4 #include <linux/compiler.h>
5 #include <linux/xfrm.h>
6 #include <linux/spinlock.h>
7 #include <linux/list.h>
8 #include <linux/skbuff.h>
9 #include <linux/socket.h>
10 #include <linux/pfkeyv2.h>
11 #include <linux/ipsec.h>
12 #include <linux/in6.h>
13 #include <linux/mutex.h>
14 #include <linux/audit.h>
19 #include <net/route.h>
21 #include <net/ip6_fib.h>
23 #define XFRM_PROTO_ESP 50
24 #define XFRM_PROTO_AH 51
25 #define XFRM_PROTO_COMP 108
26 #define XFRM_PROTO_IPIP 4
27 #define XFRM_PROTO_IPV6 41
28 #define XFRM_PROTO_ROUTING IPPROTO_ROUTING
29 #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS
31 #define XFRM_ALIGN8(len) (((len) + 7) & ~7)
32 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
33 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
34 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
35 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
37 extern struct sock *xfrm_nl;
38 extern u32 sysctl_xfrm_aevent_etime;
39 extern u32 sysctl_xfrm_aevent_rseqth;
41 extern struct mutex xfrm_cfg_mutex;
43 /* Organization of SPD aka "XFRM rules"
44 ------------------------------------
47 - policy rule, struct xfrm_policy (=SPD entry)
48 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
49 - instance of a transformer, struct xfrm_state (=SA)
50 - template to clone xfrm_state, struct xfrm_tmpl
52 SPD is plain linear list of xfrm_policy rules, ordered by priority.
53 (To be compatible with existing pfkeyv2 implementations,
54 many rules with priority of 0x7fffffff are allowed to exist and
55 such rules are ordered in an unpredictable way, thanks to bsd folks.)
57 Lookup is plain linear search until the first match with selector.
59 If "action" is "block", then we prohibit the flow, otherwise:
60 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
61 policy entry has list of up to XFRM_MAX_DEPTH transformations,
62 described by templates xfrm_tmpl. Each template is resolved
63 to a complete xfrm_state (see below) and we pack bundle of transformations
64 to a dst_entry returned to requestor.
66 dst -. xfrm .-> xfrm_state #1
67 |---. child .-> dst -. xfrm .-> xfrm_state #2
68 |---. child .-> dst -. xfrm .-> xfrm_state #3
71 Bundles are cached at xrfm_policy struct (field ->bundles).
74 Resolution of xrfm_tmpl
75 -----------------------
77 1. ->mode Mode: transport or tunnel
78 2. ->id.proto Protocol: AH/ESP/IPCOMP
79 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
80 Q: allow to resolve security gateway?
81 4. ->id.spi If not zero, static SPI.
82 5. ->saddr Local tunnel endpoint, ignored for transport mode.
83 6. ->algos List of allowed algos. Plain bitmask now.
84 Q: ealgos, aalgos, calgos. What a mess...
85 7. ->share Sharing mode.
86 Q: how to implement private sharing mode? To add struct sock* to
89 Having this template we search through SAD searching for entries
90 with appropriate mode/proto/algo, permitted by selector.
91 If no appropriate entry found, it is requested from key manager.
94 Q: How to find all the bundles referring to a physical path for
95 PMTU discovery? Seems, dst should contain list of all parents...
96 and enter to infinite locking hierarchy disaster.
97 No! It is easier, we will not search for them, let them find us.
98 We add genid to each dst plus pointer to genid of raw IP route,
99 pmtu disc will update pmtu on raw IP route and increase its genid.
