4_protocol __rcu *next;
1410         int priority;
1411 };
1412 
1413 struct xfrm6_protocol {
1414         int (*handler)(struct sk_buff *skb);
1415         int (*cb_handler)(struct sk_buff *skb, int err);
1416         int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1417                            u8 type, u8 code, int offset, __be32 info);
1418 
1419         struct xfrm6_protocol __rcu *next;
1420         int priority;
1421 };
1422 
1423 /* XFRM tunnel handlers.  */
1424 struct xfrm_tunnel {
1425         int (*handler)(struct sk_buff *skb);
1426         int (*err_handler)(struct sk_buff *skb, u32 info);
1427 
1428         struct xfrm_tunnel __rcu *next;
1429         int priority;
1430 };
1431 
1432 struct xfrm6_tunnel {
1433         int (*handler)(struct sk_buff *skb);
1434         int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1435                            u8 type, u8 code, int offset, __be32 info);
1436         struct xfrm6_tunnel __rcu *next;
1437         int priority;
1438 };
1439 
1440 void xfrm_init(void);
1441 void xfrm4_init(void);
1442 int xfrm_state_init(struct net *net);
1443 void xfrm_state_fini(struct net *net);
1444 void xfrm4_state_init(void);
1445 void xfrm4_protocol_init(void);
1446 #ifdef CONFIG_XFRM
1447 int xfrm6_init(void);
1448 void xfrm6_fini(void);
1449 int xfrm6_state_init(void);
1450 void xfrm6_state_fini(void);
1451 int xfrm6_protocol_init(void);
1452 void xfrm6_protocol_fini(void);
1453 #else
1454 static inline int xfrm6_init(void)
1455 {
1456         return 0;
1457 }
1458 static inline void xfrm6_fini(void)
1459 {
1460         ;
1461 }
1462 #endif
1463 
1464 #ifdef CONFIG_XFRM_STATISTICS
1465 int xfrm_proc_init(struct net *net);
1466 void xfrm_proc_fini(struct net *net);
1467 #endif
1468 
1469 int xfrm_sysctl_init(struct net *net);
1470 #ifdef CONFIG_SYSCTL
1471 void xfrm_sysctl_fini(struct net *net);
1472 #else
1473 static inline void xfrm_sysctl_fini(struct net *net)
1474 {
1475 }
1476 #endif
1477 
1478 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
1479                           struct xfrm_address_filter *filter);
1480 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1481                     int (*func)(struct xfrm_state *, int, void*), void *);
1482 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
1483 struct xfrm_state *xfrm_state_alloc(struct net *net);
1484 void xfrm_state_free(struct xfrm_state *x);
1485 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1486                                    const xfrm_address_t *saddr,
1487                                    const struct flowi *fl,
1488                                    struct xfrm_tmpl *tmpl,
1489                                    struct xfrm_policy *pol, int *err,
1490                                    unsigned short family, u32 if_id);
1491 struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id,
1492                                        xfrm_address_t *daddr,
1493                                        xfrm_address_t *saddr,
1494                                        unsigned short family,
1495                                        u8 mode, u8 proto, u32 reqid);
1496 struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1497                                               unsigned short family);
1498 int xfrm_state_check_expire(struct xfrm_state *x);
1499 void xfrm_state_insert(struct xfrm_state *x);
1500 int xfrm_state_add(struct xfrm_state *x);
1501 int xfrm_state_update(struct xfrm_state *x);
1502 struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1503                                      const xfrm_address_t *daddr, __be32 spi,
1504                                      u8 proto, unsigned short family);
1505 struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1506                                             const xfrm_address_t *daddr,
1507                                             const xfrm_address_t *saddr,
1508                                             u8 proto,
1509                                             unsigned short family);
1510 #ifdef CONFIG_XFRM_SUB_POLICY
1511 int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1512                    unsigned short family, struct net *net);
1513 int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1514                     unsigned short family);
1515 #else
1516 static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1517                                  int n, unsigned short family, struct net *net)
1518 {
1519         return -ENOSYS;
1520 }
1521 
1522 static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1523                                   int n, unsigned short family)
1524 {
1525         return -ENOSYS;
1526 }
1527 #endif
1528 
1529 struct xfrmk_sadinfo {
1530         u32 sadhcnt; /* current hash bkts */
1531         u32 sadhmcnt; /* max allowed hash bkts */
1532         u32 sadcnt; /* current running count */
1533 };
1534 
1535 struct xfrmk_spdinfo {
1536         u32 incnt;
1537         u32 outcnt;
1538         u32 fwdcnt;
1539         u32 inscnt;
1540         u32 outscnt;
1541         u32 fwdscnt;
1542         u32 spdhcnt;
1543         u32 spdhmcnt;
1544 };
1545 
1546 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
1547 int xfrm_state_delete(struct xfrm_state *x);
1548 int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
1549 int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
1550 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1551 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1552 u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1553 int xfrm_init_replay(struct xfrm_state *x);
