1 /* SPDX-License-Identifier: GPL-2.0 */
5 #include <linux/compiler.h>
6 #include <linux/xfrm.h>
7 #include <linux/spinlock.h>
8 #include <linux/list.h>
9 #include <linux/skbuff.h>
10 #include <linux/socket.h>
11 #include <linux/pfkeyv2.h>
12 #include <linux/ipsec.h>
13 #include <linux/in6.h>
14 #include <linux/mutex.h>
15 #include <linux/audit.h>
16 #include <linux/slab.h>
17 #include <linux/refcount.h>
18 #include <linux/sockptr.h>
23 #include <net/route.h>
25 #include <net/ip6_fib.h>
27 #include <net/gro_cells.h>
29 #include <linux/interrupt.h>
31 #ifdef CONFIG_XFRM_STATISTICS
35 #define XFRM_PROTO_ESP 50
36 #define XFRM_PROTO_AH 51
37 #define XFRM_PROTO_COMP 108
38 #define XFRM_PROTO_IPIP 4
39 #define XFRM_PROTO_IPV6 41
40 #define XFRM_PROTO_ROUTING IPPROTO_ROUTING
41 #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS
43 #define XFRM_ALIGN4(len) (((len) + 3) & ~3)
44 #define XFRM_ALIGN8(len) (((len) + 7) & ~7)
45 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
46 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
47 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
48 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
49 #define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \
50 MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto))
52 #ifdef CONFIG_XFRM_STATISTICS
53 #define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
55 #define XFRM_INC_STATS(net, field) ((void)(net))
59 /* Organization of SPD aka "XFRM rules"
60 ------------------------------------
63 - policy rule, struct xfrm_policy (=SPD entry)
64 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
65 - instance of a transformer, struct xfrm_state (=SA)
66 - template to clone xfrm_state, struct xfrm_tmpl
68 SPD is plain linear list of xfrm_policy rules, ordered by priority.
69 (To be compatible with existing pfkeyv2 implementations,
70 many rules with priority of 0x7fffffff are allowed to exist and
71 such rules are ordered in an unpredictable way, thanks to bsd folks.)
73 Lookup is plain linear search until the first match with selector.
75 If "action" is "block", then we prohibit the flow, otherwise:
76 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
77 policy entry has list of up to XFRM_MAX_DEPTH transformations,
78 described by templates xfrm_tmpl. Each template is resolved
79 to a complete xfrm_state (see below) and we pack bundle of transformations
80 to a dst_entry returned to requestor.
82 dst -. xfrm .-> xfrm_state #1
83 |---. child .-> dst -. xfrm .-> xfrm_state #2
84 |---. child .-> dst -. xfrm .-> xfrm_state #3
87 Bundles are cached at xrfm_policy struct (field ->bundles).
90 Resolution of xrfm_tmpl
91 -----------------------
93 1. ->mode Mode: transport or tunnel
94 2. ->id.proto Protocol: AH/ESP/IPCOMP
95 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
96 Q: allow to resolve security gateway?
97 4. ->id.spi If not zero, static SPI.
98 5. ->saddr Local tunnel endpoint, ignored for transport mode.
99 6. ->algos List of allowed algos. Plain bitmask now.
100 Q: ealgos, aalgos, calgos. What a mess...
101 7. ->share Sharing mode.
102 Q: how to implement private sharing mode? To add struct sock* to
105 Having this template we search through SAD searching for entries
106 with appropriate mode/proto/algo, permitted by selector.
107 If no appropriate entry found, it is requested from key manager.
110 Q: How to find all the bundles referring to a physical path for
111 PMTU discovery? Seems, dst should contain list of all parents...
112 and enter to infinite locking hierarchy disaster.
113 No! It is easier, we will not search for them, let them find us.
114 We add genid to each dst plus pointer to genid of raw IP route,
115 pmtu disc will update pmtu on raw IP route and increase its genid.
116 dst_check() will see this for top level and trigger resyncing
117 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
120 struct xfrm_state_walk {
121 struct list_head all;
126 struct xfrm_address_filter *filter;
130 XFRM_DEV_OFFLOAD_IN = 1,
131 XFRM_DEV_OFFLOAD_OUT,
132 XFRM_DEV_OFFLOAD_FWD,
136 XFRM_DEV_OFFLOAD_UNSPECIFIED,
137 XFRM_DEV_OFFLOAD_CRYPTO,
138 XFRM_DEV_OFFLOAD_PACKET,
141 struct xfrm_dev_offload {
142 struct net_device *dev;
143 netdevice_tracker dev_tracker;
144 struct net_device *real_dev;
145 unsigned long offload_handle;
156 /* Flags for xfrm_mode. */
158 XFRM_MODE_FLAG_TUNNEL = 1,
161 enum xfrm_replay_mode {
162 XFRM_REPLAY_MODE_LEGACY,
163 XFRM_REPLAY_MODE_BMP,
164 XFRM_REPLAY_MODE_ESN,
167 /* Full description of state of transformer. */
169 possible_net_t xs_net;
171 struct hlist_node gclist;
172 struct hlist_node bydst;
174 struct hlist_node bysrc;
175 struct hlist_node byspi;
176 struct hlist_node byseq;
182 struct xfrm_selector sel;
183 struct xfrm_mark mark;
189 /* Key manager bits */
190 struct xfrm_state_walk km;
192 /* Parameters of this state. */
197 u8 aalgo, ealgo, calgo;
200 xfrm_address_t saddr;
204 struct xfrm_mark smark;
207 struct xfrm_lifetime_cfg lft;
209 /* Data for transformer */
210 struct xfrm_algo_auth *aalg;
211 struct xfrm_algo *ealg;
212 struct xfrm_algo *calg;
213 struct xfrm_algo_aead *aead;
216 /* mapping change rate limiting */
217 __be16 new_mapping_sport;
218 u32 new_mapping; /* seconds */
219 u32 mapping_maxage; /* seconds for input SA */
221 /* Data for encapsulator */
222 struct xfrm_encap_tmpl *encap;
223 struct sock __rcu *encap_sk;
225 /* Data for care-of address */
