1 /* SPDX-License-Identifier: GPL-2.0 */
5 #include <linux/compiler.h>
6 #include <linux/xfrm.h>
7 #include <linux/spinlock.h>
8 #include <linux/list.h>
9 #include <linux/skbuff.h>
10 #include <linux/socket.h>
11 #include <linux/pfkeyv2.h>
12 #include <linux/ipsec.h>
13 #include <linux/in6.h>
14 #include <linux/mutex.h>
15 #include <linux/audit.h>
16 #include <linux/slab.h>
17 #include <linux/refcount.h>
18 #include <linux/sockptr.h>
23 #include <net/route.h>
25 #include <net/ip6_fib.h>
27 #include <net/gro_cells.h>
29 #include <linux/interrupt.h>
31 #ifdef CONFIG_XFRM_STATISTICS
35 #define XFRM_PROTO_ESP 50
36 #define XFRM_PROTO_AH 51
37 #define XFRM_PROTO_COMP 108
38 #define XFRM_PROTO_IPIP 4
39 #define XFRM_PROTO_IPV6 41
40 #define XFRM_PROTO_ROUTING IPPROTO_ROUTING
41 #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS
43 #define XFRM_ALIGN4(len) (((len) + 3) & ~3)
44 #define XFRM_ALIGN8(len) (((len) + 7) & ~7)
45 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
46 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
47 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
48 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
49 #define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \
50 MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto))
52 #ifdef CONFIG_XFRM_STATISTICS
53 #define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
55 #define XFRM_INC_STATS(net, field) ((void)(net))
59 /* Organization of SPD aka "XFRM rules"
60 ------------------------------------
63 - policy rule, struct xfrm_policy (=SPD entry)
64 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
65 - instance of a transformer, struct xfrm_state (=SA)
66 - template to clone xfrm_state, struct xfrm_tmpl
68 SPD is plain linear list of xfrm_policy rules, ordered by priority.
69 (To be compatible with existing pfkeyv2 implementations,
70 many rules with priority of 0x7fffffff are allowed to exist and
71 such rules are ordered in an unpredictable way, thanks to bsd folks.)
73 Lookup is plain linear search until the first match with selector.
75 If "action" is "block", then we prohibit the flow, otherwise:
76 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
77 policy entry has list of up to XFRM_MAX_DEPTH transformations,
78 described by templates xfrm_tmpl. Each template is resolved
79 to a complete xfrm_state (see below) and we pack bundle of transformations
80 to a dst_entry returned to requestor.
82 dst -. xfrm .-> xfrm_state #1
83 |---. child .-> dst -. xfrm .-> xfrm_state #2
84 |---. child .-> dst -. xfrm .-> xfrm_state #3
87 Bundles are cached at xrfm_policy struct (field ->bundles).
90 Resolution of xrfm_tmpl
91 -----------------------
93 1. ->mode Mode: transport or tunnel
94 2. ->id.proto Protocol: AH/ESP/IPCOMP
95 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
96 Q: allow to resolve security gateway?
97 4. ->id.spi If not zero, static SPI.
98 5. ->saddr Local tunnel endpoint, ignored for transport mode.
99 6. ->algos List of allowed algos. Plain bitmask now.
100 Q: ealgos, aalgos, calgos. What a mess...
101 7. ->share Sharing mode.
102 Q: how to implement private sharing mode? To add struct sock* to
105 Having this template we search through SAD searching for entries
106 with appropriate mode/proto/algo, permitted by selector.
107 If no appropriate entry found, it is requested from key manager.
110 Q: How to find all the bundles referring to a physical path for
111 PMTU discovery? Seems, dst should contain list of all parents...
112 and enter to infinite locking hierarchy disaster.
113 No! It is easier, we will not search for them, let them find us.
114 We add genid to each dst plus pointer to genid of raw IP route,
115 pmtu disc will update pmtu on raw IP route and increase its genid.
