1 /* SPDX-License-Identifier: GPL-2.0 */
5 #include <linux/compiler.h>
6 #include <linux/xfrm.h>
7 #include <linux/spinlock.h>
8 #include <linux/list.h>
9 #include <linux/skbuff.h>
10 #include <linux/socket.h>
11 #include <linux/pfkeyv2.h>
12 #include <linux/ipsec.h>
13 #include <linux/in6.h>
14 #include <linux/mutex.h>
15 #include <linux/audit.h>
16 #include <linux/slab.h>
17 #include <linux/refcount.h>
18 #include <linux/sockptr.h>
23 #include <net/route.h>
25 #include <net/ip6_fib.h>
27 #include <net/gro_cells.h>
29 #include <linux/interrupt.h>
31 #ifdef CONFIG_XFRM_STATISTICS
35 #define XFRM_PROTO_ESP 50
36 #define XFRM_PROTO_AH 51
37 #define XFRM_PROTO_COMP 108
38 #define XFRM_PROTO_IPIP 4
39 #define XFRM_PROTO_IPV6 41
40 #define XFRM_PROTO_ROUTING IPPROTO_ROUTING
41 #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS
43 #define XFRM_ALIGN4(len) (((len) + 3) & ~3)
44 #define XFRM_ALIGN8(len) (((len) + 7) & ~7)
45 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
46 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
47 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
48 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
49 #define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \
50 MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto))
52 #ifdef CONFIG_XFRM_STATISTICS
53 #define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
55 #define XFRM_INC_STATS(net, field) ((void)(net))
59 /* Organization of SPD aka "XFRM rules"
60 ------------------------------------
63 - policy rule, struct xfrm_policy (=SPD entry)
64 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
65 - instance of a transformer, struct xfrm_state (=SA)
66 - template to clone xfrm_state, struct xfrm_tmpl
68 SPD is plain linear list of xfrm_policy rules, ordered by priority.
69 (To be compatible with existing pfkeyv2 implementations,
70 many rules with priority of 0x7fffffff are allowed to exist and
71 such rules are ordered in an unpredictable way, thanks to bsd folks.)
73 Lookup is plain linear search until the first match with selector.
75 If "action" is "block", then we prohibit the flow, otherwise:
76 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
77 policy entry has list of up to XFRM_MAX_DEPTH transformations,
78 described by templates xfrm_tmpl. Each template is resolved
79 to a complete xfrm_state (see below) and we pack bundle of transformations
80 to a dst_entry returned to requestor.
82 dst -. xfrm .-> xfrm_state #1
83 |---. child .-> dst -. xfrm .-> xfrm_state #2
84 |---. child .-> dst -. xfrm .-> xfrm_state #3
87 Bundles are cached at xrfm_policy struct (field ->bundles).
90 Resolution of xrfm_tmpl
91 -----------------------
93 1. ->mode Mode: transport or tunnel
94 2. ->id.proto Protocol: AH/ESP/IPCOMP
95 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
96 Q: allow to resolve security gateway?
97 4. ->id.spi If not zero, static SPI.
98 5. ->saddr Local tunnel endpoint, ignored for transport mode.
99 6. ->algos List of allowed algos. Plain bitmask now.
100 Q: ealgos, aalgos, calgos. What a mess...
101 7. ->share Sharing mode.
102 Q: how to implement private sharing mode? To add struct sock* to
105 Having this template we search through SAD searching for entries
106 with appropriate mode/proto/algo, permitted by selector.
107 If no appropriate entry found, it is requested from key manager.
110 Q: How to find all the bundles referring to a physical path for
111 PMTU discovery? Seems, dst should contain list of all parents...
112 and enter to infinite locking hierarchy disaster.
113 No! It is easier, we will not search for them, let them find us.
114 We add genid to each dst plus pointer to genid of raw IP route,
115 pmtu disc will update pmtu on raw IP route and increase its genid.