226 xfrm_address_t *coaddr;
228 /* IPComp needs an IPIP tunnel for handling uncompressed packets */
229 struct xfrm_state *tunnel;
231 /* If a tunnel, number of users + 1 */
232 atomic_t tunnel_users;
234 /* State for replay detection */
235 struct xfrm_replay_state replay;
236 struct xfrm_replay_state_esn *replay_esn;
238 /* Replay detection state at the time we sent the last notification */
239 struct xfrm_replay_state preplay;
240 struct xfrm_replay_state_esn *preplay_esn;
242 /* replay detection mode */
243 enum xfrm_replay_mode repl_mode;
244 /* internal flag that only holds state for delayed aevent at the
249 /* Replay detection notification settings */
253 /* Replay detection notification timer */
254 struct timer_list rtimer;
257 struct xfrm_stats stats;
259 struct xfrm_lifetime_cur curlft;
260 struct hrtimer mtimer;
262 struct xfrm_dev_offload xso;
264 /* used to fix curlft->add_time when changing date */
270 struct page_frag xfrag;
272 /* Reference to data common to all the instances of this
274 const struct xfrm_type *type;
275 struct xfrm_mode inner_mode;
276 struct xfrm_mode inner_mode_iaf;
277 struct xfrm_mode outer_mode;
279 const struct xfrm_type_offload *type_offload;
281 /* Security context */
282 struct xfrm_sec_ctx *security;
284 /* Private data of this transformer, format is opaque,
285 * interpreted by xfrm_type methods. */
289 static inline struct net *xs_net(struct xfrm_state *x)
291 return read_pnet(&x->xs_net);
294 /* xflags - make enum if more show up */
295 #define XFRM_TIME_DEFER 1
296 #define XFRM_SOFT_EXPIRE 2
307 /* callback structure passed from either netlink or pfkey */
323 struct xfrm_if_decode_session_result {
329 bool (*decode_session)(struct sk_buff *skb,
330 unsigned short family,
331 struct xfrm_if_decode_session_result *res);
334 void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb);
335 void xfrm_if_unregister_cb(void);
340 struct xfrm_policy_afinfo {
341 struct dst_ops *dst_ops;
342 struct dst_entry *(*dst_lookup)(struct net *net,
344 const xfrm_address_t *saddr,
345 const xfrm_address_t *daddr,
347 int (*get_saddr)(struct net *net, int oif,
348 xfrm_address_t *saddr,
349 xfrm_address_t *daddr,
351 int (*fill_dst)(struct xfrm_dst *xdst,
352 struct net_device *dev,
353 const struct flowi *fl);
354 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
357 int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family);
358 void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo);
359 void km_policy_notify(struct xfrm_policy *xp, int dir,
360 const struct km_event *c);
361 void km_state_notify(struct xfrm_state *x, const struct km_event *c);
364 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t,
365 struct xfrm_policy *pol);
366 void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
367 int __xfrm_state_delete(struct xfrm_state *x);
369 struct xfrm_state_afinfo {
373 const struct xfrm_type_offload *type_offload_esp;
375 const struct xfrm_type *type_esp;
376 const struct xfrm_type *type_ipip;
377 const struct xfrm_type *type_ipip6;
378 const struct xfrm_type *type_comp;
379 const struct xfrm_type *type_ah;
380 const struct xfrm_type *type_routing;
381 const struct xfrm_type *type_dstopts;
383 int (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
384 int (*transport_finish)(struct sk_buff *skb,
386 void (*local_error)(struct sk_buff *skb, u32 mtu);
389 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
390 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
391 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
392 struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family);
394 struct xfrm_input_afinfo {
397 int (*callback)(struct sk_buff *skb, u8 protocol,
401 int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
402 int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
404 void xfrm_flush_gc(void);
405 void xfrm_state_delete_tunnel(struct xfrm_state *x);
408 struct module *owner;
411 #define XFRM_TYPE_NON_FRAGMENT 1
412 #define XFRM_TYPE_REPLAY_PROT 2
413 #define XFRM_TYPE_LOCAL_COADDR 4
414 #define XFRM_TYPE_REMOTE_COADDR 8
416 int (*init_state)(struct xfrm_state *x,
417 struct netlink_ext_ack *extack);
418 void (*destructor)(struct xfrm_state *);
419 int (*input)(struct xfrm_state *, struct sk_buff *skb);
420 int (*output)(struct xfrm_state *, struct sk_buff *pskb);
421 int (*reject)(struct xfrm_state *, struct sk_buff *,
422 const struct flowi *);
425 int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
426 void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
428 struct xfrm_type_offload {
429 struct module *owner;
431 void (*encap)(struct xfrm_state *, struct sk_buff *pskb);
432 int (*input_tail)(struct xfrm_state *x, struct sk_buff *skb);
433 int (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features);
436 int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);
437 void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);
439 static inline int xfrm_af2proto(unsigned int family)
451 static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
453 if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
454 (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
455 return &x->inner_mode;
457 return &x->inner_mode_iaf;
461 /* id in template is interpreted as:
462 * daddr - destination of tunnel, may be zero for transport mode.
463 * spi - zero to acquire spi. Not zero if spi is static, then
464 * daddr must be fixed too.