116 dst_check() will see this for top level and trigger resyncing
117 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
120 struct xfrm_state_walk {
121 struct list_head all;
126 struct xfrm_address_filter *filter;
129 struct xfrm_state_offload {
130 struct net_device *dev;
131 struct net_device *real_dev;
132 unsigned long offload_handle;
133 unsigned int num_exthdrs;
143 /* Flags for xfrm_mode. */
145 XFRM_MODE_FLAG_TUNNEL = 1,
148 enum xfrm_replay_mode {
149 XFRM_REPLAY_MODE_LEGACY,
150 XFRM_REPLAY_MODE_BMP,
151 XFRM_REPLAY_MODE_ESN,
154 /* Full description of state of transformer. */
156 possible_net_t xs_net;
158 struct hlist_node gclist;
159 struct hlist_node bydst;
161 struct hlist_node bysrc;
162 struct hlist_node byspi;
163 struct hlist_node byseq;
169 struct xfrm_selector sel;
170 struct xfrm_mark mark;
176 /* Key manager bits */
177 struct xfrm_state_walk km;
179 /* Parameters of this state. */
184 u8 aalgo, ealgo, calgo;
187 xfrm_address_t saddr;
191 struct xfrm_mark smark;
194 struct xfrm_lifetime_cfg lft;
196 /* Data for transformer */
197 struct xfrm_algo_auth *aalg;
198 struct xfrm_algo *ealg;
199 struct xfrm_algo *calg;
200 struct xfrm_algo_aead *aead;
203 /* mapping change rate limiting */
204 __be16 new_mapping_sport;
205 u32 new_mapping; /* seconds */
206 u32 mapping_maxage; /* seconds for input SA */
208 /* Data for encapsulator */
209 struct xfrm_encap_tmpl *encap;
210 struct sock __rcu *encap_sk;
212 /* Data for care-of address */
213 xfrm_address_t *coaddr;
215 /* IPComp needs an IPIP tunnel for handling uncompressed packets */
216 struct xfrm_state *tunnel;
218 /* If a tunnel, number of users + 1 */
219 atomic_t tunnel_users;
221 /* State for replay detection */
222 struct xfrm_replay_state replay;
223 struct xfrm_replay_state_esn *replay_esn;
225 /* Replay detection state at the time we sent the last notification */
226 struct xfrm_replay_state preplay;
227 struct xfrm_replay_state_esn *preplay_esn;
229 /* replay detection mode */
230 enum xfrm_replay_mode repl_mode;
231 /* internal flag that only holds state for delayed aevent at the
236 /* Replay detection notification settings */
240 /* Replay detection notification timer */
241 struct timer_list rtimer;
244 struct xfrm_stats stats;
246 struct xfrm_lifetime_cur curlft;
247 struct hrtimer mtimer;
249 struct xfrm_state_offload xso;
251 /* used to fix curlft->add_time when changing date */
257 struct page_frag xfrag;
259 /* Reference to data common to all the instances of this
261 const struct xfrm_type *type;
262 struct xfrm_mode inner_mode;
263 struct xfrm_mode inner_mode_iaf;
264 struct xfrm_mode outer_mode;
266 const struct xfrm_type_offload *type_offload;
268 /* Security context */
269 struct xfrm_sec_ctx *security;
271 /* Private data of this transformer, format is opaque,
272 * interpreted by xfrm_type methods. */
276 static inline struct net *xs_net(struct xfrm_state *x)
278 return read_pnet(&x->xs_net);
281 /* xflags - make enum if more show up */
282 #define XFRM_TIME_DEFER 1
283 #define XFRM_SOFT_EXPIRE 2
294 /* callback structure passed from either netlink or pfkey */
311 struct xfrm_if *(*decode_session)(struct sk_buff *skb,
312 unsigned short family);
315 void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb);
316 void xfrm_if_unregister_cb(void);
321 struct xfrm_policy_afinfo {
322 struct dst_ops *dst_ops;
323 struct dst_entry *(*dst_lookup)(struct net *net,
325 const xfrm_address_t *saddr,
326 const xfrm_address_t *daddr,
328 int (*get_saddr)(struct net *net, int oif,
329 xfrm_address_t *saddr,
330 xfrm_address_t *daddr,
332 int (*fill_dst)(struct xfrm_dst *xdst,
333 struct net_device *dev,
334 const struct flowi *fl);
335 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
338 int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family);
339 void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo);
340 void km_policy_notify(struct xfrm_policy *xp, int dir,
341 const struct km_event *c);
342 void km_state_notify(struct xfrm_state *x, const struct km_event *c);
345 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t,
346 struct xfrm_policy *pol);
347 void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
348 int __xfrm_state_delete(struct xfrm_state *x);
350 struct xfrm_state_afinfo {
354 const struct xfrm_type_offload *type_offload_esp;
356 const struct xfrm_type *type_esp;
357 const struct xfrm_type *type_ipip;
358 const struct xfrm_type *type_ipip6;
359 const struct xfrm_type *type_comp;
360 const struct xfrm_type *type_ah;
361 const struct xfrm_type *type_routing;
362 const struct xfrm_type *type_dstopts;
364 int (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
365 int (*transport_finish)(struct sk_buff *skb,
367 void (*local_error)(struct sk_buff *skb, u32 mtu);
370 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
371 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
372 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
373 struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family);
375 struct xfrm_input_afinfo {
378 int (*callback)(struct sk_buff *skb, u8 protocol,
382 int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
383 int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
385 void xfrm_flush_gc(void);
386 void xfrm_state_delete_tunnel(struct xfrm_state *x);
389 struct module *owner;
392 #define XFRM_TYPE_NON_FRAGMENT 1
393 #define XFRM_TYPE_REPLAY_PROT 2
394 #define XFRM_TYPE_LOCAL_COADDR 4
395 #define XFRM_TYPE_REMOTE_COADDR 8
397 int (*init_state)(struct xfrm_state *x);
398 void (*destructor)(struct xfrm_state *);
399 int (*input)(struct xfrm_state *, struct sk_buff *skb);
400 int (*output)(struct xfrm_state *, struct sk_buff *pskb);
401 int (*reject)(struct xfrm_state *, struct sk_buff *,
402 const struct flowi *);
405 int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
406 void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
408 struct xfrm_type_offload {
409 struct module *owner;
411 void (*encap)(struct xfrm_state *, struct sk_buff *pskb);
412 int (*input_tail)(struct xfrm_state *x, struct sk_buff *skb);
413 int (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features);
416 int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);
417 void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);
419 static inline int xfrm_af2proto(unsigned int family)
431 static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
433 if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
434 (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
435 return &x->inner_mode;
437 return &x->inner_mode_iaf;
441 /* id in template is interpreted as:
442 * daddr - destination of tunnel, may be zero for transport mode.
443 * spi - zero to acquire spi. Not zero if spi is static, then
444 * daddr must be fixed too.