100 dst_check() will see this for top level and trigger resyncing
101 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
104 /* Full description of state of transformer. */
107 /* Note: bydst is re-used during gc */
108 struct hlist_node bydst;
109 struct hlist_node bysrc;
110 struct hlist_node byspi;
116 struct xfrm_selector sel;
120 /* Key manger bits */
127 /* Parameters of this state. */
132 u8 aalgo, ealgo, calgo;
135 xfrm_address_t saddr;
140 struct xfrm_lifetime_cfg lft;
142 /* Data for transformer */
143 struct xfrm_algo *aalg;
144 struct xfrm_algo *ealg;
145 struct xfrm_algo *calg;
147 /* Data for encapsulator */
148 struct xfrm_encap_tmpl *encap;
150 /* Data for care-of address */
151 xfrm_address_t *coaddr;
153 /* IPComp needs an IPIP tunnel for handling uncompressed packets */
154 struct xfrm_state *tunnel;
156 /* If a tunnel, number of users + 1 */
157 atomic_t tunnel_users;
159 /* State for replay detection */
160 struct xfrm_replay_state replay;
162 /* Replay detection state at the time we sent the last notification */
163 struct xfrm_replay_state preplay;
165 /* internal flag that only holds state for delayed aevent at the
170 /* Replay detection notification settings */
174 /* Replay detection notification timer */
175 struct timer_list rtimer;
178 struct xfrm_stats stats;
180 struct xfrm_lifetime_cur curlft;
181 struct timer_list timer;
186 /* Reference to data common to all the instances of this
188 struct xfrm_type *type;
189 struct xfrm_mode *inner_mode;
190 struct xfrm_mode *outer_mode;
192 /* Security context */
193 struct xfrm_sec_ctx *security;
195 /* Private data of this transformer, format is opaque,
196 * interpreted by xfrm_type methods. */
200 /* xflags - make enum if more show up */
201 #define XFRM_TIME_DEFER 1
212 /* callback structure passed from either netlink or pfkey */
230 struct xfrm_policy_afinfo {
231 unsigned short family;
232 struct dst_ops *dst_ops;
233 void (*garbage_collect)(void);
234 int (*dst_lookup)(struct xfrm_dst **dst, struct flowi *fl);
235 int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr);
236 struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
237 int (*bundle_create)(struct xfrm_policy *policy,
238 struct xfrm_state **xfrm,
241 struct dst_entry **dst_p);
242 void (*decode_session)(struct sk_buff *skb,
246 extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
247 extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
248 extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
249 extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
252 extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
253 extern void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
254 extern int __xfrm_state_delete(struct xfrm_state *x);
256 struct xfrm_state_afinfo {
258 struct module *owner;
259 struct xfrm_type *type_map[IPPROTO_MAX];
260 struct xfrm_mode *mode_map[XFRM_MODE_MAX];
261 int (*init_flags)(struct xfrm_state *x);
262 void (*init_tempsel)(struct xfrm_state *x, struct flowi *fl,
263 struct xfrm_tmpl *tmpl,
264 xfrm_address_t *daddr, xfrm_address_t *saddr);
265 int (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
266 int (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
267 int (*output)(struct sk_buff *skb);
270 extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
271 extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
273 extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
278 struct module *owner;
281 #define XFRM_TYPE_NON_FRAGMENT 1
282 #define XFRM_TYPE_REPLAY_PROT 2
284 int (*init_state)(struct xfrm_state *x);
285 void (*destructor)(struct xfrm_state *);
286 int (*input)(struct xfrm_state *, struct sk_buff *skb);
287 int (*output)(struct xfrm_state *, struct sk_buff *pskb);
288 int (*reject)(struct xfrm_state *, struct sk_buff *, struct flowi *);
289 int (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
290 xfrm_address_t *(*local_addr)(struct xfrm_state *, xfrm_address_t *);
291 xfrm_address_t *(*remote_addr)(struct xfrm_state *, xfrm_address_t *);
292 /* Estimate maximal size of result of transformation of a dgram */
293 u32 (*get_mtu)(struct xfrm_state *, int size);
296 extern int xfrm_register_type(struct xfrm_type *type, unsigned short family);
297 extern int xfrm_unregister_type(struct xfrm_type *type, unsigned short family);
300 int (*input)(struct xfrm_state *x, struct sk_buff *skb);
303 * Add encapsulation header.
305 * On exit, the transport header will be set to the start of the
306 * encapsulation header to be filled in by x->type->output and
307 * the mac header will be set to the nextheader (protocol for
308 * IPv4) field of the extension header directly preceding the
309 * encapsulation header, or in its absence, that of the top IP
310 * header. The value of the network header will always point
311 * to the top IP header while skb->data will point to the payload.
313 int (*output)(struct xfrm_state *x,struct sk_buff *skb);
315 struct xfrm_state_afinfo *afinfo;
316 struct module *owner;
321 /* Flags for xfrm_mode. */
323 XFRM_MODE_FLAG_TUNNEL = 1,
326 extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
327 extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
331 /* id in template is interpreted as:
332 * daddr - destination of tunnel, may be zero for transport mode.
333 * spi - zero to acquire spi. Not zero if spi is static, then
334 * daddr must be fixed too.