465 * proto - AH/ESP/IPCOMP
469 /* Source address of tunnel. Ignored, if it is not a tunnel. */
470 xfrm_address_t saddr;
472 unsigned short encap_family;
476 /* Mode: transport, tunnel etc. */
479 /* Sharing mode: unique, this session only, this user only etc. */
482 /* May skip this transfomration if no SA is found */
485 /* Skip aalgos/ealgos/calgos checks. */
488 /* Bit mask of algos allowed for acquisition */
494 #define XFRM_MAX_DEPTH 6
495 #define XFRM_MAX_OFFLOAD_DEPTH 1
497 struct xfrm_policy_walk_entry {
498 struct list_head all;
502 struct xfrm_policy_walk {
503 struct xfrm_policy_walk_entry walk;
508 struct xfrm_policy_queue {
509 struct sk_buff_head hold_queue;
510 struct timer_list hold_timer;
511 unsigned long timeout;
515 possible_net_t xp_net;
516 struct hlist_node bydst;
517 struct hlist_node byidx;
519 /* This lock only affects elements except for entry. */
523 struct timer_list timer;
529 struct xfrm_mark mark;
530 struct xfrm_selector selector;
531 struct xfrm_lifetime_cfg lft;
532 struct xfrm_lifetime_cur curlft;
533 struct xfrm_policy_walk_entry walk;
534 struct xfrm_policy_queue polq;
541 struct xfrm_sec_ctx *security;
542 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
543 struct hlist_node bydst_inexact_list;
546 struct xfrm_dev_offload xdo;
549 static inline struct net *xp_net(const struct xfrm_policy *xp)
551 return read_pnet(&xp->xp_net);
554 struct xfrm_kmaddress {
555 xfrm_address_t local;
556 xfrm_address_t remote;
561 struct xfrm_migrate {
562 xfrm_address_t old_daddr;
563 xfrm_address_t old_saddr;
564 xfrm_address_t new_daddr;
565 xfrm_address_t new_saddr;
574 #define XFRM_KM_TIMEOUT 30
576 #define XFRM_REPLAY_UPDATE XFRM_AE_CR
577 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
579 /* default aevent timeout in units of 100ms */
580 #define XFRM_AE_ETIME 10
581 /* Async Event timer multiplier */
582 #define XFRM_AE_ETH_M 10
583 /* default seq threshold size */
584 #define XFRM_AE_SEQT_SIZE 2
587 struct list_head list;
588 int (*notify)(struct xfrm_state *x, const struct km_event *c);
589 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
590 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
591 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
592 int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
593 int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
594 int (*migrate)(const struct xfrm_selector *sel,
596 const struct xfrm_migrate *m,
598 const struct xfrm_kmaddress *k,
599 const struct xfrm_encap_tmpl *encap);
600 bool (*is_alive)(const struct km_event *c);
603 void xfrm_register_km(struct xfrm_mgr *km);
604 void xfrm_unregister_km(struct xfrm_mgr *km);
606 struct xfrm_tunnel_skb_cb {
608 struct inet_skb_parm h4;
609 struct inet6_skb_parm h6;
613 struct ip_tunnel *ip4;
618 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
621 * This structure is used for the duration where packets are being
622 * transformed by IPsec. As soon as the packet leaves IPsec the
623 * area beyond the generic IP part may be overwritten.
626 struct xfrm_tunnel_skb_cb header;
628 /* Sequence number for replay protection. */
641 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
644 * This structure is used by the afinfo prepare_input/prepare_output functions
645 * to transmit header information to the mode input/output functions.
647 struct xfrm_mode_skb_cb {
648 struct xfrm_tunnel_skb_cb header;
650 /* Copied from header for IPv4, always set to zero and DF for IPv6. */
654 /* IP header length (excluding options or extension headers). */
657 /* TOS for IPv4, class for IPv6. */
660 /* TTL for IPv4, hop limitfor IPv6. */
663 /* Protocol for IPv4, NH for IPv6. */
666 /* Option length for IPv4, zero for IPv6. */
669 /* Used by IPv6 only, zero for IPv4. */
673 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
676 * This structure is used by the input processing to locate the SPI and
677 * related information.
679 struct xfrm_spi_skb_cb {
680 struct xfrm_tunnel_skb_cb header;
682 unsigned int daddroff;
687 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
689 #ifdef CONFIG_AUDITSYSCALL
690 static inline struct audit_buffer *xfrm_audit_start(const char *op)
692 struct audit_buffer *audit_buf = NULL;
694 if (audit_enabled == AUDIT_OFF)
696 audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
697 AUDIT_MAC_IPSEC_EVENT);
698 if (audit_buf == NULL)
700 audit_log_format(audit_buf, "op=%s", op);
704 static inline void xfrm_audit_helper_usrinfo(bool task_valid,
705 struct audit_buffer *audit_buf)
707 const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
708 audit_get_loginuid(current) :
710 const unsigned int ses = task_valid ? audit_get_sessionid(current) :
713 audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
714 audit_log_task_context(audit_buf);
717 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
718 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
720 void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
721 void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
722 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
723 struct sk_buff *skb);
724 void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
726 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
727 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi,
729 void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
733 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
738 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
743 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
748 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
753 static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
758 static inline void xfrm_audit_state_replay(struct xfrm_state *x,
759 struct sk_buff *skb, __be32 net_seq)
763 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
768 static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
769 __be32 net_spi, __be32 net_seq)
773 static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
774 struct sk_buff *skb, u8 proto)
777 #endif /* CONFIG_AUDITSYSCALL */
779 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
781 if (likely(policy != NULL))
782 refcount_inc(&policy->refcnt);
785 void xfrm_policy_destroy(struct xfrm_policy *policy);
787 static inline void xfrm_pol_put(struct xfrm_policy *policy)
789 if (refcount_dec_and_test(&policy->refcnt))
790 xfrm_policy_destroy(policy);
793 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