445 * proto - AH/ESP/IPCOMP
449 /* Source address of tunnel. Ignored, if it is not a tunnel. */
450 xfrm_address_t saddr;
452 unsigned short encap_family;
456 /* Mode: transport, tunnel etc. */
459 /* Sharing mode: unique, this session only, this user only etc. */
462 /* May skip this transfomration if no SA is found */
465 /* Skip aalgos/ealgos/calgos checks. */
468 /* Bit mask of algos allowed for acquisition */
474 #define XFRM_MAX_DEPTH 6
475 #define XFRM_MAX_OFFLOAD_DEPTH 1
477 struct xfrm_policy_walk_entry {
478 struct list_head all;
482 struct xfrm_policy_walk {
483 struct xfrm_policy_walk_entry walk;
488 struct xfrm_policy_queue {
489 struct sk_buff_head hold_queue;
490 struct timer_list hold_timer;
491 unsigned long timeout;
495 possible_net_t xp_net;
496 struct hlist_node bydst;
497 struct hlist_node byidx;
499 /* This lock only affects elements except for entry. */
503 struct timer_list timer;
509 struct xfrm_mark mark;
510 struct xfrm_selector selector;
511 struct xfrm_lifetime_cfg lft;
512 struct xfrm_lifetime_cur curlft;
513 struct xfrm_policy_walk_entry walk;
514 struct xfrm_policy_queue polq;
521 struct xfrm_sec_ctx *security;
522 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
523 struct hlist_node bydst_inexact_list;
527 static inline struct net *xp_net(const struct xfrm_policy *xp)
529 return read_pnet(&xp->xp_net);
532 struct xfrm_kmaddress {
533 xfrm_address_t local;
534 xfrm_address_t remote;
539 struct xfrm_migrate {
540 xfrm_address_t old_daddr;
541 xfrm_address_t old_saddr;
542 xfrm_address_t new_daddr;
543 xfrm_address_t new_saddr;
552 #define XFRM_KM_TIMEOUT 30
554 #define XFRM_REPLAY_UPDATE XFRM_AE_CR
555 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
557 /* default aevent timeout in units of 100ms */
558 #define XFRM_AE_ETIME 10
559 /* Async Event timer multiplier */
560 #define XFRM_AE_ETH_M 10
561 /* default seq threshold size */
562 #define XFRM_AE_SEQT_SIZE 2
565 struct list_head list;
566 int (*notify)(struct xfrm_state *x, const struct km_event *c);
567 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
568 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
569 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
570 int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
571 int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
572 int (*migrate)(const struct xfrm_selector *sel,
574 const struct xfrm_migrate *m,
576 const struct xfrm_kmaddress *k,
577 const struct xfrm_encap_tmpl *encap);
578 bool (*is_alive)(const struct km_event *c);
581 int xfrm_register_km(struct xfrm_mgr *km);
582 int xfrm_unregister_km(struct xfrm_mgr *km);
584 struct xfrm_tunnel_skb_cb {
586 struct inet_skb_parm h4;
587 struct inet6_skb_parm h6;
591 struct ip_tunnel *ip4;
596 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
599 * This structure is used for the duration where packets are being
600 * transformed by IPsec. As soon as the packet leaves IPsec the
601 * area beyond the generic IP part may be overwritten.
604 struct xfrm_tunnel_skb_cb header;
606 /* Sequence number for replay protection. */
619 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
622 * This structure is used by the afinfo prepare_input/prepare_output functions
623 * to transmit header information to the mode input/output functions.
625 struct xfrm_mode_skb_cb {
626 struct xfrm_tunnel_skb_cb header;
628 /* Copied from header for IPv4, always set to zero and DF for IPv6. */
632 /* IP header length (excluding options or extension headers). */
635 /* TOS for IPv4, class for IPv6. */
638 /* TTL for IPv4, hop limitfor IPv6. */
641 /* Protocol for IPv4, NH for IPv6. */
644 /* Option length for IPv4, zero for IPv6. */
647 /* Used by IPv6 only, zero for IPv4. */
651 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
654 * This structure is used by the input processing to locate the SPI and
655 * related information.