1554 int xfrm_state_mtu(struct xfrm_state *x, int mtu);
1555 int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload);
1556 int xfrm_init_state(struct xfrm_state *x);
1557 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
1558 int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1559 int xfrm_trans_queue(struct sk_buff *skb,
1560                      int (*finish)(struct net *, struct sock *,
1561                                    struct sk_buff *));
1562 int xfrm_output_resume(struct sk_buff *skb, int err);
1563 int xfrm_output(struct sock *sk, struct sk_buff *skb);
1564 
1565 #if IS_ENABLED(CONFIG_NET_PKTGEN)
1566 int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb);
1567 #endif
1568 
1569 void xfrm_local_error(struct sk_buff *skb, int mtu);
1570 int xfrm4_extract_header(struct sk_buff *skb);
1571 int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1572 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1573                     int encap_type);
1574 int xfrm4_transport_finish(struct sk_buff *skb, int async);
1575 int xfrm4_rcv(struct sk_buff *skb);
1576 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1577 
1578 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1579 {
1580         XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
1581         XFRM_SPI_SKB_CB(skb)->family = AF_INET;
1582         XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
1583         return xfrm_input(skb, nexthdr, spi, 0);
1584 }
1585 
1586 int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1587 int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1588 int xfrm4_output_finish(struct sock *sk, struct sk_buff *skb);
1589 int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);
1590 int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);
1591 int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1592 int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1593 void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
1594 int xfrm6_extract_header(struct sk_buff *skb);
1595 int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1596 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
1597                   struct ip6_tnl *t);
1598 int xfrm6_transport_finish(struct sk_buff *skb, int async);
1599 int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t);
1600 int xfrm6_rcv(struct sk_buff *skb);
1601 int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1602                      xfrm_address_t *saddr, u8 proto);
1603 void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
1604 int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);
1605 int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);
1606 int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1607 int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1608 __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1609 __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1610 int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1611 int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1612 int xfrm6_output_finish(struct sock *sk, struct sk_buff *skb);
1613 int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1614                           u8 **prevhdr);
1615 
1616 #ifdef CONFIG_XFRM
1617 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1618 int xfrm_user_policy(struct sock *sk, int optname,
1619                      u8 __user *optval, int optlen);
1620 #else
1621 static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1622 {
1623         return -ENOPROTOOPT;
1624 }
1625 
1626 static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1627 {
1628         /* should not happen */
1629         kfree_skb(skb);
1630         return 0;
1631 }
1632 #endif
1633 
1634 struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
1635                                     const xfrm_address_t *saddr,
1636                                     const xfrm_address_t *daddr,
1637                                     int family, u32 mark);
1638 
1639 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1640 
1641 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1642 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1643                      int (*func)(struct xfrm_policy *, int, int, void*),
1644                      void *);
1645 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1646 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1647 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u32 if_id,
1648                                           u8 type, int dir,
1649                                           struct xfrm_selector *sel,
1650                                           struct xfrm_sec_ctx *ctx, int delete,
1651                                           int *err);
1652 struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u32 if_id, u8,
1653                                      int dir, u32 id, int delete, int *err);
1654 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
1655 void xfrm_policy_hash_rebuild(struct net *net);
1656 u32 xfrm_get_acqseq(void);
1657 int verify_spi_info(u8 proto, u32 min, u32 max);
1658 int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1659 struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
1660                                  u8 mode, u32 reqid, u32 if_id, u8 proto,
1661                                  const xfrm_address_t *daddr,
1662                                  const xfrm_address_t *saddr, int create,
1663                                  unsigned short family);