796 for (i = npols - 1; i >= 0; --i)
797 xfrm_pol_put(pols[i]);
800 void __xfrm_state_destroy(struct xfrm_state *, bool);
802 static inline void __xfrm_state_put(struct xfrm_state *x)
804 refcount_dec(&x->refcnt);
807 static inline void xfrm_state_put(struct xfrm_state *x)
809 if (refcount_dec_and_test(&x->refcnt))
810 __xfrm_state_destroy(x, false);
813 static inline void xfrm_state_put_sync(struct xfrm_state *x)
815 if (refcount_dec_and_test(&x->refcnt))
816 __xfrm_state_destroy(x, true);
819 static inline void xfrm_state_hold(struct xfrm_state *x)
821 refcount_inc(&x->refcnt);
824 static inline bool addr_match(const void *token1, const void *token2,
825 unsigned int prefixlen)
827 const __be32 *a1 = token1;
828 const __be32 *a2 = token2;
832 pdw = prefixlen >> 5; /* num of whole u32 in prefix */
833 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
836 if (memcmp(a1, a2, pdw << 2))
842 mask = htonl((0xffffffff) << (32 - pbi));
844 if ((a1[pdw] ^ a2[pdw]) & mask)
851 static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
853 /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
854 if (sizeof(long) == 4 && prefixlen == 0)
856 return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen)));
860 __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
863 switch(fl->flowi_proto) {
866 case IPPROTO_UDPLITE:
868 port = uli->ports.sport;
872 port = htons(uli->icmpt.type);
875 port = htons(uli->mht.type);
878 port = htons(ntohl(uli->gre_key) >> 16);
887 __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
890 switch(fl->flowi_proto) {
893 case IPPROTO_UDPLITE:
895 port = uli->ports.dport;
899 port = htons(uli->icmpt.code);
902 port = htons(ntohl(uli->gre_key) & 0xffff);
910 bool xfrm_selector_match(const struct xfrm_selector *sel,
911 const struct flowi *fl, unsigned short family);
913 #ifdef CONFIG_SECURITY_NETWORK_XFRM
914 /* If neither has a context --> match
915 * Otherwise, both must have a context and the sids, doi, alg must match
917 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
919 return ((!s1 && !s2) ||
921 (s1->ctx_sid == s2->ctx_sid) &&
922 (s1->ctx_doi == s2->ctx_doi) &&
923 (s1->ctx_alg == s2->ctx_alg)));
926 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
932 /* A struct encoding bundle of transformations to apply to some set of flow.
934 * xdst->child points to the next element of bundle.
935 * dst->xfrm points to an instanse of transformer.
937 * Due to unfortunate limitations of current routing cache, which we
938 * have no time to fix, it mirrors struct rtable and bound to the same
939 * routing key, including saddr,daddr. However, we can have many of
940 * bundles differing by session id. All the bundles grow from a parent
945 struct dst_entry dst;
949 struct dst_entry *route;
950 struct dst_entry *child;
951 struct dst_entry *path;
952 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
953 int num_pols, num_xfrms;
956 u32 route_mtu_cached;
957 u32 child_mtu_cached;
962 static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst)
965 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
966 const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst;
971 return (struct dst_entry *) dst;
974 static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst)
977 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
978 struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
986 static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child)
991 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
993 xfrm_pols_put(xdst->pols, xdst->num_pols);
994 dst_release(xdst->route);
995 if (likely(xdst->u.dst.xfrm))
996 xfrm_state_put(xdst->u.dst.xfrm);
1000 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
1002 struct xfrm_if_parms {
1003 int link; /* ifindex of underlying L2 interface */
1004 u32 if_id; /* interface identifyer */
1009 struct xfrm_if __rcu *next; /* next interface in list */
1010 struct net_device *dev; /* virtual device associated with interface */
1011 struct net *net; /* netns for packet i/o */
1012 struct xfrm_if_parms p; /* interface parms */
1014 struct gro_cells gro_cells;
1017 struct xfrm_offload {
1018 /* Output sequence number for replay protection on offloading. */
1025 #define SA_DELETE_REQ 1
1026 #define CRYPTO_DONE 2
1027 #define CRYPTO_NEXT_DONE 4
1028 #define CRYPTO_FALLBACK 8
1029 #define XFRM_GSO_SEGMENT 16
1032 #define XFRM_DEV_RESUME 128
1033 #define XFRM_XMIT 256
1036 #define CRYPTO_SUCCESS 1
1037 #define CRYPTO_GENERIC_ERROR 2
1038 #define CRYPTO_TRANSPORT_AH_AUTH_FAILED 4
1039 #define CRYPTO_TRANSPORT_ESP_AUTH_FAILED 8
1040 #define CRYPTO_TUNNEL_AH_AUTH_FAILED 16
1041 #define CRYPTO_TUNNEL_ESP_AUTH_FAILED 32
1042 #define CRYPTO_INVALID_PACKET_SYNTAX 64
1043 #define CRYPTO_INVALID_PROTOCOL 128
1053 struct xfrm_state *xvec[XFRM_MAX_DEPTH];
1054 struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH];
1057 struct sec_path *secpath_set(struct sk_buff *skb);
1060 secpath_reset(struct sk_buff *skb)
1063 skb_ext_del(skb, SKB_EXT_SEC_PATH);
1068 xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1072 return addr->a4 == 0;
1074 return ipv6_addr_any(&addr->in6);
1080 __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1082 return (tmpl->saddr.a4 &&
1083 tmpl->saddr.a4 != x->props.saddr.a4);
1087 __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1089 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1090 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1094 xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1098 return __xfrm4_state_addr_cmp(tmpl, x);
1100 return __xfrm6_state_addr_cmp(tmpl, x);
1106 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1108 struct sec_path *sp = skb_sec_path(skb);
1110 return sp->xvec[sp->len - 1];
1114 static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
1117 struct sec_path *sp = skb_sec_path(skb);
1119 if (!sp || !sp->olen || sp->len != sp->olen)
1122 return &sp->ovec[sp->olen - 1];
1129 int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
1130 unsigned short family);
1132 static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb,
1135 if (!net->xfrm.policy_count[dir] && !secpath_exists(skb))
1136 return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT;
1141 static inline bool __xfrm_check_dev_nopolicy(struct sk_buff *skb,
1142 int dir, unsigned short family)
1144 if (dir != XFRM_POLICY_OUT && family == AF_INET) {
1145 /* same dst may be used for traffic originating from
1146 * devices with different policy settings.