657 struct xfrm_spi_skb_cb {
658 struct xfrm_tunnel_skb_cb header;
660 unsigned int daddroff;
665 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
667 #ifdef CONFIG_AUDITSYSCALL
668 static inline struct audit_buffer *xfrm_audit_start(const char *op)
670 struct audit_buffer *audit_buf = NULL;
672 if (audit_enabled == AUDIT_OFF)
674 audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
675 AUDIT_MAC_IPSEC_EVENT);
676 if (audit_buf == NULL)
678 audit_log_format(audit_buf, "op=%s", op);
682 static inline void xfrm_audit_helper_usrinfo(bool task_valid,
683 struct audit_buffer *audit_buf)
685 const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
686 audit_get_loginuid(current) :
688 const unsigned int ses = task_valid ? audit_get_sessionid(current) :
691 audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
692 audit_log_task_context(audit_buf);
695 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
696 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
698 void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
699 void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
700 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
701 struct sk_buff *skb);
702 void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
704 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
705 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi,
707 void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
711 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
716 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
721 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
726 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
731 static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
736 static inline void xfrm_audit_state_replay(struct xfrm_state *x,
737 struct sk_buff *skb, __be32 net_seq)
741 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
746 static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
747 __be32 net_spi, __be32 net_seq)
751 static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
752 struct sk_buff *skb, u8 proto)
755 #endif /* CONFIG_AUDITSYSCALL */
757 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
759 if (likely(policy != NULL))
760 refcount_inc(&policy->refcnt);
763 void xfrm_policy_destroy(struct xfrm_policy *policy);
765 static inline void xfrm_pol_put(struct xfrm_policy *policy)
767 if (refcount_dec_and_test(&policy->refcnt))
768 xfrm_policy_destroy(policy);
771 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
774 for (i = npols - 1; i >= 0; --i)
775 xfrm_pol_put(pols[i]);
778 void __xfrm_state_destroy(struct xfrm_state *, bool);
780 static inline void __xfrm_state_put(struct xfrm_state *x)
782 refcount_dec(&x->refcnt);
785 static inline void xfrm_state_put(struct xfrm_state *x)
787 if (refcount_dec_and_test(&x->refcnt))
788 __xfrm_state_destroy(x, false);
791 static inline void xfrm_state_put_sync(struct xfrm_state *x)
793 if (refcount_dec_and_test(&x->refcnt))
794 __xfrm_state_destroy(x, true);
797 static inline void xfrm_state_hold(struct xfrm_state *x)
799 refcount_inc(&x->refcnt);
802 static inline bool addr_match(const void *token1, const void *token2,
803 unsigned int prefixlen)
805 const __be32 *a1 = token1;
806 const __be32 *a2 = token2;
810 pdw = prefixlen >> 5; /* num of whole u32 in prefix */
811 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
814 if (memcmp(a1, a2, pdw << 2))
820 mask = htonl((0xffffffff) << (32 - pbi));
822 if ((a1[pdw] ^ a2[pdw]) & mask)
829 static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
831 /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
832 if (sizeof(long) == 4 && prefixlen == 0)
834 return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen)));
838 __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
841 switch(fl->flowi_proto) {
844 case IPPROTO_UDPLITE:
846 port = uli->ports.sport;
850 port = htons(uli->icmpt.type);
853 port = htons(uli->mht.type);
856 port = htons(ntohl(uli->gre_key) >> 16);
865 __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
868 switch(fl->flowi_proto) {
871 case IPPROTO_UDPLITE:
873 port = uli->ports.dport;
877 port = htons(uli->icmpt.code);
880 port = htons(ntohl(uli->gre_key) & 0xffff);
888 bool xfrm_selector_match(const struct xfrm_selector *sel,
889 const struct flowi *fl, unsigned short family);
891 #ifdef CONFIG_SECURITY_NETWORK_XFRM
892 /* If neither has a context --> match
893 * Otherwise, both must have a context and the sids, doi, alg must match
895 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
897 return ((!s1 && !s2) ||
899 (s1->ctx_sid == s2->ctx_sid) &&
900 (s1->ctx_doi == s2->ctx_doi) &&
901 (s1->ctx_alg == s2->ctx_alg)));
904 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
910 /* A struct encoding bundle of transformations to apply to some set of flow.
912 * xdst->child points to the next element of bundle.
913 * dst->xfrm points to an instanse of transformer.
915 * Due to unfortunate limitations of current routing cache, which we
916 * have no time to fix, it mirrors struct rtable and bound to the same
917 * routing key, including saddr,daddr. However, we can have many of
918 * bundles differing by session id. All the bundles grow from a parent
923 struct dst_entry dst;
927 struct dst_entry *route;
928 struct dst_entry *child;
929 struct dst_entry *path;
930 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
931 int num_pols, num_xfrms;
934 u32 route_mtu_cached;
935 u32 child_mtu_cached;
940 static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst)
943 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
944 const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst;
949 return (struct dst_entry *) dst;
952 static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst)
955 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
956 struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
964 static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child)
969 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
971 xfrm_pols_put(xdst->pols, xdst->num_pols);
972 dst_release(xdst->route);
973 if (likely(xdst->u.dst.xfrm))
974 xfrm_state_put(xdst->u.dst.xfrm);
978 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
980 struct xfrm_if_parms {
981 int link; /* ifindex of underlying L2 interface */
982 u32 if_id; /* interface identifyer */
986 struct xfrm_if __rcu *next; /* next interface in list */
987 struct net_device *dev; /* virtual device associated with interface */
988 struct net *net; /* netns for packet i/o */