116 dst_check() will see this for top level and trigger resyncing
117 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
120 struct xfrm_state_walk {
121 struct list_head all;
126 struct xfrm_address_filter *filter;
129 struct xfrm_state_offload {
130 struct net_device *dev;
131 struct net_device *real_dev;
132 unsigned long offload_handle;
133 unsigned int num_exthdrs;
143 /* Flags for xfrm_mode. */
145 XFRM_MODE_FLAG_TUNNEL = 1,
148 enum xfrm_replay_mode {
149 XFRM_REPLAY_MODE_LEGACY,
150 XFRM_REPLAY_MODE_BMP,
151 XFRM_REPLAY_MODE_ESN,
154 /* Full description of state of transformer. */
156 possible_net_t xs_net;
158 struct hlist_node gclist;
159 struct hlist_node bydst;
161 struct hlist_node bysrc;
162 struct hlist_node byspi;
163 struct hlist_node byseq;
169 struct xfrm_selector sel;
170 struct xfrm_mark mark;
176 /* Key manager bits */
177 struct xfrm_state_walk km;
179 /* Parameters of this state. */
184 u8 aalgo, ealgo, calgo;
187 xfrm_address_t saddr;
191 struct xfrm_mark smark;
194 struct xfrm_lifetime_cfg lft;
196 /* Data for transformer */
197 struct xfrm_algo_auth *aalg;
198 struct xfrm_algo *ealg;
199 struct xfrm_algo *calg;
200 struct xfrm_algo_aead *aead;
203 /* Data for encapsulator */
204 struct xfrm_encap_tmpl *encap;
205 struct sock __rcu *encap_sk;
207 /* Data for care-of address */
208 xfrm_address_t *coaddr;
210 /* IPComp needs an IPIP tunnel for handling uncompressed packets */
211 struct xfrm_state *tunnel;
213 /* If a tunnel, number of users + 1 */
214 atomic_t tunnel_users;
216 /* State for replay detection */
217 struct xfrm_replay_state replay;
218 struct xfrm_replay_state_esn *replay_esn;
220 /* Replay detection state at the time we sent the last notification */
221 struct xfrm_replay_state preplay;
222 struct xfrm_replay_state_esn *preplay_esn;
224 /* The functions for replay detection. */
225 const struct xfrm_replay *repl;
227 /* replay detection mode */
228 enum xfrm_replay_mode repl_mode;
229 /* internal flag that only holds state for delayed aevent at the
234 /* Replay detection notification settings */
238 /* Replay detection notification timer */
239 struct timer_list rtimer;
242 struct xfrm_stats stats;
244 struct xfrm_lifetime_cur curlft;
245 struct hrtimer mtimer;
247 struct xfrm_state_offload xso;
249 /* used to fix curlft->add_time when changing date */
255 struct page_frag xfrag;
257 /* Reference to data common to all the instances of this
259 const struct xfrm_type *type;
260 struct xfrm_mode inner_mode;
261 struct xfrm_mode inner_mode_iaf;
262 struct xfrm_mode outer_mode;
264 const struct xfrm_type_offload *type_offload;
266 /* Security context */
267 struct xfrm_sec_ctx *security;
269 /* Private data of this transformer, format is opaque,
270 * interpreted by xfrm_type methods. */
274 static inline struct net *xs_net(struct xfrm_state *x)
276 return read_pnet(&x->xs_net);
279 /* xflags - make enum if more show up */
280 #define XFRM_TIME_DEFER 1
281 #define XFRM_SOFT_EXPIRE 2
292 /* callback structure passed from either netlink or pfkey */
309 void (*advance)(struct xfrm_state *x, __be32 net_seq);
310 int (*check)(struct xfrm_state *x,
313 int (*recheck)(struct xfrm_state *x,
316 int (*overflow)(struct xfrm_state *x, struct sk_buff *skb);
320 struct xfrm_if *(*decode_session)(struct sk_buff *skb,
321 unsigned short family);
324 void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb);
325 void xfrm_if_unregister_cb(void);
330 struct xfrm_policy_afinfo {
331 struct dst_ops *dst_ops;
332 struct dst_entry *(*dst_lookup)(struct net *net,
334 const xfrm_address_t *saddr,
335 const xfrm_address_t *daddr,
337 int (*get_saddr)(struct net *net, int oif,
338 xfrm_address_t *saddr,
339 xfrm_address_t *daddr,
341 int (*fill_dst)(struct xfrm_dst *xdst,
342 struct net_device *dev,
343 const struct flowi *fl);
344 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
347 int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family);
348 void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo);
349 void km_policy_notify(struct xfrm_policy *xp, int dir,
350 const struct km_event *c);
351 void km_state_notify(struct xfrm_state *x, const struct km_event *c);
354 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t,
355 struct xfrm_policy *pol);
356 void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
357 int __xfrm_state_delete(struct xfrm_state *x);
359 struct xfrm_state_afinfo {
363 const struct xfrm_type_offload *type_offload_esp;
365 const struct xfrm_type *type_esp;
366 const struct xfrm_type *type_ipip;
367 const struct xfrm_type *type_ipip6;
368 const struct xfrm_type *type_comp;
369 const struct xfrm_type *type_ah;
370 const struct xfrm_type *type_routing;
371 const struct xfrm_type *type_dstopts;
373 int (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
374 int (*transport_finish)(struct sk_buff *skb,
376 void (*local_error)(struct sk_buff *skb, u32 mtu);
379 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
380 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
381 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
382 struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family);
384 struct xfrm_input_afinfo {
387 int (*callback)(struct sk_buff *skb, u8 protocol,
391 int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
392 int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
394 void xfrm_flush_gc(void);
395 void xfrm_state_delete_tunnel(struct xfrm_state *x);
398 struct module *owner;
401 #define XFRM_TYPE_NON_FRAGMENT 1
402 #define XFRM_TYPE_REPLAY_PROT 2
403 #define XFRM_TYPE_LOCAL_COADDR 4
404 #define XFRM_TYPE_REMOTE_COADDR 8
406 int (*init_state)(struct xfrm_state *x);
407 void (*destructor)(struct xfrm_state *);
408 int (*input)(struct xfrm_state *, struct sk_buff *skb);
409 int (*output)(struct xfrm_state *, struct sk_buff *pskb);
410 int (*reject)(struct xfrm_state *, struct sk_buff *,
411 const struct flowi *);
414 int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
415 void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
417 struct xfrm_type_offload {
418 struct module *owner;
420 void (*encap)(struct xfrm_state *, struct sk_buff *pskb);
421 int (*input_tail)(struct xfrm_state *x, struct sk_buff *skb);
422 int (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features);
425 int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);
426 void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);
428 static inline int xfrm_af2proto(unsigned int family)
440 static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
442 if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
443 (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
444 return &x->inner_mode;
446 return &x->inner_mode_iaf;
450 /* id in template is interpreted as:
451 * daddr - destination of tunnel, may be zero for transport mode.