1148 return IPCB(skb)->flags & IPSKB_NOPOLICY;
1150 return skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY);
1153 static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1154 struct sk_buff *skb,
1155 unsigned int family, int reverse)
1157 struct net *net = dev_net(skb->dev);
1158 int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1159 struct xfrm_offload *xo = xfrm_offload(skb);
1160 struct xfrm_state *x;
1162 if (sk && sk->sk_policy[XFRM_POLICY_IN])
1163 return __xfrm_policy_check(sk, ndir, skb, family);
1166 x = xfrm_input_state(skb);
1167 if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET)
1168 return (xo->flags & CRYPTO_DONE) &&
1169 (xo->status & CRYPTO_SUCCESS);
1172 return __xfrm_check_nopolicy(net, skb, dir) ||
1173 __xfrm_check_dev_nopolicy(skb, dir, family) ||
1174 __xfrm_policy_check(sk, ndir, skb, family);
1177 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1179 return __xfrm_policy_check2(sk, dir, skb, family, 0);
1182 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1184 return xfrm_policy_check(sk, dir, skb, AF_INET);
1187 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1189 return xfrm_policy_check(sk, dir, skb, AF_INET6);
1192 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1193 struct sk_buff *skb)
1195 return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1198 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1199 struct sk_buff *skb)
1201 return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1204 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1205 unsigned int family, int reverse);
1207 static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1208 unsigned int family)
1210 return __xfrm_decode_session(skb, fl, family, 0);
1213 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1215 unsigned int family)
1217 return __xfrm_decode_session(skb, fl, family, 1);
1220 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1222 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1224 struct net *net = dev_net(skb->dev);
1226 if (!net->xfrm.policy_count[XFRM_POLICY_OUT] &&
1227 net->xfrm.policy_default[XFRM_POLICY_OUT] == XFRM_USERPOLICY_ACCEPT)
1230 return (skb_dst(skb)->flags & DST_NOXFRM) ||
1231 __xfrm_route_forward(skb, family);
1234 static inline int xfrm4_route_forward(struct sk_buff *skb)
1236 return xfrm_route_forward(skb, AF_INET);
1239 static inline int xfrm6_route_forward(struct sk_buff *skb)
1241 return xfrm_route_forward(skb, AF_INET6);
1244 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk);
1246 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
1248 if (!sk_fullsock(osk))
1250 sk->sk_policy[0] = NULL;
1251 sk->sk_policy[1] = NULL;
1252 if (unlikely(osk->sk_policy[0] || osk->sk_policy[1]))
1253 return __xfrm_sk_clone_policy(sk, osk);
1257 int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1259 static inline void xfrm_sk_free_policy(struct sock *sk)
1261 struct xfrm_policy *pol;
1263 pol = rcu_dereference_protected(sk->sk_policy[0], 1);
1264 if (unlikely(pol != NULL)) {
1265 xfrm_policy_delete(pol, XFRM_POLICY_MAX);
1266 sk->sk_policy[0] = NULL;
1268 pol = rcu_dereference_protected(sk->sk_policy[1], 1);
1269 if (unlikely(pol != NULL)) {
1270 xfrm_policy_delete(pol, XFRM_POLICY_MAX+1);
1271 sk->sk_policy[1] = NULL;
1277 static inline void xfrm_sk_free_policy(struct sock *sk) {}
1278 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; }
1279 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
1280 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
1281 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1285 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1289 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1293 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1295 unsigned int family)
1299 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1300 struct sk_buff *skb)
1304 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1305 struct sk_buff *skb)
1312 xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1316 return (xfrm_address_t *)&fl->u.ip4.daddr;
1318 return (xfrm_address_t *)&fl->u.ip6.daddr;
1324 xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1328 return (xfrm_address_t *)&fl->u.ip4.saddr;
1330 return (xfrm_address_t *)&fl->u.ip6.saddr;
1336 void xfrm_flowi_addr_get(const struct flowi *fl,
1337 xfrm_address_t *saddr, xfrm_address_t *daddr,
1338 unsigned short family)
1342 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1343 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1346 saddr->in6 = fl->u.ip6.saddr;
1347 daddr->in6 = fl->u.ip6.daddr;
1352 static __inline__ int
1353 __xfrm4_state_addr_check(const struct xfrm_state *x,
1354 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1356 if (daddr->a4 == x->id.daddr.a4 &&
1357 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1362 static __inline__ int
1363 __xfrm6_state_addr_check(const struct xfrm_state *x,
1364 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1366 if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1367 (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
1368 ipv6_addr_any((struct in6_addr *)saddr) ||
1369 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1374 static __inline__ int
1375 xfrm_state_addr_check(const struct xfrm_state *x,
1376 const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1377 unsigned short family)
1381 return __xfrm4_state_addr_check(x, daddr, saddr);
1383 return __xfrm6_state_addr_check(x, daddr, saddr);
1388 static __inline__ int
1389 xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1390 unsigned short family)
1394 return __xfrm4_state_addr_check(x,
1395 (const xfrm_address_t *)&fl->u.ip4.daddr,
1396 (const xfrm_address_t *)&fl->u.ip4.saddr);
1398 return __xfrm6_state_addr_check(x,
1399 (const xfrm_address_t *)&fl->u.ip6.daddr,
1400 (const xfrm_address_t *)&fl->u.ip6.saddr);
1405 static inline int xfrm_state_kern(const struct xfrm_state *x)
1407 return atomic_read(&x->tunnel_users);
1410 static inline bool xfrm_id_proto_valid(u8 proto)
1416 #if IS_ENABLED(CONFIG_IPV6)
1417 case IPPROTO_ROUTING:
1418 case IPPROTO_DSTOPTS:
1426 /* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */
1427 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1429 return (!userproto || proto == userproto ||
1430 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1431 proto == IPPROTO_ESP ||
1432 proto == IPPROTO_COMP)));
1436 * xfrm algorithm information
1438 struct xfrm_algo_aead_info {
1443 struct xfrm_algo_auth_info {
1448 struct xfrm_algo_encr_info {