989 struct xfrm_if_parms p; /* interface parms */
991 struct gro_cells gro_cells;
994 struct xfrm_offload {
995 /* Output sequence number for replay protection on offloading. */
1002 #define SA_DELETE_REQ 1
1003 #define CRYPTO_DONE 2
1004 #define CRYPTO_NEXT_DONE 4
1005 #define CRYPTO_FALLBACK 8
1006 #define XFRM_GSO_SEGMENT 16
1008 #define XFRM_ESP_NO_TRAILER 64
1009 #define XFRM_DEV_RESUME 128
1010 #define XFRM_XMIT 256
1013 #define CRYPTO_SUCCESS 1
1014 #define CRYPTO_GENERIC_ERROR 2
1015 #define CRYPTO_TRANSPORT_AH_AUTH_FAILED 4
1016 #define CRYPTO_TRANSPORT_ESP_AUTH_FAILED 8
1017 #define CRYPTO_TUNNEL_AH_AUTH_FAILED 16
1018 #define CRYPTO_TUNNEL_ESP_AUTH_FAILED 32
1019 #define CRYPTO_INVALID_PACKET_SYNTAX 64
1020 #define CRYPTO_INVALID_PROTOCOL 128
1030 struct xfrm_state *xvec[XFRM_MAX_DEPTH];
1031 struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH];
1034 struct sec_path *secpath_set(struct sk_buff *skb);
1037 secpath_reset(struct sk_buff *skb)
1040 skb_ext_del(skb, SKB_EXT_SEC_PATH);
1045 xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1049 return addr->a4 == 0;
1051 return ipv6_addr_any(&addr->in6);
1057 __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1059 return (tmpl->saddr.a4 &&
1060 tmpl->saddr.a4 != x->props.saddr.a4);
1064 __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1066 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1067 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1071 xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1075 return __xfrm4_state_addr_cmp(tmpl, x);
1077 return __xfrm6_state_addr_cmp(tmpl, x);
1084 xfrm_default_allow(struct net *net, int dir)
1086 u8 def = net->xfrm.policy_default;
1089 case XFRM_POLICY_IN:
1090 return def & XFRM_POL_DEFAULT_IN ? false : true;
1091 case XFRM_POLICY_OUT:
1092 return def & XFRM_POL_DEFAULT_OUT ? false : true;
1093 case XFRM_POLICY_FWD:
1094 return def & XFRM_POL_DEFAULT_FWD ? false : true;
1099 int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
1100 unsigned short family);
1102 static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1103 struct sk_buff *skb,
1104 unsigned int family, int reverse)
1106 struct net *net = dev_net(skb->dev);
1107 int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1109 if (sk && sk->sk_policy[XFRM_POLICY_IN])
1110 return __xfrm_policy_check(sk, ndir, skb, family);
1112 if (xfrm_default_allow(net, dir))
1113 return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
1114 (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
1115 __xfrm_policy_check(sk, ndir, skb, family);
1117 return (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
1118 __xfrm_policy_check(sk, ndir, skb, family);
1121 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1123 return __xfrm_policy_check2(sk, dir, skb, family, 0);
1126 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1128 return xfrm_policy_check(sk, dir, skb, AF_INET);
1131 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1133 return xfrm_policy_check(sk, dir, skb, AF_INET6);
1136 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1137 struct sk_buff *skb)
1139 return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1142 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1143 struct sk_buff *skb)
1145 return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1148 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1149 unsigned int family, int reverse);
1151 static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1152 unsigned int family)
1154 return __xfrm_decode_session(skb, fl, family, 0);
1157 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1159 unsigned int family)
1161 return __xfrm_decode_session(skb, fl, family, 1);
1164 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1166 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1168 struct net *net = dev_net(skb->dev);
1170 if (xfrm_default_allow(net, XFRM_POLICY_FWD))
1171 return !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
1172 (skb_dst(skb)->flags & DST_NOXFRM) ||
1173 __xfrm_route_forward(skb, family);
1175 return (skb_dst(skb)->flags & DST_NOXFRM) ||
1176 __xfrm_route_forward(skb, family);
1179 static inline int xfrm4_route_forward(struct sk_buff *skb)
1181 return xfrm_route_forward(skb, AF_INET);
1184 static inline int xfrm6_route_forward(struct sk_buff *skb)
1186 return xfrm_route_forward(skb, AF_INET6);
1189 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk);
1191 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
1193 sk->sk_policy[0] = NULL;
1194 sk->sk_policy[1] = NULL;
1195 if (unlikely(osk->sk_policy[0] || osk->sk_policy[1]))
1196 return __xfrm_sk_clone_policy(sk, osk);
1200 int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1202 static inline void xfrm_sk_free_policy(struct sock *sk)
1204 struct xfrm_policy *pol;
1206 pol = rcu_dereference_protected(sk->sk_policy[0], 1);
1207 if (unlikely(pol != NULL)) {
1208 xfrm_policy_delete(pol, XFRM_POLICY_MAX);
1209 sk->sk_policy[0] = NULL;
1211 pol = rcu_dereference_protected(sk->sk_policy[1], 1);
1212 if (unlikely(pol != NULL)) {
1213 xfrm_policy_delete(pol, XFRM_POLICY_MAX+1);
1214 sk->sk_policy[1] = NULL;
1220 static inline void xfrm_sk_free_policy(struct sock *sk) {}
1221 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; }
1222 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
1223 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
1224 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1228 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1232 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1236 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1238 unsigned int family)
1242 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1243 struct sk_buff *skb)
1247 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1248 struct sk_buff *skb)
1255 xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1259 return (xfrm_address_t *)&fl->u.ip4.daddr;
1261 return (xfrm_address_t *)&fl->u.ip6.daddr;
1267 xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1271 return (xfrm_address_t *)&fl->u.ip4.saddr;
1273 return (xfrm_address_t *)&fl->u.ip6.saddr;
1279 void xfrm_flowi_addr_get(const struct flowi *fl,
1280 xfrm_address_t *saddr, xfrm_address_t *daddr,
1281 unsigned short family)
1285 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1286 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1289 saddr->in6 = fl->u.ip6.saddr;
1290 daddr->in6 = fl->u.ip6.daddr;
1295 static __inline__ int
1296 __xfrm4_state_addr_check(const struct xfrm_state *x,