452 * spi - zero to acquire spi. Not zero if spi is static, then
453 * daddr must be fixed too.
454 * proto - AH/ESP/IPCOMP
458 /* Source address of tunnel. Ignored, if it is not a tunnel. */
459 xfrm_address_t saddr;
461 unsigned short encap_family;
465 /* Mode: transport, tunnel etc. */
468 /* Sharing mode: unique, this session only, this user only etc. */
471 /* May skip this transfomration if no SA is found */
474 /* Skip aalgos/ealgos/calgos checks. */
477 /* Bit mask of algos allowed for acquisition */
483 #define XFRM_MAX_DEPTH 6
484 #define XFRM_MAX_OFFLOAD_DEPTH 1
486 struct xfrm_policy_walk_entry {
487 struct list_head all;
491 struct xfrm_policy_walk {
492 struct xfrm_policy_walk_entry walk;
497 struct xfrm_policy_queue {
498 struct sk_buff_head hold_queue;
499 struct timer_list hold_timer;
500 unsigned long timeout;
504 possible_net_t xp_net;
505 struct hlist_node bydst;
506 struct hlist_node byidx;
508 /* This lock only affects elements except for entry. */
512 struct timer_list timer;
518 struct xfrm_mark mark;
519 struct xfrm_selector selector;
520 struct xfrm_lifetime_cfg lft;
521 struct xfrm_lifetime_cur curlft;
522 struct xfrm_policy_walk_entry walk;
523 struct xfrm_policy_queue polq;
530 struct xfrm_sec_ctx *security;
531 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
532 struct hlist_node bydst_inexact_list;
536 static inline struct net *xp_net(const struct xfrm_policy *xp)
538 return read_pnet(&xp->xp_net);
541 struct xfrm_kmaddress {
542 xfrm_address_t local;
543 xfrm_address_t remote;
548 struct xfrm_migrate {
549 xfrm_address_t old_daddr;
550 xfrm_address_t old_saddr;
551 xfrm_address_t new_daddr;
552 xfrm_address_t new_saddr;
561 #define XFRM_KM_TIMEOUT 30
563 #define XFRM_REPLAY_UPDATE XFRM_AE_CR
564 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
566 /* default aevent timeout in units of 100ms */
567 #define XFRM_AE_ETIME 10
568 /* Async Event timer multiplier */
569 #define XFRM_AE_ETH_M 10
570 /* default seq threshold size */
571 #define XFRM_AE_SEQT_SIZE 2
574 struct list_head list;
575 int (*notify)(struct xfrm_state *x, const struct km_event *c);
576 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
577 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
578 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
579 int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
580 int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
581 int (*migrate)(const struct xfrm_selector *sel,
583 const struct xfrm_migrate *m,
585 const struct xfrm_kmaddress *k,
586 const struct xfrm_encap_tmpl *encap);
587 bool (*is_alive)(const struct km_event *c);
590 int xfrm_register_km(struct xfrm_mgr *km);
591 int xfrm_unregister_km(struct xfrm_mgr *km);
593 struct xfrm_tunnel_skb_cb {
595 struct inet_skb_parm h4;
596 struct inet6_skb_parm h6;
600 struct ip_tunnel *ip4;
605 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
608 * This structure is used for the duration where packets are being
609 * transformed by IPsec. As soon as the packet leaves IPsec the
610 * area beyond the generic IP part may be overwritten.
613 struct xfrm_tunnel_skb_cb header;
615 /* Sequence number for replay protection. */
628 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
631 * This structure is used by the afinfo prepare_input/prepare_output functions
632 * to transmit header information to the mode input/output functions.
634 struct xfrm_mode_skb_cb {
635 struct xfrm_tunnel_skb_cb header;
637 /* Copied from header for IPv4, always set to zero and DF for IPv6. */
641 /* IP header length (excluding options or extension headers). */
644 /* TOS for IPv4, class for IPv6. */
647 /* TTL for IPv4, hop limitfor IPv6. */
650 /* Protocol for IPv4, NH for IPv6. */
653 /* Option length for IPv4, zero for IPv6. */
656 /* Used by IPv6 only, zero for IPv4. */
660 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
663 * This structure is used by the input processing to locate the SPI and
664 * related information.