1454 struct xfrm_algo_comp_info {
1458 struct xfrm_algo_desc {
1462 u8 pfkey_supported:1;
1464 struct xfrm_algo_aead_info aead;
1465 struct xfrm_algo_auth_info auth;
1466 struct xfrm_algo_encr_info encr;
1467 struct xfrm_algo_comp_info comp;
1469 struct sadb_alg desc;
1472 /* XFRM protocol handlers. */
1473 struct xfrm4_protocol {
1474 int (*handler)(struct sk_buff *skb);
1475 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1477 int (*cb_handler)(struct sk_buff *skb, int err);
1478 int (*err_handler)(struct sk_buff *skb, u32 info);
1480 struct xfrm4_protocol __rcu *next;
1484 struct xfrm6_protocol {
1485 int (*handler)(struct sk_buff *skb);
1486 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1488 int (*cb_handler)(struct sk_buff *skb, int err);
1489 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1490 u8 type, u8 code, int offset, __be32 info);
1492 struct xfrm6_protocol __rcu *next;
1496 /* XFRM tunnel handlers. */
1497 struct xfrm_tunnel {
1498 int (*handler)(struct sk_buff *skb);
1499 int (*cb_handler)(struct sk_buff *skb, int err);
1500 int (*err_handler)(struct sk_buff *skb, u32 info);
1502 struct xfrm_tunnel __rcu *next;
1506 struct xfrm6_tunnel {
1507 int (*handler)(struct sk_buff *skb);
1508 int (*cb_handler)(struct sk_buff *skb, int err);
1509 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1510 u8 type, u8 code, int offset, __be32 info);
1511 struct xfrm6_tunnel __rcu *next;
1515 void xfrm_init(void);
1516 void xfrm4_init(void);
1517 int xfrm_state_init(struct net *net);
1518 void xfrm_state_fini(struct net *net);
1519 void xfrm4_state_init(void);
1520 void xfrm4_protocol_init(void);
1522 int xfrm6_init(void);
1523 void xfrm6_fini(void);
1524 int xfrm6_state_init(void);
1525 void xfrm6_state_fini(void);
1526 int xfrm6_protocol_init(void);
1527 void xfrm6_protocol_fini(void);
1529 static inline int xfrm6_init(void)
1533 static inline void xfrm6_fini(void)
1539 #ifdef CONFIG_XFRM_STATISTICS
1540 int xfrm_proc_init(struct net *net);
1541 void xfrm_proc_fini(struct net *net);
1544 int xfrm_sysctl_init(struct net *net);
1545 #ifdef CONFIG_SYSCTL
1546 void xfrm_sysctl_fini(struct net *net);
1548 static inline void xfrm_sysctl_fini(struct net *net)
1553 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
1554 struct xfrm_address_filter *filter);
1555 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1556 int (*func)(struct xfrm_state *, int, void*), void *);
1557 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
1558 struct xfrm_state *xfrm_state_alloc(struct net *net);
1559 void xfrm_state_free(struct xfrm_state *x);
1560 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1561 const xfrm_address_t *saddr,
1562 const struct flowi *fl,
1563 struct xfrm_tmpl *tmpl,
1564 struct xfrm_policy *pol, int *err,
1565 unsigned short family, u32 if_id);
1566 struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id,
1567 xfrm_address_t *daddr,
1568 xfrm_address_t *saddr,
1569 unsigned short family,
1570 u8 mode, u8 proto, u32 reqid);
1571 struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1572 unsigned short family);
1573 int xfrm_state_check_expire(struct xfrm_state *x);
1574 #ifdef CONFIG_XFRM_OFFLOAD
1575 static inline void xfrm_dev_state_update_curlft(struct xfrm_state *x)
1577 struct xfrm_dev_offload *xdo = &x->xso;
1578 struct net_device *dev = xdo->dev;
1580 if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
1583 if (dev && dev->xfrmdev_ops &&
1584 dev->xfrmdev_ops->xdo_dev_state_update_curlft)
1585 dev->xfrmdev_ops->xdo_dev_state_update_curlft(x);
1589 static inline void xfrm_dev_state_update_curlft(struct xfrm_state *x) {}
1591 void xfrm_state_insert(struct xfrm_state *x);
1592 int xfrm_state_add(struct xfrm_state *x);
1593 int xfrm_state_update(struct xfrm_state *x);
1594 struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1595 const xfrm_address_t *daddr, __be32 spi,
1596 u8 proto, unsigned short family);
1597 struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1598 const xfrm_address_t *daddr,
1599 const xfrm_address_t *saddr,
1601 unsigned short family);
1602 #ifdef CONFIG_XFRM_SUB_POLICY
1603 void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1604 unsigned short family);
1605 void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1606 unsigned short family);
1608 static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s,
1609 int n, unsigned short family)
1613 static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s,
1614 int n, unsigned short family)
1619 struct xfrmk_sadinfo {
1620 u32 sadhcnt; /* current hash bkts */
1621 u32 sadhmcnt; /* max allowed hash bkts */
1622 u32 sadcnt; /* current running count */
1625 struct xfrmk_spdinfo {
1636 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
1637 int xfrm_state_delete(struct xfrm_state *x);
1638 int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
1639 int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
1640 int xfrm_dev_policy_flush(struct net *net, struct net_device *dev,
1642 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1643 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1644 u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1645 int xfrm_init_replay(struct xfrm_state *x, struct netlink_ext_ack *extack);
1646 u32 xfrm_state_mtu(struct xfrm_state *x, int mtu);
1647 int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload,
1648 struct netlink_ext_ack *extack);
1649 int xfrm_init_state(struct xfrm_state *x);
1650 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
1651 int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1652 int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
1653 int (*finish)(struct net *, struct sock *,
1655 int xfrm_trans_queue(struct sk_buff *skb,
1656 int (*finish)(struct net *, struct sock *,
1658 int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err);
1659 int xfrm_output(struct sock *sk, struct sk_buff *skb);
1661 #if IS_ENABLED(CONFIG_NET_PKTGEN)
1662 int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb);
1665 void xfrm_local_error(struct sk_buff *skb, int mtu);
1666 int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1667 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1669 int xfrm4_transport_finish(struct sk_buff *skb, int async);
1670 int xfrm4_rcv(struct sk_buff *skb);
1672 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1674 XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
1675 XFRM_SPI_SKB_CB(skb)->family = AF_INET;
1676 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
1677 return xfrm_input(skb, nexthdr, spi, 0);