1297 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1299 if (daddr->a4 == x->id.daddr.a4 &&
1300 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1305 static __inline__ int
1306 __xfrm6_state_addr_check(const struct xfrm_state *x,
1307 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1309 if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1310 (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
1311 ipv6_addr_any((struct in6_addr *)saddr) ||
1312 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1317 static __inline__ int
1318 xfrm_state_addr_check(const struct xfrm_state *x,
1319 const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1320 unsigned short family)
1324 return __xfrm4_state_addr_check(x, daddr, saddr);
1326 return __xfrm6_state_addr_check(x, daddr, saddr);
1331 static __inline__ int
1332 xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1333 unsigned short family)
1337 return __xfrm4_state_addr_check(x,
1338 (const xfrm_address_t *)&fl->u.ip4.daddr,
1339 (const xfrm_address_t *)&fl->u.ip4.saddr);
1341 return __xfrm6_state_addr_check(x,
1342 (const xfrm_address_t *)&fl->u.ip6.daddr,
1343 (const xfrm_address_t *)&fl->u.ip6.saddr);
1348 static inline int xfrm_state_kern(const struct xfrm_state *x)
1350 return atomic_read(&x->tunnel_users);
1353 static inline bool xfrm_id_proto_valid(u8 proto)
1359 #if IS_ENABLED(CONFIG_IPV6)
1360 case IPPROTO_ROUTING:
1361 case IPPROTO_DSTOPTS:
1369 /* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */
1370 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1372 return (!userproto || proto == userproto ||
1373 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1374 proto == IPPROTO_ESP ||
1375 proto == IPPROTO_COMP)));
1379 * xfrm algorithm information
1381 struct xfrm_algo_aead_info {
1386 struct xfrm_algo_auth_info {
1391 struct xfrm_algo_encr_info {
1397 struct xfrm_algo_comp_info {
1401 struct xfrm_algo_desc {
1405 u8 pfkey_supported:1;
1407 struct xfrm_algo_aead_info aead;
1408 struct xfrm_algo_auth_info auth;
1409 struct xfrm_algo_encr_info encr;
1410 struct xfrm_algo_comp_info comp;
1412 struct sadb_alg desc;
1415 /* XFRM protocol handlers. */
1416 struct xfrm4_protocol {
1417 int (*handler)(struct sk_buff *skb);
1418 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1420 int (*cb_handler)(struct sk_buff *skb, int err);
1421 int (*err_handler)(struct sk_buff *skb, u32 info);
1423 struct xfrm4_protocol __rcu *next;
1427 struct xfrm6_protocol {
1428 int (*handler)(struct sk_buff *skb);
1429 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1431 int (*cb_handler)(struct sk_buff *skb, int err);
1432 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1433 u8 type, u8 code, int offset, __be32 info);
1435 struct xfrm6_protocol __rcu *next;
1439 /* XFRM tunnel handlers. */
1440 struct xfrm_tunnel {
1441 int (*handler)(struct sk_buff *skb);
1442 int (*cb_handler)(struct sk_buff *skb, int err);
1443 int (*err_handler)(struct sk_buff *skb, u32 info);
1445 struct xfrm_tunnel __rcu *next;
1449 struct xfrm6_tunnel {
1450 int (*handler)(struct sk_buff *skb);
1451 int (*cb_handler)(struct sk_buff *skb, int err);
1452 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1453 u8 type, u8 code, int offset, __be32 info);
1454 struct xfrm6_tunnel __rcu *next;
1458 void xfrm_init(void);
1459 void xfrm4_init(void);
1460 int xfrm_state_init(struct net *net);
1461 void xfrm_state_fini(struct net *net);
1462 void xfrm4_state_init(void);
1463 void xfrm4_protocol_init(void);
1465 int xfrm6_init(void);
1466 void xfrm6_fini(void);
1467 int xfrm6_state_init(void);
1468 void xfrm6_state_fini(void);
1469 int xfrm6_protocol_init(void);
1470 void xfrm6_protocol_fini(void);
1472 static inline int xfrm6_init(void)
1476 static inline void xfrm6_fini(void)
1482 #ifdef CONFIG_XFRM_STATISTICS
1483 int xfrm_proc_init(struct net *net);
1484 void xfrm_proc_fini(struct net *net);
1487 int xfrm_sysctl_init(struct net *net);
1488 #ifdef CONFIG_SYSCTL
1489 void xfrm_sysctl_fini(struct net *net);
1491 static inline void xfrm_sysctl_fini(struct net *net)
1496 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
1497 struct xfrm_address_filter *filter);
1498 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1499 int (*func)(struct xfrm_state *, int, void*), void *);
1500 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
1501 struct xfrm_state *xfrm_state_alloc(struct net *net);
1502 void xfrm_state_free(struct xfrm_state *x);
1503 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1504 const xfrm_address_t *saddr,
1505 const struct flowi *fl,
1506 struct xfrm_tmpl *tmpl,
1507 struct xfrm_policy *pol, int *err,
1508 unsigned short family, u32 if_id);
1509 struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id,
1510 xfrm_address_t *daddr,
1511 xfrm_address_t *saddr,
1512 unsigned short family,
1513 u8 mode, u8 proto, u32 reqid);
1514 struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1515 unsigned short family);
1516 int xfrm_state_check_expire(struct xfrm_state *x);
1517 void xfrm_state_insert(struct xfrm_state *x);
1518 int xfrm_state_add(struct xfrm_state *x);
1519 int xfrm_state_update(struct xfrm_state *x);
1520 struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1521 const xfrm_address_t *daddr, __be32 spi,
1522 u8 proto, unsigned short family);
1523 struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1524 const xfrm_address_t *daddr,
1525 const xfrm_address_t *saddr,
1527 unsigned short family);
1528 #ifdef CONFIG_XFRM_SUB_POLICY
1529 void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1530 unsigned short family);
1531 void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1532 unsigned short family);
1534 static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s,
1535 int n, unsigned short family)
1539 static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s,
1540 int n, unsigned short family)
1545 struct xfrmk_sadinfo {
1546 u32 sadhcnt; /* current hash bkts */
1547 u32 sadhmcnt; /* max allowed hash bkts */
1548 u32 sadcnt; /* current running count */
1551 struct xfrmk_spdinfo {
1562 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
1563 int xfrm_state_delete(struct xfrm_state *x);
1564 int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
1565 int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
1566 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1567 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1568 u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1569 int xfrm_init_replay(struct xfrm_state *x);
1570 u32 __xfrm_state_mtu(struct xfrm_state *x, int mtu);