1664 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1665 
1666 #ifdef CONFIG_XFRM_MIGRATE
1667 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1668                const struct xfrm_migrate *m, int num_bundles,
1669                const struct xfrm_kmaddress *k,
1670                const struct xfrm_encap_tmpl *encap);
1671 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net);
1672 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
1673                                       struct xfrm_migrate *m,
1674                                       struct xfrm_encap_tmpl *encap);
1675 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1676                  struct xfrm_migrate *m, int num_bundles,
1677                  struct xfrm_kmaddress *k, struct net *net,
1678                  struct xfrm_encap_tmpl *encap);
1679 #endif
1680 
1681 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1682 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1683 int km_report(struct net *net, u8 proto, struct xfrm_selector *sel,
1684               xfrm_address_t *addr);
1685 
1686 void xfrm_input_init(void);
1687 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1688 
1689 void xfrm_probe_algs(void);
1690 int xfrm_count_pfkey_auth_supported(void);
1691 int xfrm_count_pfkey_enc_supported(void);
1692 struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1693 struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1694 struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1695 struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1696 struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1697 struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1698 struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1699 struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1700 struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1701                                             int probe);
1702 
1703 static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1704                                     const xfrm_address_t *b)
1705 {
1706         return ipv6_addr_equal((const struct in6_addr *)a,
1707                                (const struct in6_addr *)b);
1708 }
1709 
1710 static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1711                                    const xfrm_address_t *b,
1712                                    sa_family_t family)
1713 {
1714         switch (family) {
1715         default:
1716         case AF_INET:
1717                 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1718         case AF_INET6:
1719                 return xfrm6_addr_equal(a, b);
1720         }
1721 }
1722 
1723 static inline int xfrm_policy_id2dir(u32 index)
1724 {
1725         return index & 7;
1726 }
1727 
1728 #ifdef CONFIG_XFRM
1729 static inline int xfrm_aevent_is_on(struct net *net)
1730 {
1731         struct sock *nlsk;
1732         int ret = 0;
1733 
1734         rcu_read_lock();
1735         nlsk = rcu_dereference(net->xfrm.nlsk);
1736         if (nlsk)
1737                 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1738         rcu_read_unlock();
1739         return ret;
1740 }
1741 
1742 static inline int xfrm_acquire_is_on(struct net *net)
1743 {
1744         struct sock *nlsk;
1745         int ret = 0;
1746 
1747         rcu_read_lock();
1748         nlsk = rcu_dereference(net->xfrm.nlsk);
1749         if (nlsk)
1750                 ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE);
1751         rcu_read_unlock();
1752 
1753         return ret;
1754 }
1755 #endif
1756 
1757 static inline unsigned int aead_len(struct xfrm_algo_aead *alg)
1758 {
1759         return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1760 }
1761 
1762 static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg)
1763 {
1764         return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1765 }
1766 
1767 static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1768 {
1769         return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1770 }
1771 
1772 static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1773 {
1774         return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1775 }
1776 
1777 #ifdef CONFIG_XFRM_MIGRATE
1778 static inline int xfrm_replay_clone(struct xfrm_state *x,
1779                                      struct xfrm_state *orig)
1780 {
1781         x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn),
1782                                 GFP_KERNEL);
1783         if (!x->replay_esn)
1784                 return -ENOMEM;
1785 
1786         x->replay_esn->bmp_len = orig->replay_esn->bmp_len;
1787         x->replay_esn->replay_window = orig->replay_esn->replay_window;
1788 
1789         x->preplay_esn = kmemdup(x->replay_esn,
1790                                  xfrm_replay_state_esn_len(x->replay_esn),
1791                                  GFP_KERNEL);
1792         if (!x->preplay_esn) {
1793                 kfree(x->replay_esn);
1794                 return -ENOMEM;
1795         }
1796 
1797         return 0;
1798 }
1799 
1800 static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig)
1801 {
1802         return kmemdup(orig, aead_len(orig), GFP_KERNEL);
1803 }
1804 
1805 
1806 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1807 {
1808         return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1809 }
1810 
1811 static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1812 {
1813         return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1814 }
1815 