1680 int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1681 int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);
1682 int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);
1683 int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1684 int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1685 void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
1686 int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1687 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
1689 int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1691 int xfrm6_transport_finish(struct sk_buff *skb, int async);
1692 int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t);
1693 int xfrm6_rcv(struct sk_buff *skb);
1694 int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1695 xfrm_address_t *saddr, u8 proto);
1696 void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
1697 int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);
1698 int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);
1699 int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1700 int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1701 __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1702 __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1703 int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1706 void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu);
1707 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1708 int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1709 int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval,
1712 static inline int xfrm_user_policy(struct sock *sk, int optname,
1713 sockptr_t optval, int optlen)
1715 return -ENOPROTOOPT;
1719 struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
1720 const xfrm_address_t *saddr,
1721 const xfrm_address_t *daddr,
1722 int family, u32 mark);
1724 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1726 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1727 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1728 int (*func)(struct xfrm_policy *, int, int, void*),
1730 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1731 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1732 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net,
1733 const struct xfrm_mark *mark,
1734 u32 if_id, u8 type, int dir,
1735 struct xfrm_selector *sel,
1736 struct xfrm_sec_ctx *ctx, int delete,
1738 struct xfrm_policy *xfrm_policy_byid(struct net *net,
1739 const struct xfrm_mark *mark, u32 if_id,
1740 u8 type, int dir, u32 id, int delete,
1742 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
1743 void xfrm_policy_hash_rebuild(struct net *net);
1744 u32 xfrm_get_acqseq(void);
1745 int verify_spi_info(u8 proto, u32 min, u32 max, struct netlink_ext_ack *extack);
1746 int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi,
1747 struct netlink_ext_ack *extack);
1748 struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
1749 u8 mode, u32 reqid, u32 if_id, u8 proto,
1750 const xfrm_address_t *daddr,
1751 const xfrm_address_t *saddr, int create,
1752 unsigned short family);
1753 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1755 #ifdef CONFIG_XFRM_MIGRATE
1756 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1757 const struct xfrm_migrate *m, int num_bundles,
1758 const struct xfrm_kmaddress *k,
1759 const struct xfrm_encap_tmpl *encap);
1760 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net,
1762 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
1763 struct xfrm_migrate *m,
1764 struct xfrm_encap_tmpl *encap);
1765 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1766 struct xfrm_migrate *m, int num_bundles,
1767 struct xfrm_kmaddress *k, struct net *net,
1768 struct xfrm_encap_tmpl *encap, u32 if_id,
1769 struct netlink_ext_ack *extack);
1772 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1773 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1774 int km_report(struct net *net, u8 proto, struct xfrm_selector *sel,
1775 xfrm_address_t *addr);
1777 void xfrm_input_init(void);
1778 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1780 void xfrm_probe_algs(void);
1781 int xfrm_count_pfkey_auth_supported(void);
1782 int xfrm_count_pfkey_enc_supported(void);
1783 struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1784 struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1785 struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1786 struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1787 struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1788 struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1789 struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1790 struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1791 struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1794 static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1795 const xfrm_address_t *b)
1797 return ipv6_addr_equal((const struct in6_addr *)a,
1798 (const struct in6_addr *)b);
1801 static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1802 const xfrm_address_t *b,
1808 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1810 return xfrm6_addr_equal(a, b);
1814 static inline int xfrm_policy_id2dir(u32 index)
1820 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq);
1821 int xfrm_replay_check(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
1822 void xfrm_replay_notify(struct xfrm_state *x, int event);
1823 int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb);
1824 int xfrm_replay_recheck(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
1826 static inline int xfrm_aevent_is_on(struct net *net)
1832 nlsk = rcu_dereference(net->xfrm.nlsk);
1834 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1839 static inline int xfrm_acquire_is_on(struct net *net)
1845 nlsk = rcu_dereference(net->xfrm.nlsk);
1847 ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE);
1854 static inline unsigned int aead_len(struct xfrm_algo_aead *alg)
1856 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1859 static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg)
1861 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1864 static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1866 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1869 static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1871 return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1874 #ifdef CONFIG_XFRM_MIGRATE
1875 static inline int xfrm_replay_clone(struct xfrm_state *x,