1571 u32 xfrm_state_mtu(struct xfrm_state *x, int mtu);
1572 int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload);
1573 int xfrm_init_state(struct xfrm_state *x);
1574 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
1575 int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1576 int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
1577 int (*finish)(struct net *, struct sock *,
1579 int xfrm_trans_queue(struct sk_buff *skb,
1580 int (*finish)(struct net *, struct sock *,
1582 int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err);
1583 int xfrm_output(struct sock *sk, struct sk_buff *skb);
1585 #if IS_ENABLED(CONFIG_NET_PKTGEN)
1586 int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb);
1589 void xfrm_local_error(struct sk_buff *skb, int mtu);
1590 int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1591 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1593 int xfrm4_transport_finish(struct sk_buff *skb, int async);
1594 int xfrm4_rcv(struct sk_buff *skb);
1596 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1598 XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
1599 XFRM_SPI_SKB_CB(skb)->family = AF_INET;
1600 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
1601 return xfrm_input(skb, nexthdr, spi, 0);
1604 int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1605 int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);
1606 int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);
1607 int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1608 int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1609 void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
1610 int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1611 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
1613 int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1615 int xfrm6_transport_finish(struct sk_buff *skb, int async);
1616 int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t);
1617 int xfrm6_rcv(struct sk_buff *skb);
1618 int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1619 xfrm_address_t *saddr, u8 proto);
1620 void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
1621 int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);
1622 int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);
1623 int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1624 int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1625 __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1626 __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1627 int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1630 void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu);
1631 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1632 int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1633 int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval,
1636 static inline int xfrm_user_policy(struct sock *sk, int optname,
1637 sockptr_t optval, int optlen)
1639 return -ENOPROTOOPT;
1643 struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
1644 const xfrm_address_t *saddr,
1645 const xfrm_address_t *daddr,
1646 int family, u32 mark);
1648 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1650 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1651 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1652 int (*func)(struct xfrm_policy *, int, int, void*),
1654 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1655 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1656 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net,
1657 const struct xfrm_mark *mark,
1658 u32 if_id, u8 type, int dir,
1659 struct xfrm_selector *sel,
1660 struct xfrm_sec_ctx *ctx, int delete,
1662 struct xfrm_policy *xfrm_policy_byid(struct net *net,
1663 const struct xfrm_mark *mark, u32 if_id,
1664 u8 type, int dir, u32 id, int delete,
1666 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
1667 void xfrm_policy_hash_rebuild(struct net *net);
1668 u32 xfrm_get_acqseq(void);
1669 int verify_spi_info(u8 proto, u32 min, u32 max);
1670 int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1671 struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
1672 u8 mode, u32 reqid, u32 if_id, u8 proto,
1673 const xfrm_address_t *daddr,
1674 const xfrm_address_t *saddr, int create,
1675 unsigned short family);
1676 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1678 #ifdef CONFIG_XFRM_MIGRATE
1679 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1680 const struct xfrm_migrate *m, int num_bundles,
1681 const struct xfrm_kmaddress *k,
1682 const struct xfrm_encap_tmpl *encap);
1683 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net);
1684 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
1685 struct xfrm_migrate *m,
1686 struct xfrm_encap_tmpl *encap);
1687 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1688 struct xfrm_migrate *m, int num_bundles,
1689 struct xfrm_kmaddress *k, struct net *net,
1690 struct xfrm_encap_tmpl *encap);
1693 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1694 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1695 int km_report(struct net *net, u8 proto, struct xfrm_selector *sel,
1696 xfrm_address_t *addr);
1698 void xfrm_input_init(void);
1699 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1701 void xfrm_probe_algs(void);
1702 int xfrm_count_pfkey_auth_supported(void);
1703 int xfrm_count_pfkey_enc_supported(void);
1704 struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1705 struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1706 struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1707 struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1708 struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1709 struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1710 struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1711 struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1712 struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1715 static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1716 const xfrm_address_t *b)
1718 return ipv6_addr_equal((const struct in6_addr *)a,
1719 (const struct in6_addr *)b);
1722 static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1723 const xfrm_address_t *b,
1729 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1731 return xfrm6_addr_equal(a, b);
1735 static inline int xfrm_policy_id2dir(u32 index)
1741 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq);
1742 int xfrm_replay_check(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
1743 void xfrm_replay_notify(struct xfrm_state *x, int event);
1744 int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb);
1745 int xfrm_replay_recheck(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
1747 static inline int xfrm_aevent_is_on(struct net *net)
1753 nlsk = rcu_dereference(net->xfrm.nlsk);
1755 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1760 static inline int xfrm_acquire_is_on(struct net *net)
1766 nlsk = rcu_dereference(net->xfrm.nlsk);
1768 ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE);
1775 static inline unsigned int aead_len(struct xfrm_algo_aead *alg)
1777 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1780 static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg)
1782 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1785 static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1787 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1790 static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1792 return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1795 #ifdef CONFIG_XFRM_MIGRATE
1796 static inline int xfrm_replay_clone(struct xfrm_state *x,
1797 struct xfrm_state *orig)
1800 x->replay_esn = kmemdup(orig->replay_esn,
1801 xfrm_replay_state_esn_len(orig->replay_esn),
1805 x->preplay_esn = kmemdup(orig->preplay_esn,
1806 xfrm_replay_state_esn_len(orig->preplay_esn),
1808 if (!x->preplay_esn)
1814 static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig)
1816 return kmemdup(orig, aead_len(orig), GFP_KERNEL);
1820 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1822 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1825 static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1827 return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1830 static inline void xfrm_states_put(struct xfrm_state **states, int n)
1833 for (i = 0; i < n; i++)
1834 xfrm_state_put(*(states + i));
1837 static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1840 for (i = 0; i < n; i++)
1841 xfrm_state_delete(*(states + i));
1846 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1848 struct sec_path *sp = skb_sec_path(skb);
1850 return sp->xvec[sp->len - 1];
1854 static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
1857 struct sec_path *sp = skb_sec_path(skb);
1859 if (!sp || !sp->olen || sp->len != sp->olen)
1862 return &sp->ovec[sp->olen - 1];
1868 void __init xfrm_dev_init(void);
1870 #ifdef CONFIG_XFRM_OFFLOAD
1871 void xfrm_dev_resume(struct sk_buff *skb);
1872 void xfrm_dev_backlog(struct softnet_data *sd);
1873 struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again);
1874 int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
1875 struct xfrm_user_offload *xuo);
1876 bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
1878 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1880 struct xfrm_state_offload *xso = &x->xso;
1882 if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn)
1883 xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
1886 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1888 struct xfrm_state *x = dst->xfrm;
1889 struct xfrm_dst *xdst;
1891 if (!x || !x->type_offload)
1894 xdst = (struct xfrm_dst *) dst;
1895 if (!x->xso.offload_handle && !xdst->child->xfrm)
1897 if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) &&
1904 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1906 struct xfrm_state_offload *xso = &x->xso;
1909 xso->dev->xfrmdev_ops->xdo_dev_state_delete(x);
1912 static inline void xfrm_dev_state_free(struct xfrm_state *x)
1914 struct xfrm_state_offload *xso = &x->xso;
1915 struct net_device *dev = xso->dev;
1917 if (dev && dev->xfrmdev_ops) {
1918 if (dev->xfrmdev_ops->xdo_dev_state_free)
1919 dev->xfrmdev_ops->xdo_dev_state_free(x);
1925 static inline void xfrm_dev_resume(struct sk_buff *skb)
1929 static inline void xfrm_dev_backlog(struct softnet_data *sd)
1933 static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
1938 static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo)
1943 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1947 static inline void xfrm_dev_state_free(struct xfrm_state *x)
1951 static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
1956 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1960 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1966 static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
1968 if (attrs[XFRMA_MARK])
1969 memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
1976 static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
1981 ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
1985 static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x)
1987 struct xfrm_mark *m = &x->props.smark;
1989 return (m->v & m->m) | (mark & ~m->m);
1992 static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id)
1997 ret = nla_put_u32(skb, XFRMA_IF_ID, if_id);
2001 static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
2002 unsigned int family)
2004 bool tunnel = false;
2008 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
2012 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
2016 if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL))
2022 extern const int xfrm_msg_min[XFRM_NR_MSGTYPES];
2023 extern const struct nla_policy xfrma_policy[XFRMA_MAX+1];
2025 struct xfrm_translator {
2026 /* Allocate frag_list and put compat translation there */
2027 int (*alloc_compat)(struct sk_buff *skb, const struct nlmsghdr *src);
2029 /* Allocate nlmsg with 64-bit translaton of received 32-bit message */
2030 struct nlmsghdr *(*rcv_msg_compat)(const struct nlmsghdr *nlh,
2031 int maxtype, const struct nla_policy *policy,
2032 struct netlink_ext_ack *extack);
2034 /* Translate 32-bit user_policy from sockptr */
2035 int (*xlate_user_policy_sockptr)(u8 **pdata32, int optlen);
2037 struct module *owner;
2040 #if IS_ENABLED(CONFIG_XFRM_USER_COMPAT)
2041 extern int xfrm_register_translator(struct xfrm_translator *xtr);
2042 extern int xfrm_unregister_translator(struct xfrm_translator *xtr);
2043 extern struct xfrm_translator *xfrm_get_translator(void);
2044 extern void xfrm_put_translator(struct xfrm_translator *xtr);
2046 static inline struct xfrm_translator *xfrm_get_translator(void)
2050 static inline void xfrm_put_translator(struct xfrm_translator *xtr)
2055 #if IS_ENABLED(CONFIG_IPV6)
2056 static inline bool xfrm6_local_dontfrag(const struct sock *sk)
2060 if (!sk || sk->sk_family != AF_INET6)
2063 proto = sk->sk_protocol;
2064 if (proto == IPPROTO_UDP || proto == IPPROTO_RAW)
2065 return inet6_sk(sk)->dontfrag;
2070 #endif /* _NET_XFRM_H */