666 struct xfrm_spi_skb_cb {
667 struct xfrm_tunnel_skb_cb header;
669 unsigned int daddroff;
674 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
676 #ifdef CONFIG_AUDITSYSCALL
677 static inline struct audit_buffer *xfrm_audit_start(const char *op)
679 struct audit_buffer *audit_buf = NULL;
681 if (audit_enabled == AUDIT_OFF)
683 audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
684 AUDIT_MAC_IPSEC_EVENT);
685 if (audit_buf == NULL)
687 audit_log_format(audit_buf, "op=%s", op);
691 static inline void xfrm_audit_helper_usrinfo(bool task_valid,
692 struct audit_buffer *audit_buf)
694 const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
695 audit_get_loginuid(current) :
697 const unsigned int ses = task_valid ? audit_get_sessionid(current) :
700 audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
701 audit_log_task_context(audit_buf);
704 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
705 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
707 void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
708 void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
709 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
710 struct sk_buff *skb);
711 void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
713 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
714 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi,
716 void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
720 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
725 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
730 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
735 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
740 static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
745 static inline void xfrm_audit_state_replay(struct xfrm_state *x,
746 struct sk_buff *skb, __be32 net_seq)
750 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
755 static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
756 __be32 net_spi, __be32 net_seq)
760 static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
761 struct sk_buff *skb, u8 proto)
764 #endif /* CONFIG_AUDITSYSCALL */
766 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
768 if (likely(policy != NULL))
769 refcount_inc(&policy->refcnt);
772 void xfrm_policy_destroy(struct xfrm_policy *policy);
774 static inline void xfrm_pol_put(struct xfrm_policy *policy)
776 if (refcount_dec_and_test(&policy->refcnt))
777 xfrm_policy_destroy(policy);
780 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
783 for (i = npols - 1; i >= 0; --i)
784 xfrm_pol_put(pols[i]);
787 void __xfrm_state_destroy(struct xfrm_state *, bool);
789 static inline void __xfrm_state_put(struct xfrm_state *x)
791 refcount_dec(&x->refcnt);
794 static inline void xfrm_state_put(struct xfrm_state *x)
796 if (refcount_dec_and_test(&x->refcnt))
797 __xfrm_state_destroy(x, false);
800 static inline void xfrm_state_put_sync(struct xfrm_state *x)
802 if (refcount_dec_and_test(&x->refcnt))
803 __xfrm_state_destroy(x, true);
806 static inline void xfrm_state_hold(struct xfrm_state *x)
808 refcount_inc(&x->refcnt);
811 static inline bool addr_match(const void *token1, const void *token2,
812 unsigned int prefixlen)
814 const __be32 *a1 = token1;
815 const __be32 *a2 = token2;
819 pdw = prefixlen >> 5; /* num of whole u32 in prefix */
820 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
823 if (memcmp(a1, a2, pdw << 2))
829 mask = htonl((0xffffffff) << (32 - pbi));
831 if ((a1[pdw] ^ a2[pdw]) & mask)
838 static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
840 /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
841 if (sizeof(long) == 4 && prefixlen == 0)
843 return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen)));
847 __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
850 switch(fl->flowi_proto) {
853 case IPPROTO_UDPLITE:
855 port = uli->ports.sport;
859 port = htons(uli->icmpt.type);
862 port = htons(uli->mht.type);
865 port = htons(ntohl(uli->gre_key) >> 16);
874 __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
877 switch(fl->flowi_proto) {
880 case IPPROTO_UDPLITE:
882 port = uli->ports.dport;
886 port = htons(uli->icmpt.code);
889 port = htons(ntohl(uli->gre_key) & 0xffff);
897 bool xfrm_selector_match(const struct xfrm_selector *sel,
898 const struct flowi *fl, unsigned short family);
900 #ifdef CONFIG_SECURITY_NETWORK_XFRM
901 /* If neither has a context --> match
902 * Otherwise, both must have a context and the sids, doi, alg must match
904 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
906 return ((!s1 && !s2) ||
908 (s1->ctx_sid == s2->ctx_sid) &&
909 (s1->ctx_doi == s2->ctx_doi) &&
910 (s1->ctx_alg == s2->ctx_alg)));
913 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
919 /* A struct encoding bundle of transformations to apply to some set of flow.
921 * xdst->child points to the next element of bundle.
922 * dst->xfrm points to an instanse of transformer.
924 * Due to unfortunate limitations of current routing cache, which we
925 * have no time to fix, it mirrors struct rtable and bound to the same
926 * routing key, including saddr,daddr. However, we can have many of
927 * bundles differing by session id. All the bundles grow from a parent
932 struct dst_entry dst;
936 struct dst_entry *route;
937 struct dst_entry *child;
938 struct dst_entry *path;
939 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
940 int num_pols, num_xfrms;
943 u32 route_mtu_cached;
944 u32 child_mtu_cached;
949 static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst)
952 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
953 const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst;
958 return (struct dst_entry *) dst;
961 static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst)
964 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
965 struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
973 static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child)
978 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
980 xfrm_pols_put(xdst->pols, xdst->num_pols);
981 dst_release(xdst->route);
982 if (likely(xdst->u.dst.xfrm))
983 xfrm_state_put(xdst->u.dst.xfrm);
987 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
989 struct xfrm_if_parms {
990 int link; /* ifindex of underlying L2 interface */
991 u32 if_id; /* interface identifyer */