1876 struct xfrm_state *orig)
1879 x->replay_esn = kmemdup(orig->replay_esn,
1880 xfrm_replay_state_esn_len(orig->replay_esn),
1884 x->preplay_esn = kmemdup(orig->preplay_esn,
1885 xfrm_replay_state_esn_len(orig->preplay_esn),
1887 if (!x->preplay_esn)
1893 static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig)
1895 return kmemdup(orig, aead_len(orig), GFP_KERNEL);
1899 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1901 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1904 static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1906 return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1909 static inline void xfrm_states_put(struct xfrm_state **states, int n)
1912 for (i = 0; i < n; i++)
1913 xfrm_state_put(*(states + i));
1916 static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1919 for (i = 0; i < n; i++)
1920 xfrm_state_delete(*(states + i));
1924 void __init xfrm_dev_init(void);
1926 #ifdef CONFIG_XFRM_OFFLOAD
1927 void xfrm_dev_resume(struct sk_buff *skb);
1928 void xfrm_dev_backlog(struct softnet_data *sd);
1929 struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again);
1930 int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
1931 struct xfrm_user_offload *xuo,
1932 struct netlink_ext_ack *extack);
1933 int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
1934 struct xfrm_user_offload *xuo, u8 dir,
1935 struct netlink_ext_ack *extack);
1936 bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
1938 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1940 struct xfrm_dev_offload *xso = &x->xso;
1942 if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn)
1943 xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
1946 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1948 struct xfrm_state *x = dst->xfrm;
1949 struct xfrm_dst *xdst;
1951 if (!x || !x->type_offload)
1954 xdst = (struct xfrm_dst *) dst;
1955 if (!x->xso.offload_handle && !xdst->child->xfrm)
1957 if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) &&
1964 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1966 struct xfrm_dev_offload *xso = &x->xso;
1969 xso->dev->xfrmdev_ops->xdo_dev_state_delete(x);
1972 static inline void xfrm_dev_state_free(struct xfrm_state *x)
1974 struct xfrm_dev_offload *xso = &x->xso;
1975 struct net_device *dev = xso->dev;
1977 if (dev && dev->xfrmdev_ops) {
1978 if (dev->xfrmdev_ops->xdo_dev_state_free)
1979 dev->xfrmdev_ops->xdo_dev_state_free(x);
1981 netdev_put(dev, &xso->dev_tracker);
1985 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x)
1987 struct xfrm_dev_offload *xdo = &x->xdo;
1988 struct net_device *dev = xdo->dev;
1990 if (dev && dev->xfrmdev_ops && dev->xfrmdev_ops->xdo_dev_policy_delete)
1991 dev->xfrmdev_ops->xdo_dev_policy_delete(x);
1994 static inline void xfrm_dev_policy_free(struct xfrm_policy *x)
1996 struct xfrm_dev_offload *xdo = &x->xdo;
1997 struct net_device *dev = xdo->dev;
1999 if (dev && dev->xfrmdev_ops) {
2000 if (dev->xfrmdev_ops->xdo_dev_policy_free)
2001 dev->xfrmdev_ops->xdo_dev_policy_free(x);
2003 netdev_put(dev, &xdo->dev_tracker);
2007 static inline void xfrm_dev_resume(struct sk_buff *skb)
2011 static inline void xfrm_dev_backlog(struct softnet_data *sd)
2015 static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
2020 static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo, struct netlink_ext_ack *extack)
2025 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
2029 static inline void xfrm_dev_state_free(struct xfrm_state *x)
2033 static inline int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
2034 struct xfrm_user_offload *xuo, u8 dir,
2035 struct netlink_ext_ack *extack)
2040 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x)
2044 static inline void xfrm_dev_policy_free(struct xfrm_policy *x)
2048 static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
2053 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
2057 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
2063 static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
2065 if (attrs[XFRMA_MARK])
2066 memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
2073 static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
2078 ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
2082 static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x)
2084 struct xfrm_mark *m = &x->props.smark;
2086 return (m->v & m->m) | (mark & ~m->m);
2089 static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id)
2094 ret = nla_put_u32(skb, XFRMA_IF_ID, if_id);
2098 static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
2099 unsigned int family)
2101 bool tunnel = false;
2105 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
2109 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
2113 if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL))
2119 extern const int xfrm_msg_min[XFRM_NR_MSGTYPES];
2120 extern const struct nla_policy xfrma_policy[XFRMA_MAX+1];
2122 struct xfrm_translator {
2123 /* Allocate frag_list and put compat translation there */
2124 int (*alloc_compat)(struct sk_buff *skb, const struct nlmsghdr *src);
2126 /* Allocate nlmsg with 64-bit translaton of received 32-bit message */
2127 struct nlmsghdr *(*rcv_msg_compat)(const struct nlmsghdr *nlh,
2128 int maxtype, const struct nla_policy *policy,
2129 struct netlink_ext_ack *extack);
2131 /* Translate 32-bit user_policy from sockptr */
2132 int (*xlate_user_policy_sockptr)(u8 **pdata32, int optlen);
2134 struct module *owner;
2137 #if IS_ENABLED(CONFIG_XFRM_USER_COMPAT)
2138 extern int xfrm_register_translator(struct xfrm_translator *xtr);
2139 extern int xfrm_unregister_translator(struct xfrm_translator *xtr);
2140 extern struct xfrm_translator *xfrm_get_translator(void);
2141 extern void xfrm_put_translator(struct xfrm_translator *xtr);
2143 static inline struct xfrm_translator *xfrm_get_translator(void)
2147 static inline void xfrm_put_translator(struct xfrm_translator *xtr)
2152 #if IS_ENABLED(CONFIG_IPV6)
2153 static inline bool xfrm6_local_dontfrag(const struct sock *sk)
2157 if (!sk || sk->sk_family != AF_INET6)
2160 proto = sk->sk_protocol;
2161 if (proto == IPPROTO_UDP || proto == IPPROTO_RAW)
2162 return inet6_sk(sk)->dontfrag;
2168 #if (IS_BUILTIN(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) || \
2169 (IS_MODULE(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES))
2171 extern struct metadata_dst __percpu *xfrm_bpf_md_dst;
2173 int register_xfrm_interface_bpf(void);
2177 static inline int register_xfrm_interface_bpf(void)
2184 #endif /* _NET_XFRM_H */