335 * proto - AH/ESP/IPCOMP
339 /* Source address of tunnel. Ignored, if it is not a tunnel. */
340 xfrm_address_t saddr;
342 unsigned short encap_family;
346 /* Mode: transport, tunnel etc. */
349 /* Sharing mode: unique, this session only, this user only etc. */
352 /* May skip this transfomration if no SA is found */
355 /* Bit mask of algos allowed for acquisition */
361 #define XFRM_MAX_DEPTH 6
365 struct xfrm_policy *next;
366 struct hlist_node bydst;
367 struct hlist_node byidx;
369 /* This lock only affects elements except for entry. */
372 struct timer_list timer;
376 struct xfrm_selector selector;
377 struct xfrm_lifetime_cfg lft;
378 struct xfrm_lifetime_cur curlft;
379 struct dst_entry *bundles;
386 /* XXX 1 byte hole, try to pack */
387 struct xfrm_sec_ctx *security;
388 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
391 struct xfrm_migrate {
392 xfrm_address_t old_daddr;
393 xfrm_address_t old_saddr;
394 xfrm_address_t new_daddr;
395 xfrm_address_t new_saddr;
404 #define XFRM_KM_TIMEOUT 30
406 #define XFRM_REPLAY_SEQ 1
407 #define XFRM_REPLAY_OSEQ 2
408 #define XFRM_REPLAY_SEQ_MASK 3
410 #define XFRM_REPLAY_UPDATE XFRM_AE_CR
411 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
413 /* default aevent timeout in units of 100ms */
414 #define XFRM_AE_ETIME 10
415 /* Async Event timer multiplier */
416 #define XFRM_AE_ETH_M 10
417 /* default seq threshold size */
418 #define XFRM_AE_SEQT_SIZE 2
422 struct list_head list;
424 int (*notify)(struct xfrm_state *x, struct km_event *c);
425 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir);
426 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
427 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
428 int (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c);
429 int (*report)(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
430 int (*migrate)(struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles);
433 extern int xfrm_register_km(struct xfrm_mgr *km);
434 extern int xfrm_unregister_km(struct xfrm_mgr *km);
436 extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2];
439 * This structure is used for the duration where packets are being
440 * transformed by IPsec. As soon as the packet leaves IPsec the
441 * area beyond the generic IP part may be overwritten.
445 struct inet_skb_parm h4;
446 struct inet6_skb_parm h6;
449 /* Sequence number for replay protection. */
453 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
455 /* Audit Information */
462 #ifdef CONFIG_AUDITSYSCALL
463 static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid)
465 struct audit_buffer *audit_buf = NULL;
469 audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
470 AUDIT_MAC_IPSEC_EVENT);
471 if (audit_buf == NULL)
474 audit_log_format(audit_buf, "auid=%u", auid);
477 security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
478 audit_log_format(audit_buf, " subj=%s", secctx);
479 security_release_secctx(secctx, secctx_len);
481 audit_log_task_context(audit_buf);
485 extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
487 extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
489 extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
491 extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
494 #define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0)
495 #define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0)
496 #define xfrm_audit_state_add(x, r, a, s) do { ; } while (0)
497 #define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0)
498 #endif /* CONFIG_AUDITSYSCALL */
500 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
502 if (likely(policy != NULL))
503 atomic_inc(&policy->refcnt);
506 extern void __xfrm_policy_destroy(struct xfrm_policy *policy);
508 static inline void xfrm_pol_put(struct xfrm_policy *policy)
510 if (atomic_dec_and_test(&policy->refcnt))
511 __xfrm_policy_destroy(policy);
514 #ifdef CONFIG_XFRM_SUB_POLICY
515 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
518 for (i = npols - 1; i >= 0; --i)
519 xfrm_pol_put(pols[i]);
522 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
524 xfrm_pol_put(pols[0]);
528 extern void __xfrm_state_destroy(struct xfrm_state *);
530 static inline void __xfrm_state_put(struct xfrm_state *x)
532 atomic_dec(&x->refcnt);
535 static inline void xfrm_state_put(struct xfrm_state *x)
537 if (atomic_dec_and_test(&x->refcnt))
538 __xfrm_state_destroy(x);
541 static inline void xfrm_state_hold(struct xfrm_state *x)
543 atomic_inc(&x->refcnt);
546 static __inline__ int addr_match(void *token1, void *token2, int prefixlen)
553 pdw = prefixlen >> 5; /* num of whole __u32 in prefix */
554 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
557 if (memcmp(a1, a2, pdw << 2))
563 mask = htonl((0xffffffff) << (32 - pbi));
565 if ((a1[pdw] ^ a2[pdw]) & mask)
573 __be16 xfrm_flowi_sport(struct flowi *fl)
579 case IPPROTO_UDPLITE:
581 port = fl->fl_ip_sport;
585 port = htons(fl->fl_icmp_type);
588 port = htons(fl->fl_mh_type);
597 __be16 xfrm_flowi_dport(struct flowi *fl)
603 case IPPROTO_UDPLITE:
605 port = fl->fl_ip_dport;
609 port = htons(fl->fl_icmp_code);
617 extern int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
618 unsigned short family);
620 #ifdef CONFIG_SECURITY_NETWORK_XFRM
621 /* If neither has a context --> match
622 * Otherwise, both must have a context and the sids, doi, alg must match
624 static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
626 return ((!s1 && !s2) ||
628 (s1->ctx_sid == s2->ctx_sid) &&
629 (s1->ctx_doi == s2->ctx_doi) &&
630 (s1->ctx_alg == s2->ctx_alg)));
633 static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
639 /* A struct encoding bundle of transformations to apply to some set of flow.
641 * dst->child points to the next element of bundle.
642 * dst->xfrm points to an instanse of transformer.
644 * Due to unfortunate limitations of current routing cache, which we
645 * have no time to fix, it mirrors struct rtable and bound to the same
646 * routing key, including saddr,daddr. However, we can have many of
647 * bundles differing by session id. All the bundles grow from a parent
653 struct dst_entry dst;
657 struct dst_entry *route;
658 #ifdef CONFIG_XFRM_SUB_POLICY
659 struct flowi *origin;
660 struct xfrm_selector *partner;
663 u32 route_mtu_cached;
664 u32 child_mtu_cached;
669 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
671 dst_release(xdst->route);
672 if (likely(xdst->u.dst.xfrm))
673 xfrm_state_put(xdst->u.dst.xfrm);
674 #ifdef CONFIG_XFRM_SUB_POLICY
677 kfree(xdst->partner);
678 xdst->partner = NULL;
682 extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
688 struct xfrm_state *xvec[XFRM_MAX_DEPTH];
691 static inline struct sec_path *
692 secpath_get(struct sec_path *sp)
695 atomic_inc(&sp->refcnt);
699 extern void __secpath_destroy(struct sec_path *sp);
702 secpath_put(struct sec_path *sp)
704 if (sp && atomic_dec_and_test(&sp->refcnt))
705 __secpath_destroy(sp);
708 extern struct sec_path *secpath_dup(struct sec_path *src);
711 secpath_reset(struct sk_buff *skb)
714 secpath_put(skb->sp);
720 xfrm_addr_any(xfrm_address_t *addr, unsigned short family)
724 return addr->a4 == 0;
726 return ipv6_addr_any((struct in6_addr *)&addr->a6);
732 __xfrm4_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
734 return (tmpl->saddr.a4 &&
735 tmpl->saddr.a4 != x->props.saddr.a4);
739 __xfrm6_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
741 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
742 ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
746 xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family)
750 return __xfrm4_state_addr_cmp(tmpl, x);
752 return __xfrm6_state_addr_cmp(tmpl, x);
759 extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
761 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
763 if (sk && sk->sk_policy[XFRM_POLICY_IN])
764 return __xfrm_policy_check(sk, dir, skb, family);
766 return (!xfrm_policy_count[dir] && !skb->sp) ||
767 (skb->dst->flags & DST_NOPOLICY) ||
768 __xfrm_policy_check(sk, dir, skb, family);
771 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
773 return xfrm_policy_check(sk, dir, skb, AF_INET);
776 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
778 return xfrm_policy_check(sk, dir, skb, AF_INET6);
781 extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family);
782 extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
784 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
786 return !xfrm_policy_count[XFRM_POLICY_OUT] ||
787 (skb->dst->flags & DST_NOXFRM) ||
788 __xfrm_route_forward(skb, family);
791 static inline int xfrm4_route_forward(struct sk_buff *skb)
793 return xfrm_route_forward(skb, AF_INET);
796 static inline int xfrm6_route_forward(struct sk_buff *skb)
798 return xfrm_route_forward(skb, AF_INET6);
801 extern int __xfrm_sk_clone_policy(struct sock *sk);
803 static inline int xfrm_sk_clone_policy(struct sock *sk)
805 if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
806 return __xfrm_sk_clone_policy(sk);
810 extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
812 static inline void xfrm_sk_free_policy(struct sock *sk)
814 if (unlikely(sk->sk_policy[0] != NULL)) {
815 xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
816 sk->sk_policy[0] = NULL;
818 if (unlikely(sk->sk_policy[1] != NULL)) {
819 xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
820 sk->sk_policy[1] = NULL;
826 static inline void xfrm_sk_free_policy(struct sock *sk) {}
827 static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
828 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
829 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
830 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
834 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
838 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
845 xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
849 return (xfrm_address_t *)&fl->fl4_dst;
851 return (xfrm_address_t *)&fl->fl6_dst;
857 xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family)
861 return (xfrm_address_t *)&fl->fl4_src;
863 return (xfrm_address_t *)&fl->fl6_src;
868 static __inline__ int
869 __xfrm4_state_addr_check(struct xfrm_state *x,
870 xfrm_address_t *daddr, xfrm_address_t *saddr)
872 if (daddr->a4 == x->id.daddr.a4 &&
873 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
878 static __inline__ int
879 __xfrm6_state_addr_check(struct xfrm_state *x,
880 xfrm_address_t *daddr, xfrm_address_t *saddr)
882 if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
883 (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)||
884 ipv6_addr_any((struct in6_addr *)saddr) ||
885 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
890 static __inline__ int
891 xfrm_state_addr_check(struct xfrm_state *x,
892 xfrm_address_t *daddr, xfrm_address_t *saddr,
893 unsigned short family)
897 return __xfrm4_state_addr_check(x, daddr, saddr);
899 return __xfrm6_state_addr_check(x, daddr, saddr);
904 static __inline__ int
905 xfrm_state_addr_flow_check(struct xfrm_state *x, struct flowi *fl,
906 unsigned short family)
910 return __xfrm4_state_addr_check(x,
911 (xfrm_address_t *)&fl->fl4_dst,
912 (xfrm_address_t *)&fl->fl4_src);
914 return __xfrm6_state_addr_check(x,
915 (xfrm_address_t *)&fl->fl6_dst,
916 (xfrm_address_t *)&fl->fl6_src);
921 static inline int xfrm_state_kern(struct xfrm_state *x)
923 return atomic_read(&x->tunnel_users);
926 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
928 return (!userproto || proto == userproto ||
929 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
930 proto == IPPROTO_ESP ||
931 proto == IPPROTO_COMP)));
935 * xfrm algorithm information
937 struct xfrm_algo_auth_info {
942 struct xfrm_algo_encr_info {
947 struct xfrm_algo_comp_info {
951 struct xfrm_algo_desc {
956 struct xfrm_algo_auth_info auth;
957 struct xfrm_algo_encr_info encr;
958 struct xfrm_algo_comp_info comp;
960 struct sadb_alg desc;
963 /* XFRM tunnel handlers. */
965 int (*handler)(struct sk_buff *skb);
966 int (*err_handler)(struct sk_buff *skb, __u32 info);
968 struct xfrm_tunnel *next;
972 struct xfrm6_tunnel {
973 int (*handler)(struct sk_buff *skb);
974 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
975 int type, int code, int offset, __be32 info);
976 struct xfrm6_tunnel *next;
980 extern void xfrm_init(void);
981 extern void xfrm4_init(void);
982 extern void xfrm6_init(void);
983 extern void xfrm6_fini(void);
984 extern void xfrm_state_init(void);
985 extern void xfrm4_state_init(void);
986 extern void xfrm6_state_init(void);
987 extern void xfrm6_state_fini(void);
989 extern int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*), void *);
990 extern struct xfrm_state *xfrm_state_alloc(void);
991 extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
992 struct flowi *fl, struct xfrm_tmpl *tmpl,
993 struct xfrm_policy *pol, int *err,
994 unsigned short family);
995 extern struct xfrm_state * xfrm_stateonly_find(xfrm_address_t *daddr,
996 xfrm_address_t *saddr,
997 unsigned short family,
998 u8 mode, u8 proto, u32 reqid);
999 extern int xfrm_state_check_expire(struct xfrm_state *x);
1000 extern void xfrm_state_insert(struct xfrm_state *x);
1001 extern int xfrm_state_add(struct xfrm_state *x);
1002 extern int xfrm_state_update(struct xfrm_state *x);
1003 extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family);
1004 extern struct xfrm_state *xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family);
1005 #ifdef CONFIG_XFRM_SUB_POLICY
1006 extern int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1007 int n, unsigned short family);
1008 extern int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1009 int n, unsigned short family);
1011 static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1012 int n, unsigned short family)
1017 static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1018 int n, unsigned short family)
1024 struct xfrmk_sadinfo {
1025 u32 sadhcnt; /* current hash bkts */
1026 u32 sadhmcnt; /* max allowed hash bkts */
1027 u32 sadcnt; /* current running count */
1030 struct xfrmk_spdinfo {
1041 extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq);
1042 extern int xfrm_state_delete(struct xfrm_state *x);
1043 extern int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info);
1044 extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si);
1045 extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si);
1046 extern int xfrm_replay_check(struct xfrm_state *x, __be32 seq);
1047 extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);
1048 extern void xfrm_replay_notify(struct xfrm_state *x, int event);
1049 extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
1050 extern int xfrm_init_state(struct xfrm_state *x);
1051 extern int xfrm_output(struct sk_buff *skb);
1052 extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1054 extern int xfrm4_rcv(struct sk_buff *skb);
1056 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1058 return xfrm4_rcv_encap(skb, nexthdr, spi, 0);
1061 extern int xfrm4_output(struct sk_buff *skb);
1062 extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1063 extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1064 extern int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
1065 extern int xfrm6_rcv(struct sk_buff *skb);
1066 extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1067 xfrm_address_t *saddr, u8 proto);
1068 extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1069 extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1070 extern __be32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);
1071 extern void xfrm6_tunnel_free_spi(xfrm_address_t *saddr);
1072 extern __be32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr);
1073 extern int xfrm6_output(struct sk_buff *skb);
1074 extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1078 extern int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1079 extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
1080 extern int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family);
1082 static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1084 return -ENOPROTOOPT;
1087 static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1089 /* should not happen */
1094 static inline int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family)
1100 struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
1101 extern int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*), void *);
1102 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1103 struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
1104 struct xfrm_selector *sel,
1105 struct xfrm_sec_ctx *ctx, int delete,
1107 struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int *err);
1108 int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
1109 u32 xfrm_get_acqseq(void);
1110 extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1111 struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1112 xfrm_address_t *daddr, xfrm_address_t *saddr,
1113 int create, unsigned short family);
1114 extern int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
1115 extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1116 extern int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst,
1117 struct flowi *fl, int family, int strict);
1118 extern void xfrm_init_pmtu(struct dst_entry *dst);
1120 #ifdef CONFIG_XFRM_MIGRATE
1121 extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1122 struct xfrm_migrate *m, int num_bundles);
1123 extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m);
1124 extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1125 struct xfrm_migrate *m);
1126 extern int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1127 struct xfrm_migrate *m, int num_bundles);
1130 extern wait_queue_head_t km_waitq;
1131 extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1132 extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid);
1133 extern int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
1135 extern void xfrm_input_init(void);
1136 extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1138 extern void xfrm_probe_algs(void);
1139 extern int xfrm_count_auth_supported(void);
1140 extern int xfrm_count_enc_supported(void);
1141 extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1142 extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1143 extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1144 extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1145 extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1146 extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe);
1147 extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe);
1148 extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe);
1152 typedef int (icv_update_fn_t)(struct hash_desc *, struct scatterlist *,
1155 extern int skb_icv_walk(const struct sk_buff *skb, struct hash_desc *tfm,
1156 int offset, int len, icv_update_fn_t icv_update);
1158 static inline int xfrm_addr_cmp(xfrm_address_t *a, xfrm_address_t *b,
1164 return (__force __u32)a->a4 - (__force __u32)b->a4;
1166 return ipv6_addr_cmp((struct in6_addr *)a,
1167 (struct in6_addr *)b);
1171 static inline int xfrm_policy_id2dir(u32 index)
1176 static inline int xfrm_aevent_is_on(void)
1182 nlsk = rcu_dereference(xfrm_nl);
1184 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1189 #ifdef CONFIG_XFRM_MIGRATE
1190 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1192 return (struct xfrm_algo *)kmemdup(orig, sizeof(*orig) + orig->alg_key_len, GFP_KERNEL);
1195 static inline void xfrm_states_put(struct xfrm_state **states, int n)
1198 for (i = 0; i < n; i++)
1199 xfrm_state_put(*(states + i));
1202 static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1205 for (i = 0; i < n; i++)
1206 xfrm_state_delete(*(states + i));
1210 #endif /* _NET_XFRM_H */