995 struct xfrm_if __rcu *next; /* next interface in list */
996 struct net_device *dev; /* virtual device associated with interface */
997 struct net *net; /* netns for packet i/o */
998 struct xfrm_if_parms p; /* interface parms */
1000 struct gro_cells gro_cells;
1003 struct xfrm_offload {
1004 /* Output sequence number for replay protection on offloading. */
1011 #define SA_DELETE_REQ 1
1012 #define CRYPTO_DONE 2
1013 #define CRYPTO_NEXT_DONE 4
1014 #define CRYPTO_FALLBACK 8
1015 #define XFRM_GSO_SEGMENT 16
1017 #define XFRM_ESP_NO_TRAILER 64
1018 #define XFRM_DEV_RESUME 128
1019 #define XFRM_XMIT 256
1022 #define CRYPTO_SUCCESS 1
1023 #define CRYPTO_GENERIC_ERROR 2
1024 #define CRYPTO_TRANSPORT_AH_AUTH_FAILED 4
1025 #define CRYPTO_TRANSPORT_ESP_AUTH_FAILED 8
1026 #define CRYPTO_TUNNEL_AH_AUTH_FAILED 16
1027 #define CRYPTO_TUNNEL_ESP_AUTH_FAILED 32
1028 #define CRYPTO_INVALID_PACKET_SYNTAX 64
1029 #define CRYPTO_INVALID_PROTOCOL 128
1038 struct xfrm_state *xvec[XFRM_MAX_DEPTH];
1039 struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH];
1042 struct sec_path *secpath_set(struct sk_buff *skb);
1045 secpath_reset(struct sk_buff *skb)
1048 skb_ext_del(skb, SKB_EXT_SEC_PATH);
1053 xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1057 return addr->a4 == 0;
1059 return ipv6_addr_any(&addr->in6);
1065 __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1067 return (tmpl->saddr.a4 &&
1068 tmpl->saddr.a4 != x->props.saddr.a4);
1072 __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1074 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1075 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1079 xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1083 return __xfrm4_state_addr_cmp(tmpl, x);
1085 return __xfrm6_state_addr_cmp(tmpl, x);
1091 int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
1092 unsigned short family);
1094 static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1095 struct sk_buff *skb,
1096 unsigned int family, int reverse)
1098 struct net *net = dev_net(skb->dev);
1099 int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1101 if (sk && sk->sk_policy[XFRM_POLICY_IN])
1102 return __xfrm_policy_check(sk, ndir, skb, family);
1104 return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
1105 (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
1106 __xfrm_policy_check(sk, ndir, skb, family);
1109 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1111 return __xfrm_policy_check2(sk, dir, skb, family, 0);
1114 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1116 return xfrm_policy_check(sk, dir, skb, AF_INET);
1119 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1121 return xfrm_policy_check(sk, dir, skb, AF_INET6);
1124 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1125 struct sk_buff *skb)
1127 return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1130 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1131 struct sk_buff *skb)
1133 return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1136 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1137 unsigned int family, int reverse);
1139 static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1140 unsigned int family)
1142 return __xfrm_decode_session(skb, fl, family, 0);
1145 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1147 unsigned int family)
1149 return __xfrm_decode_session(skb, fl, family, 1);
1152 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1154 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1156 struct net *net = dev_net(skb->dev);
1158 return !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
1159 (skb_dst(skb)->flags & DST_NOXFRM) ||
1160 __xfrm_route_forward(skb, family);
1163 static inline int xfrm4_route_forward(struct sk_buff *skb)
1165 return xfrm_route_forward(skb, AF_INET);
1168 static inline int xfrm6_route_forward(struct sk_buff *skb)
1170 return xfrm_route_forward(skb, AF_INET6);
1173 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk);
1175 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
1177 sk->sk_policy[0] = NULL;
1178 sk->sk_policy[1] = NULL;
1179 if (unlikely(osk->sk_policy[0] || osk->sk_policy[1]))
1180 return __xfrm_sk_clone_policy(sk, osk);
1184 int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1186 static inline void xfrm_sk_free_policy(struct sock *sk)
1188 struct xfrm_policy *pol;
1190 pol = rcu_dereference_protected(sk->sk_policy[0], 1);
1191 if (unlikely(pol != NULL)) {
1192 xfrm_policy_delete(pol, XFRM_POLICY_MAX);
1193 sk->sk_policy[0] = NULL;
1195 pol = rcu_dereference_protected(sk->sk_policy[1], 1);
1196 if (unlikely(pol != NULL)) {
1197 xfrm_policy_delete(pol, XFRM_POLICY_MAX+1);
1198 sk->sk_policy[1] = NULL;
1204 static inline void xfrm_sk_free_policy(struct sock *sk) {}
1205 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; }
1206 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
1207 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
1208 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1212 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1216 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1220 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1222 unsigned int family)
1226 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1227 struct sk_buff *skb)
1231 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1232 struct sk_buff *skb)
1239 xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1243 return (xfrm_address_t *)&fl->u.ip4.daddr;
1245 return (xfrm_address_t *)&fl->u.ip6.daddr;
1251 xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1255 return (xfrm_address_t *)&fl->u.ip4.saddr;
1257 return (xfrm_address_t *)&fl->u.ip6.saddr;
1263 void xfrm_flowi_addr_get(const struct flowi *fl,
1264 xfrm_address_t *saddr, xfrm_address_t *daddr,
1265 unsigned short family)
1269 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1270 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1273 saddr->in6 = fl->u.ip6.saddr;
1274 daddr->in6 = fl->u.ip6.daddr;
1279 static __inline__ int
1280 __xfrm4_state_addr_check(const struct xfrm_state *x,
1281 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1283 if (daddr->a4 == x->id.daddr.a4 &&
1284 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1289 static __inline__ int
1290 __xfrm6_state_addr_check(const struct xfrm_state *x,
1291 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1293 if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1294 (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
1295 ipv6_addr_any((struct in6_addr *)saddr) ||
1296 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1301 static __inline__ int
1302 xfrm_state_addr_check(const struct xfrm_state *x,
1303 const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1304 unsigned short family)
1308 return __xfrm4_state_addr_check(x, daddr, saddr);
1310 return __xfrm6_state_addr_check(x, daddr, saddr);
1315 static __inline__ int
1316 xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1317 unsigned short family)
1321 return __xfrm4_state_addr_check(x,
1322 (const xfrm_address_t *)&fl->u.ip4.daddr,
1323 (const xfrm_address_t *)&fl->u.ip4.saddr);
1325 return __xfrm6_state_addr_check(x,
1326 (const xfrm_address_t *)&fl->u.ip6.daddr,
1327 (const xfrm_address_t *)&fl->u.ip6.saddr);
1332 static inline int xfrm_state_kern(const struct xfrm_state *x)
1334 return atomic_read(&x->tunnel_users);
1337 static inline bool xfrm_id_proto_valid(u8 proto)
1343 #if IS_ENABLED(CONFIG_IPV6)
1344 case IPPROTO_ROUTING:
1345 case IPPROTO_DSTOPTS:
1353 /* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */
1354 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1356 return (!userproto || proto == userproto ||
1357 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1358 proto == IPPROTO_ESP ||
1359 proto == IPPROTO_COMP)));
1363 * xfrm algorithm information
1365 struct xfrm_algo_aead_info {
1370 struct xfrm_algo_auth_info {
1375 struct xfrm_algo_encr_info {
1381 struct xfrm_algo_comp_info {
1385 struct xfrm_algo_desc {
1389 u8 pfkey_supported:1;
1391 struct xfrm_algo_aead_info aead;
1392 struct xfrm_algo_auth_info auth;
1393 struct xfrm_algo_encr_info encr;
1394 struct xfrm_algo_comp_info comp;
1396 struct sadb_alg desc;
1399 /* XFRM protocol handlers. */
1400 struct xfrm4_protocol {
1401 int (*handler)(struct sk_buff *skb);
1402 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1404 int (*cb_handler)(struct sk_buff *skb, int err);
1405 int (*err_handler)(struct sk_buff *skb, u32 info);
1407 struct xfrm4_protocol __rcu *next;
1411 struct xfrm6_protocol {
1412 int (*handler)(struct sk_buff *skb);
1413 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1415 int (*cb_handler)(struct sk_buff *skb, int err);
1416 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1417 u8 type, u8 code, int offset, __be32 info);
1419 struct xfrm6_protocol __rcu *next;
1423 /* XFRM tunnel handlers. */
1424 struct xfrm_tunnel {
1425 int (*handler)(struct sk_buff *skb);
1426 int (*cb_handler)(struct sk_buff *skb, int err);
1427 int (*err_handler)(struct sk_buff *skb, u32 info);
1429 struct xfrm_tunnel __rcu *next;
1433 struct xfrm6_tunnel {
1434 int (*handler)(struct sk_buff *skb);
1435 int (*cb_handler)(struct sk_buff *skb, int err);
1436 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1437 u8 type, u8 code, int offset, __be32 info);
1438 struct xfrm6_tunnel __rcu *next;
1442 void xfrm_init(void);
1443 void xfrm4_init(void);
1444 int xfrm_state_init(struct net *net);
1445 void xfrm_state_fini(struct net *net);
1446 void xfrm4_state_init(void);
1447 void xfrm4_protocol_init(void);
1449 int xfrm6_init(void);
1450 void xfrm6_fini(void);
1451 int xfrm6_state_init(void);
1452 void xfrm6_state_fini(void);
1453 int xfrm6_protocol_init(void);
1454 void xfrm6_protocol_fini(void);
1456 static inline int xfrm6_init(void)
1460 static inline void xfrm6_fini(void)
1466 #ifdef CONFIG_XFRM_STATISTICS
1467 int xfrm_proc_init(struct net *net);
1468 void xfrm_proc_fini(struct net *net);
1471 int xfrm_sysctl_init(struct net *net);
1472 #ifdef CONFIG_SYSCTL
1473 void xfrm_sysctl_fini(struct net *net);
1475 static inline void xfrm_sysctl_fini(struct net *net)
1480 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
1481 struct xfrm_address_filter *filter);
1482 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1483 int (*func)(struct xfrm_state *, int, void*), void *);
1484 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
1485 struct xfrm_state *xfrm_state_alloc(struct net *net);
1486 void xfrm_state_free(struct xfrm_state *x);
1487 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1488 const xfrm_address_t *saddr,
1489 const struct flowi *fl,
1490 struct xfrm_tmpl *tmpl,
1491 struct xfrm_policy *pol, int *err,
1492 unsigned short family, u32 if_id);
1493 struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id,
1494 xfrm_address_t *daddr,
1495 xfrm_address_t *saddr,
1496 unsigned short family,
1497 u8 mode, u8 proto, u32 reqid);
1498 struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1499 unsigned short family);
1500 int xfrm_state_check_expire(struct xfrm_state *x);
1501 void xfrm_state_insert(struct xfrm_state *x);
1502 int xfrm_state_add(struct xfrm_state *x);
1503 int xfrm_state_update(struct xfrm_state *x);
1504 struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1505 const xfrm_address_t *daddr, __be32 spi,
1506 u8 proto, unsigned short family);
1507 struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1508 const xfrm_address_t *daddr,
1509 const xfrm_address_t *saddr,
1511 unsigned short family);
1512 #ifdef CONFIG_XFRM_SUB_POLICY
1513 void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1514 unsigned short family);
1515 void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1516 unsigned short family);
1518 static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s,
1519 int n, unsigned short family)
1523 static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s,
1524 int n, unsigned short family)
1529 struct xfrmk_sadinfo {
1530 u32 sadhcnt; /* current hash bkts */
1531 u32 sadhmcnt; /* max allowed hash bkts */
1532 u32 sadcnt; /* current running count */
1535 struct xfrmk_spdinfo {
1546 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
1547 int xfrm_state_delete(struct xfrm_state *x);
1548 int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
1549 int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
1550 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1551 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1552 u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1553 int xfrm_init_replay(struct xfrm_state *x);
1554 u32 xfrm_state_mtu(struct xfrm_state *x, int mtu);
1555 int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload);
1556 int xfrm_init_state(struct xfrm_state *x);
1557 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
1558 int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1559 int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
1560 int (*finish)(struct net *, struct sock *,
1562 int xfrm_trans_queue(struct sk_buff *skb,
1563 int (*finish)(struct net *, struct sock *,
1565 int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err);
1566 int xfrm_output(struct sock *sk, struct sk_buff *skb);
1568 #if IS_ENABLED(CONFIG_NET_PKTGEN)
1569 int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb);
1572 void xfrm_local_error(struct sk_buff *skb, int mtu);
1573 int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1574 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1576 int xfrm4_transport_finish(struct sk_buff *skb, int async);
1577 int xfrm4_rcv(struct sk_buff *skb);
1578 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1580 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1582 XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
1583 XFRM_SPI_SKB_CB(skb)->family = AF_INET;
1584 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
1585 return xfrm_input(skb, nexthdr, spi, 0);
1588 int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1589 int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);
1590 int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);
1591 int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1592 int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1593 void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
1594 int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1595 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
1597 int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1599 int xfrm6_transport_finish(struct sk_buff *skb, int async);
1600 int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t);
1601 int xfrm6_rcv(struct sk_buff *skb);
1602 int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1603 xfrm_address_t *saddr, u8 proto);
1604 void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
1605 int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);
1606 int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);
1607 int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1608 int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1609 __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1610 __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1611 int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1614 void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu);
1615 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1616 int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1617 int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval,
1620 static inline int xfrm_user_policy(struct sock *sk, int optname,
1621 sockptr_t optval, int optlen)
1623 return -ENOPROTOOPT;
1627 struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
1628 const xfrm_address_t *saddr,
1629 const xfrm_address_t *daddr,
1630 int family, u32 mark);
1632 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1634 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1635 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1636 int (*func)(struct xfrm_policy *, int, int, void*),
1638 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1639 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1640 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net,
1641 const struct xfrm_mark *mark,
1642 u32 if_id, u8 type, int dir,
1643 struct xfrm_selector *sel,
1644 struct xfrm_sec_ctx *ctx, int delete,
1646 struct xfrm_policy *xfrm_policy_byid(struct net *net,
1647 const struct xfrm_mark *mark, u32 if_id,
1648 u8 type, int dir, u32 id, int delete,
1650 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
1651 void xfrm_policy_hash_rebuild(struct net *net);
1652 u32 xfrm_get_acqseq(void);
1653 int verify_spi_info(u8 proto, u32 min, u32 max);
1654 int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1655 struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
1656 u8 mode, u32 reqid, u32 if_id, u8 proto,
1657 const xfrm_address_t *daddr,
1658 const xfrm_address_t *saddr, int create,
1659 unsigned short family);
1660 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1662 #ifdef CONFIG_XFRM_MIGRATE
1663 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1664 const struct xfrm_migrate *m, int num_bundles,
1665 const struct xfrm_kmaddress *k,
1666 const struct xfrm_encap_tmpl *encap);
1667 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net);
1668 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
1669 struct xfrm_migrate *m,
1670 struct xfrm_encap_tmpl *encap);
1671 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1672 struct xfrm_migrate *m, int num_bundles,
1673 struct xfrm_kmaddress *k, struct net *net,
1674 struct xfrm_encap_tmpl *encap);
1677 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1678 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1679 int km_report(struct net *net, u8 proto, struct xfrm_selector *sel,
1680 xfrm_address_t *addr);
1682 void xfrm_input_init(void);
1683 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1685 void xfrm_probe_algs(void);
1686 int xfrm_count_pfkey_auth_supported(void);
1687 int xfrm_count_pfkey_enc_supported(void);
1688 struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1689 struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1690 struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1691 struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1692 struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1693 struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1694 struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1695 struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1696 struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1699 static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1700 const xfrm_address_t *b)
1702 return ipv6_addr_equal((const struct in6_addr *)a,
1703 (const struct in6_addr *)b);
1706 static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1707 const xfrm_address_t *b,
1713 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1715 return xfrm6_addr_equal(a, b);
1719 static inline int xfrm_policy_id2dir(u32 index)
1725 void xfrm_replay_notify(struct xfrm_state *x, int event);
1727 static inline int xfrm_aevent_is_on(struct net *net)
1733 nlsk = rcu_dereference(net->xfrm.nlsk);
1735 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1740 static inline int xfrm_acquire_is_on(struct net *net)
1746 nlsk = rcu_dereference(net->xfrm.nlsk);
1748 ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE);
1755 static inline unsigned int aead_len(struct xfrm_algo_aead *alg)
1757 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1760 static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg)
1762 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1765 static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1767 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1770 static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1772 return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1775 #ifdef CONFIG_XFRM_MIGRATE
1776 static inline int xfrm_replay_clone(struct xfrm_state *x,
1777 struct xfrm_state *orig)
1780 x->replay_esn = kmemdup(orig->replay_esn,
1781 xfrm_replay_state_esn_len(orig->replay_esn),
1785 x->preplay_esn = kmemdup(orig->preplay_esn,
1786 xfrm_replay_state_esn_len(orig->preplay_esn),
1788 if (!x->preplay_esn)
1794 static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig)
1796 return kmemdup(orig, aead_len(orig), GFP_KERNEL);
1800 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1802 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1805 static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1807 return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1810 static inline void xfrm_states_put(struct xfrm_state **states, int n)
1813 for (i = 0; i < n; i++)
1814 xfrm_state_put(*(states + i));
1817 static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1820 for (i = 0; i < n; i++)
1821 xfrm_state_delete(*(states + i));
1826 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1828 struct sec_path *sp = skb_sec_path(skb);
1830 return sp->xvec[sp->len - 1];
1834 static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
1837 struct sec_path *sp = skb_sec_path(skb);
1839 if (!sp || !sp->olen || sp->len != sp->olen)
1842 return &sp->ovec[sp->olen - 1];
1848 void __init xfrm_dev_init(void);
1850 #ifdef CONFIG_XFRM_OFFLOAD
1851 void xfrm_dev_resume(struct sk_buff *skb);
1852 void xfrm_dev_backlog(struct softnet_data *sd);
1853 struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again);
1854 int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
1855 struct xfrm_user_offload *xuo);
1856 bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
1858 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1860 struct xfrm_state_offload *xso = &x->xso;
1862 if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn)
1863 xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
1866 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1868 struct xfrm_state *x = dst->xfrm;
1869 struct xfrm_dst *xdst;
1871 if (!x || !x->type_offload)
1874 xdst = (struct xfrm_dst *) dst;
1875 if (!x->xso.offload_handle && !xdst->child->xfrm)
1877 if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) &&
1884 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1886 struct xfrm_state_offload *xso = &x->xso;
1889 xso->dev->xfrmdev_ops->xdo_dev_state_delete(x);
1892 static inline void xfrm_dev_state_free(struct xfrm_state *x)
1894 struct xfrm_state_offload *xso = &x->xso;
1895 struct net_device *dev = xso->dev;
1897 if (dev && dev->xfrmdev_ops) {
1898 if (dev->xfrmdev_ops->xdo_dev_state_free)
1899 dev->xfrmdev_ops->xdo_dev_state_free(x);
1905 static inline void xfrm_dev_resume(struct sk_buff *skb)
1909 static inline void xfrm_dev_backlog(struct softnet_data *sd)
1913 static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
1918 static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo)
1923 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1927 static inline void xfrm_dev_state_free(struct xfrm_state *x)
1931 static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
1936 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1940 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1946 static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
1948 if (attrs[XFRMA_MARK])
1949 memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
1956 static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
1961 ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
1965 static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x)
1967 struct xfrm_mark *m = &x->props.smark;
1969 return (m->v & m->m) | (mark & ~m->m);
1972 static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id)
1977 ret = nla_put_u32(skb, XFRMA_IF_ID, if_id);
1981 static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
1982 unsigned int family)
1984 bool tunnel = false;
1988 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
1992 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
1996 if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL))
2002 extern const int xfrm_msg_min[XFRM_NR_MSGTYPES];
2003 extern const struct nla_policy xfrma_policy[XFRMA_MAX+1];
2005 struct xfrm_translator {
2006 /* Allocate frag_list and put compat translation there */
2007 int (*alloc_compat)(struct sk_buff *skb, const struct nlmsghdr *src);
2009 /* Allocate nlmsg with 64-bit translaton of received 32-bit message */
2010 struct nlmsghdr *(*rcv_msg_compat)(const struct nlmsghdr *nlh,
2011 int maxtype, const struct nla_policy *policy,
2012 struct netlink_ext_ack *extack);
2014 /* Translate 32-bit user_policy from sockptr */
2015 int (*xlate_user_policy_sockptr)(u8 **pdata32, int optlen);
2017 struct module *owner;
2020 #if IS_ENABLED(CONFIG_XFRM_USER_COMPAT)
2021 extern int xfrm_register_translator(struct xfrm_translator *xtr);
2022 extern int xfrm_unregister_translator(struct xfrm_translator *xtr);
2023 extern struct xfrm_translator *xfrm_get_translator(void);
2024 extern void xfrm_put_translator(struct xfrm_translator *xtr);
2026 static inline struct xfrm_translator *xfrm_get_translator(void)
2030 static inline void xfrm_put_translator(struct xfrm_translator *xtr)
2035 #if IS_ENABLED(CONFIG_IPV6)
2036 static inline bool xfrm6_local_dontfrag(const struct sock *sk)
2040 if (!sk || sk->sk_family != AF_INET6)
2043 proto = sk->sk_protocol;
2044 if (proto == IPPROTO_UDP || proto == IPPROTO_RAW)
2045 return inet6_sk(sk)->dontfrag;
2050 #endif /* _NET_XFRM_H */