1816 static inline void xfrm_states_put(struct xfrm_state **states, int n)
1817 {
1818         int i;
1819         for (i = 0; i < n; i++)
1820                 xfrm_state_put(*(states + i));
1821 }
1822 
1823 static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1824 {
1825         int i;
1826         for (i = 0; i < n; i++)
1827                 xfrm_state_delete(*(states + i));
1828 }
1829 #endif
1830 
1831 #ifdef CONFIG_XFRM
1832 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1833 {
1834         struct sec_path *sp = skb_sec_path(skb);
1835 
1836         return sp->xvec[sp->len - 1];
1837 }
1838 #endif
1839 
1840 static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
1841 {
1842 #ifdef CONFIG_XFRM
1843         struct sec_path *sp = skb_sec_path(skb);
1844 
1845         if (!sp || !sp->olen || sp->len != sp->olen)
1846                 return NULL;
1847 
1848         return &sp->ovec[sp->olen - 1];
1849 #else
1850         return NULL;
1851 #endif
1852 }
1853 
1854 void __init xfrm_dev_init(void);
1855 
1856 #ifdef CONFIG_XFRM_OFFLOAD
1857 void xfrm_dev_resume(struct sk_buff *skb);
1858 void xfrm_dev_backlog(struct softnet_data *sd);
1859 struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again);
1860 int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
1861                        struct xfrm_user_offload *xuo);
1862 bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
1863 
1864 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1865 {
1866         struct xfrm_state_offload *xso = &x->xso;
1867 
1868         if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn)
1869                 xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
1870 }
1871 
1872 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1873 {
1874         struct xfrm_state *x = dst->xfrm;
1875         struct xfrm_dst *xdst;
1876 
1877         if (!x || !x->type_offload)
1878                 return false;
1879 
1880         xdst = (struct xfrm_dst *) dst;
1881         if (!x->xso.offload_handle && !xdst->child->xfrm)
1882                 return true;
1883         if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) &&
1884             !xdst->child->xfrm)
1885                 return true;
1886 
1887         return false;
1888 }
1889 
1890 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1891 {
1892         struct xfrm_state_offload *xso = &x->xso;
1893 
1894         if (xso->dev)
1895                 xso->dev->xfrmdev_ops->xdo_dev_state_delete(x);
1896 }
1897 
1898 static inline void xfrm_dev_state_free(struct xfrm_state *x)
1899 {
1900         struct xfrm_state_offload *xso = &x->xso;
1901         struct net_device *dev = xso->dev;
1902 
1903         if (dev && dev->xfrmdev_ops) {
1904                 if (dev->xfrmdev_ops->xdo_dev_state_free)
1905                         dev->xfrmdev_ops->xdo_dev_state_free(x);
1906                 xso->dev = NULL;
1907                 dev_put(dev);
1908         }
1909 }
1910 #else
1911 static inline void xfrm_dev_resume(struct sk_buff *skb)
1912 {
1913 }
1914 
1915 static inline void xfrm_dev_backlog(struct softnet_data *sd)
1916 {
1917 }
1918 
1919 static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
1920 {
1921         return skb;
1922 }
1923 
1924 static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo)
1925 {
1926         return 0;
1927 }
1928 
1929 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1930 {
1931 }
1932 
1933 static inline void xfrm_dev_state_free(struct xfrm_state *x)
1934 {
1935 }
1936 
1937 static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
1938 {
1939         return false;
1940 }
1941 
1942 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1943 {
1944 }
1945 
1946 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1947 {
1948         return false;
1949 }
1950 #endif
1951 
1952 static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
1953 {
1954         if (attrs[XFRMA_MARK])
1955                 memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
1956         else
1957                 m->v = m->m = 0;
1958 
1959         return m->v & m->m;
1960 }
1961 
1962 static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
1963 {
1964         int ret = 0;
1965 
1966         if (m->m | m->v)
1967                 ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
1968         return ret;
1969 }
1970 
1971 static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x)
1972 {
1973         struct xfrm_mark *m = &x->props.smark;
1974 
1975         return (m->v & m->m) | (mark & ~m->m);
1976 }
1977 
1978 static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id)
1979 {
1980         int ret = 0;
1981 
1982         if (if_id)
1983                 ret = nla_put_u32(skb, XFRMA_IF_ID, if_id);
1984         return ret;
1985 }
1986 
1987 static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
1988                                     unsigned int family)
1989 {
1990         bool tunnel = false;
1991 
1992         switch(family) {
1993         case AF_INET:
1994                 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
1995                         tunnel = true;
1996                 break;
1997         case AF_INET6:
1998                 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
1999                         tunnel = true;
2000                 break;
2001         }
2002         if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL))
2003                 return -EINVAL;
2004 
2005         return 0;
2006 }
2007 #endif  /* _NET_XFRM_H */
2008 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp