6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * Kazunori MIYAZAWA @USAGI
11 * Split up af-specific portion
12 * Derek Atkins <derek@ihtfp.com> Add the post_input processor
16 #include <linux/err.h>
17 #include <linux/slab.h>
18 #include <linux/kmod.h>
19 #include <linux/list.h>
20 #include <linux/spinlock.h>
21 #include <linux/workqueue.h>
22 #include <linux/notifier.h>
23 #include <linux/netdevice.h>
24 #include <linux/netfilter.h>
25 #include <linux/module.h>
26 #include <linux/cache.h>
27 #include <linux/audit.h>
32 #ifdef CONFIG_XFRM_STATISTICS
36 #include "xfrm_hash.h"
38 #define XFRM_QUEUE_TMO_MIN ((unsigned)(HZ/10))
39 #define XFRM_QUEUE_TMO_MAX ((unsigned)(60*HZ))
40 #define XFRM_MAX_QUEUE_LEN 100
42 static struct dst_entry *xfrm_policy_sk_bundles;
45 struct dst_entry *dst_orig;
49 static DEFINE_SPINLOCK(xfrm_policy_afinfo_lock);
50 static struct xfrm_policy_afinfo __rcu *xfrm_policy_afinfo[NPROTO]
53 static struct kmem_cache *xfrm_dst_cache __read_mostly;
55 static void xfrm_init_pmtu(struct dst_entry *dst);
56 static int stale_bundle(struct dst_entry *dst);
57 static int xfrm_bundle_ok(struct xfrm_dst *xdst);
58 static void xfrm_policy_queue_process(unsigned long arg);
60 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
64 __xfrm4_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
66 const struct flowi4 *fl4 = &fl->u.ip4;
68 return addr4_match(fl4->daddr, sel->daddr.a4, sel->prefixlen_d) &&
69 addr4_match(fl4->saddr, sel->saddr.a4, sel->prefixlen_s) &&
70 !((xfrm_flowi_dport(fl, &fl4->uli) ^ sel->dport) & sel->dport_mask) &&
71 !((xfrm_flowi_sport(fl, &fl4->uli) ^ sel->sport) & sel->sport_mask) &&
72 (fl4->flowi4_proto == sel->proto || !sel->proto) &&
73 (fl4->flowi4_oif == sel->ifindex || !sel->ifindex);
77 __xfrm6_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
79 const struct flowi6 *fl6 = &fl->u.ip6;
81 return addr_match(&fl6->daddr, &sel->daddr, sel->prefixlen_d) &&
82 addr_match(&fl6->saddr, &sel->saddr, sel->prefixlen_s) &&
83 !((xfrm_flowi_dport(fl, &fl6->uli) ^ sel->dport) & sel->dport_mask) &&
84 !((xfrm_flowi_sport(fl, &fl6->uli) ^ sel->sport) & sel->sport_mask) &&
85 (fl6->flowi6_proto == sel->proto || !sel->proto) &&
86 (fl6->flowi6_oif == sel->ifindex || !sel->ifindex);
89 bool xfrm_selector_match(const struct xfrm_selector *sel, const struct flowi *fl,
90 unsigned short family)
94 return __xfrm4_selector_match(sel, fl);
96 return __xfrm6_selector_match(sel, fl);
101 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)
103 struct xfrm_policy_afinfo *afinfo;
105 if (unlikely(family >= NPROTO))
108 afinfo = rcu_dereference(xfrm_policy_afinfo[family]);
109 if (unlikely(!afinfo))
114 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo)
119 static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos,
120 const xfrm_address_t *saddr,
121 const xfrm_address_t *daddr,
124 struct xfrm_policy_afinfo *afinfo;
125 struct dst_entry *dst;
127 afinfo = xfrm_policy_get_afinfo(family);
128 if (unlikely(afinfo == NULL))
129 return ERR_PTR(-EAFNOSUPPORT);
131 dst = afinfo->dst_lookup(net, tos, saddr, daddr);
133 xfrm_policy_put_afinfo(afinfo);
138 static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x, int tos,
139 xfrm_address_t *prev_saddr,
140 xfrm_address_t *prev_daddr,
143 struct net *net = xs_net(x);
144 xfrm_address_t *saddr = &x->props.saddr;
145 xfrm_address_t *daddr = &x->id.daddr;
146 struct dst_entry *dst;
148 if (x->type->flags & XFRM_TYPE_LOCAL_COADDR) {
152 if (x->type->flags & XFRM_TYPE_REMOTE_COADDR) {
157 dst = __xfrm_dst_lookup(net, tos, saddr, daddr, family);
160 if (prev_saddr != saddr)
161 memcpy(prev_saddr, saddr, sizeof(*prev_saddr));
162 if (prev_daddr != daddr)
163 memcpy(prev_daddr, daddr, sizeof(*prev_daddr));
169 static inline unsigned long make_jiffies(long secs)
171 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
172 return MAX_SCHEDULE_TIMEOUT-1;
177 static void xfrm_policy_timer(unsigned long data)
179 struct xfrm_policy *xp = (struct xfrm_policy *)data;
180 unsigned long now = get_seconds();
181 long next = LONG_MAX;
185 read_lock(&xp->lock);
187 if (unlikely(xp->walk.dead))
190 dir = xfrm_policy_id2dir(xp->index);
192 if (xp->lft.hard_add_expires_seconds) {
193 long tmo = xp->lft.hard_add_expires_seconds +
194 xp->curlft.add_time - now;
200 if (xp->lft.hard_use_expires_seconds) {
201 long tmo = xp->lft.hard_use_expires_seconds +
202 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
208 if (xp->lft.soft_add_expires_seconds) {
209 long tmo = xp->lft.soft_add_expires_seconds +
210 xp->curlft.add_time - now;
213 tmo = XFRM_KM_TIMEOUT;
218 if (xp->lft.soft_use_expires_seconds) {
219 long tmo = xp->lft.soft_use_expires_seconds +
220 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
223 tmo = XFRM_KM_TIMEOUT;
230 km_policy_expired(xp, dir, 0, 0);
231 if (next != LONG_MAX &&
232 !mod_timer(&xp->timer, jiffies + make_jiffies(next)))
236 read_unlock(&xp->lock);
241 read_unlock(&xp->lock);
242 if (!xfrm_policy_delete(xp, dir))
243 km_policy_expired(xp, dir, 1, 0);
247 static struct flow_cache_object *xfrm_policy_flo_get(struct flow_cache_object *flo)
249 struct xfrm_policy *pol = container_of(flo, struct xfrm_policy, flo);
251 if (unlikely(pol->walk.dead))
259 static int xfrm_policy_flo_check(struct flow_cache_object *flo)
261 struct xfrm_policy *pol = container_of(flo, struct xfrm_policy, flo);
263 return !pol->walk.dead;
266 static void xfrm_policy_flo_delete(struct flow_cache_object *flo)
268 xfrm_pol_put(container_of(flo, struct xfrm_policy, flo));
271 static const struct flow_cache_ops xfrm_policy_fc_ops = {
272 .get = xfrm_policy_flo_get,
273 .check = xfrm_policy_flo_check,
274 .delete = xfrm_policy_flo_delete,
277 /* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
281 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
283 struct xfrm_policy *policy;
285 policy = kzalloc(sizeof(struct xfrm_policy), gfp);
288 write_pnet(&policy->xp_net, net);
289 INIT_LIST_HEAD(&policy->walk.all);
290 INIT_HLIST_NODE(&policy->bydst);
291 INIT_HLIST_NODE(&policy->byidx);
292 rwlock_init(&policy->lock);
293 atomic_set(&policy->refcnt, 1);
294 skb_queue_head_init(&policy->polq.hold_queue);
295 setup_timer(&policy->timer, xfrm_policy_timer,
296 (unsigned long)policy);
297 setup_timer(&policy->polq.hold_timer, xfrm_policy_queue_process,
298 (unsigned long)policy);
299 policy->flo.ops = &xfrm_policy_fc_ops;
303 EXPORT_SYMBOL(xfrm_policy_alloc);
305 /* Destroy xfrm_policy: descendant resources must be released to this moment. */
307 void xfrm_policy_destroy(struct xfrm_policy *policy)
309 BUG_ON(!policy->walk.dead);
311 if (del_timer(&policy->timer) || del_timer(&policy->polq.hold_timer))
314 security_xfrm_policy_free(policy->security);
317 EXPORT_SYMBOL(xfrm_policy_destroy);
319 static void xfrm_queue_purge(struct sk_buff_head *list)
323 while ((skb = skb_dequeue(list)) != NULL)
327 /* Rule must be locked. Release descentant resources, announce
328 * entry dead. The rule must be unlinked from lists to the moment.
331 static void xfrm_policy_kill(struct xfrm_policy *policy)
333 policy->walk.dead = 1;
335 atomic_inc(&policy->genid);
337 if (del_timer(&policy->polq.hold_timer))
338 xfrm_pol_put(policy);
339 xfrm_queue_purge(&policy->polq.hold_queue);
341 if (del_timer(&policy->timer))
342 xfrm_pol_put(policy);
344 xfrm_pol_put(policy);
347 static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024;
349 static inline unsigned int idx_hash(struct net *net, u32 index)
351 return __idx_hash(index, net->xfrm.policy_idx_hmask);
354 static struct hlist_head *policy_hash_bysel(struct net *net,
355 const struct xfrm_selector *sel,
356 unsigned short family, int dir)
358 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
359 unsigned int hash = __sel_hash(sel, family, hmask);
361 return (hash == hmask + 1 ?
362 &net->xfrm.policy_inexact[dir] :
363 net->xfrm.policy_bydst[dir].table + hash);
366 static struct hlist_head *policy_hash_direct(struct net *net,
367 const xfrm_address_t *daddr,
368 const xfrm_address_t *saddr,
369 unsigned short family, int dir)
371 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
372 unsigned int hash = __addr_hash(daddr, saddr, family, hmask);
374 return net->xfrm.policy_bydst[dir].table + hash;
377 static void xfrm_dst_hash_transfer(struct hlist_head *list,
378 struct hlist_head *ndsttable,
379 unsigned int nhashmask)
381 struct hlist_node *tmp, *entry0 = NULL;
382 struct xfrm_policy *pol;
386 hlist_for_each_entry_safe(pol, tmp, list, bydst) {
389 h = __addr_hash(&pol->selector.daddr, &pol->selector.saddr,
390 pol->family, nhashmask);
392 hlist_del(&pol->bydst);
393 hlist_add_head(&pol->bydst, ndsttable+h);
398 hlist_del(&pol->bydst);
399 hlist_add_after(entry0, &pol->bydst);
401 entry0 = &pol->bydst;
403 if (!hlist_empty(list)) {
409 static void xfrm_idx_hash_transfer(struct hlist_head *list,
410 struct hlist_head *nidxtable,
411 unsigned int nhashmask)
413 struct hlist_node *tmp;
414 struct xfrm_policy *pol;
416 hlist_for_each_entry_safe(pol, tmp, list, byidx) {
419 h = __idx_hash(pol->index, nhashmask);
420 hlist_add_head(&pol->byidx, nidxtable+h);
424 static unsigned long xfrm_new_hash_mask(unsigned int old_hmask)
426 return ((old_hmask + 1) << 1) - 1;
429 static void xfrm_bydst_resize(struct net *net, int dir)
431 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
432 unsigned int nhashmask = xfrm_new_hash_mask(hmask);
433 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
434 struct hlist_head *odst = net->xfrm.policy_bydst[dir].table;
435 struct hlist_head *ndst = xfrm_hash_alloc(nsize);
441 write_lock_bh(&net->xfrm.xfrm_policy_lock);
443 for (i = hmask; i >= 0; i--)
444 xfrm_dst_hash_transfer(odst + i, ndst, nhashmask);
446 net->xfrm.policy_bydst[dir].table = ndst;
447 net->xfrm.policy_bydst[dir].hmask = nhashmask;
449 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
451 xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head));
454 static void xfrm_byidx_resize(struct net *net, int total)
456 unsigned int hmask = net->xfrm.policy_idx_hmask;
457 unsigned int nhashmask = xfrm_new_hash_mask(hmask);
458 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
459 struct hlist_head *oidx = net->xfrm.policy_byidx;
460 struct hlist_head *nidx = xfrm_hash_alloc(nsize);
466 write_lock_bh(&net->xfrm.xfrm_policy_lock);
468 for (i = hmask; i >= 0; i--)
469 xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask);
471 net->xfrm.policy_byidx = nidx;
472 net->xfrm.policy_idx_hmask = nhashmask;
474 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
476 xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head));
479 static inline int xfrm_bydst_should_resize(struct net *net, int dir, int *total)
481 unsigned int cnt = net->xfrm.policy_count[dir];
482 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
487 if ((hmask + 1) < xfrm_policy_hashmax &&
494 static inline int xfrm_byidx_should_resize(struct net *net, int total)
496 unsigned int hmask = net->xfrm.policy_idx_hmask;
498 if ((hmask + 1) < xfrm_policy_hashmax &&
505 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si)
507 read_lock_bh(&net->xfrm.xfrm_policy_lock);
508 si->incnt = net->xfrm.policy_count[XFRM_POLICY_IN];
509 si->outcnt = net->xfrm.policy_count[XFRM_POLICY_OUT];
510 si->fwdcnt = net->xfrm.policy_count[XFRM_POLICY_FWD];
511 si->inscnt = net->xfrm.policy_count[XFRM_POLICY_IN+XFRM_POLICY_MAX];
512 si->outscnt = net->xfrm.policy_count[XFRM_POLICY_OUT+XFRM_POLICY_MAX];
513 si->fwdscnt = net->xfrm.policy_count[XFRM_POLICY_FWD+XFRM_POLICY_MAX];
514 si->spdhcnt = net->xfrm.policy_idx_hmask;
515 si->spdhmcnt = xfrm_policy_hashmax;
516 read_unlock_bh(&net->xfrm.xfrm_policy_lock);
518 EXPORT_SYMBOL(xfrm_spd_getinfo);
520 static DEFINE_MUTEX(hash_resize_mutex);
521 static void xfrm_hash_resize(struct work_struct *work)
523 struct net *net = container_of(work, struct net, xfrm.policy_hash_work);
526 mutex_lock(&hash_resize_mutex);
529 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
530 if (xfrm_bydst_should_resize(net, dir, &total))
531 xfrm_bydst_resize(net, dir);
533 if (xfrm_byidx_should_resize(net, total))
534 xfrm_byidx_resize(net, total);
536 mutex_unlock(&hash_resize_mutex);
539 /* Generate new index... KAME seems to generate them ordered by cost
540 * of an absolute inpredictability of ordering of rules. This will not pass. */
541 static u32 xfrm_gen_index(struct net *net, int dir, u32 index)
543 static u32 idx_generator;
546 struct hlist_head *list;
547 struct xfrm_policy *p;
552 idx = (idx_generator | dir);
561 list = net->xfrm.policy_byidx + idx_hash(net, idx);
563 hlist_for_each_entry(p, list, byidx) {
564 if (p->index == idx) {
574 static inline int selector_cmp(struct xfrm_selector *s1, struct xfrm_selector *s2)
576 u32 *p1 = (u32 *) s1;
577 u32 *p2 = (u32 *) s2;
578 int len = sizeof(struct xfrm_selector) / sizeof(u32);
581 for (i = 0; i < len; i++) {
589 static void xfrm_policy_requeue(struct xfrm_policy *old,
590 struct xfrm_policy *new)
592 struct xfrm_policy_queue *pq = &old->polq;
593 struct sk_buff_head list;
595 __skb_queue_head_init(&list);
597 spin_lock_bh(&pq->hold_queue.lock);
598 skb_queue_splice_init(&pq->hold_queue, &list);
599 if (del_timer(&pq->hold_timer))
601 spin_unlock_bh(&pq->hold_queue.lock);
603 if (skb_queue_empty(&list))
608 spin_lock_bh(&pq->hold_queue.lock);
609 skb_queue_splice(&list, &pq->hold_queue);
610 pq->timeout = XFRM_QUEUE_TMO_MIN;
611 if (!mod_timer(&pq->hold_timer, jiffies))
613 spin_unlock_bh(&pq->hold_queue.lock);
616 static bool xfrm_policy_mark_match(struct xfrm_policy *policy,
617 struct xfrm_policy *pol)
619 u32 mark = policy->mark.v & policy->mark.m;
621 if (policy->mark.v == pol->mark.v && policy->mark.m == pol->mark.m)
624 if ((mark & pol->mark.m) == pol->mark.v &&
625 policy->priority == pol->priority)
631 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
633 struct net *net = xp_net(policy);
634 struct xfrm_policy *pol;
635 struct xfrm_policy *delpol;
636 struct hlist_head *chain;
637 struct hlist_node *newpos;
639 write_lock_bh(&net->xfrm.xfrm_policy_lock);
640 chain = policy_hash_bysel(net, &policy->selector, policy->family, dir);
643 hlist_for_each_entry(pol, chain, bydst) {
644 if (pol->type == policy->type &&
645 !selector_cmp(&pol->selector, &policy->selector) &&
646 xfrm_policy_mark_match(policy, pol) &&
647 xfrm_sec_ctx_match(pol->security, policy->security) &&
650 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
654 if (policy->priority > pol->priority)
656 } else if (policy->priority >= pol->priority) {
657 newpos = &pol->bydst;
664 hlist_add_after(newpos, &policy->bydst);
666 hlist_add_head(&policy->bydst, chain);
667 xfrm_pol_hold(policy);
668 net->xfrm.policy_count[dir]++;
669 atomic_inc(&flow_cache_genid);
671 /* After previous checking, family can either be AF_INET or AF_INET6 */
672 if (policy->family == AF_INET)
673 rt_genid_bump_ipv4(net);
675 rt_genid_bump_ipv6(net);
678 xfrm_policy_requeue(delpol, policy);
679 __xfrm_policy_unlink(delpol, dir);
681 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir, policy->index);
682 hlist_add_head(&policy->byidx, net->xfrm.policy_byidx+idx_hash(net, policy->index));
683 policy->curlft.add_time = get_seconds();
684 policy->curlft.use_time = 0;
685 if (!mod_timer(&policy->timer, jiffies + HZ))
686 xfrm_pol_hold(policy);
687 list_add(&policy->walk.all, &net->xfrm.policy_all);
688 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
691 xfrm_policy_kill(delpol);
692 else if (xfrm_bydst_should_resize(net, dir, NULL))
693 schedule_work(&net->xfrm.policy_hash_work);
697 EXPORT_SYMBOL(xfrm_policy_insert);
699 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u8 type,
700 int dir, struct xfrm_selector *sel,
701 struct xfrm_sec_ctx *ctx, int delete,
704 struct xfrm_policy *pol, *ret;
705 struct hlist_head *chain;
708 write_lock_bh(&net->xfrm.xfrm_policy_lock);
709 chain = policy_hash_bysel(net, sel, sel->family, dir);
711 hlist_for_each_entry(pol, chain, bydst) {
712 if (pol->type == type &&
713 (mark & pol->mark.m) == pol->mark.v &&
714 !selector_cmp(sel, &pol->selector) &&
715 xfrm_sec_ctx_match(ctx, pol->security)) {
718 *err = security_xfrm_policy_delete(
721 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
724 __xfrm_policy_unlink(pol, dir);
730 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
733 xfrm_policy_kill(ret);
736 EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
738 struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8 type,
739 int dir, u32 id, int delete, int *err)
741 struct xfrm_policy *pol, *ret;
742 struct hlist_head *chain;
745 if (xfrm_policy_id2dir(id) != dir)
749 write_lock_bh(&net->xfrm.xfrm_policy_lock);
750 chain = net->xfrm.policy_byidx + idx_hash(net, id);
752 hlist_for_each_entry(pol, chain, byidx) {
753 if (pol->type == type && pol->index == id &&
754 (mark & pol->mark.m) == pol->mark.v) {
757 *err = security_xfrm_policy_delete(
760 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
763 __xfrm_policy_unlink(pol, dir);
769 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
772 xfrm_policy_kill(ret);
775 EXPORT_SYMBOL(xfrm_policy_byid);
777 #ifdef CONFIG_SECURITY_NETWORK_XFRM
779 xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info)
783 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
784 struct xfrm_policy *pol;
787 hlist_for_each_entry(pol,
788 &net->xfrm.policy_inexact[dir], bydst) {
789 if (pol->type != type)
791 err = security_xfrm_policy_delete(pol->security);
793 xfrm_audit_policy_delete(pol, 0,
794 audit_info->loginuid,
795 audit_info->sessionid,
800 for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
801 hlist_for_each_entry(pol,
802 net->xfrm.policy_bydst[dir].table + i,
804 if (pol->type != type)
806 err = security_xfrm_policy_delete(
809 xfrm_audit_policy_delete(pol, 0,
810 audit_info->loginuid,
811 audit_info->sessionid,
822 xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info)
828 int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
830 int dir, err = 0, cnt = 0;
832 write_lock_bh(&net->xfrm.xfrm_policy_lock);
834 err = xfrm_policy_flush_secctx_check(net, type, audit_info);
838 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
839 struct xfrm_policy *pol;
843 hlist_for_each_entry(pol,
844 &net->xfrm.policy_inexact[dir], bydst) {
845 if (pol->type != type)
847 __xfrm_policy_unlink(pol, dir);
848 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
851 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
852 audit_info->sessionid,
855 xfrm_policy_kill(pol);
857 write_lock_bh(&net->xfrm.xfrm_policy_lock);
861 for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
863 hlist_for_each_entry(pol,
864 net->xfrm.policy_bydst[dir].table + i,
866 if (pol->type != type)
868 __xfrm_policy_unlink(pol, dir);
869 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
872 xfrm_audit_policy_delete(pol, 1,
873 audit_info->loginuid,
874 audit_info->sessionid,
876 xfrm_policy_kill(pol);
878 write_lock_bh(&net->xfrm.xfrm_policy_lock);
887 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
890 EXPORT_SYMBOL(xfrm_policy_flush);
892 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
893 int (*func)(struct xfrm_policy *, int, int, void*),
896 struct xfrm_policy *pol;
897 struct xfrm_policy_walk_entry *x;
900 if (walk->type >= XFRM_POLICY_TYPE_MAX &&
901 walk->type != XFRM_POLICY_TYPE_ANY)
904 if (list_empty(&walk->walk.all) && walk->seq != 0)
907 write_lock_bh(&net->xfrm.xfrm_policy_lock);
908 if (list_empty(&walk->walk.all))
909 x = list_first_entry(&net->xfrm.policy_all, struct xfrm_policy_walk_entry, all);
911 x = list_entry(&walk->walk.all, struct xfrm_policy_walk_entry, all);
912 list_for_each_entry_from(x, &net->xfrm.policy_all, all) {
915 pol = container_of(x, struct xfrm_policy, walk);
916 if (walk->type != XFRM_POLICY_TYPE_ANY &&
917 walk->type != pol->type)
919 error = func(pol, xfrm_policy_id2dir(pol->index),
922 list_move_tail(&walk->walk.all, &x->all);
927 if (walk->seq == 0) {
931 list_del_init(&walk->walk.all);
933 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
936 EXPORT_SYMBOL(xfrm_policy_walk);
938 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type)
940 INIT_LIST_HEAD(&walk->walk.all);
945 EXPORT_SYMBOL(xfrm_policy_walk_init);
947 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net)
949 if (list_empty(&walk->walk.all))
952 write_lock_bh(&net->xfrm.xfrm_policy_lock); /*FIXME where is net? */
953 list_del(&walk->walk.all);
954 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
956 EXPORT_SYMBOL(xfrm_policy_walk_done);
959 * Find policy to apply to this flow.
961 * Returns 0 if policy found, else an -errno.
963 static int xfrm_policy_match(const struct xfrm_policy *pol,
964 const struct flowi *fl,
965 u8 type, u16 family, int dir)
967 const struct xfrm_selector *sel = &pol->selector;
971 if (pol->family != family ||
972 (fl->flowi_mark & pol->mark.m) != pol->mark.v ||
976 match = xfrm_selector_match(sel, fl, family);
978 ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid,
984 static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
985 const struct flowi *fl,
989 struct xfrm_policy *pol, *ret;
990 const xfrm_address_t *daddr, *saddr;
991 struct hlist_head *chain;
994 daddr = xfrm_flowi_daddr(fl, family);
995 saddr = xfrm_flowi_saddr(fl, family);
996 if (unlikely(!daddr || !saddr))
999 read_lock_bh(&net->xfrm.xfrm_policy_lock);
1000 chain = policy_hash_direct(net, daddr, saddr, family, dir);
1002 hlist_for_each_entry(pol, chain, bydst) {
1003 err = xfrm_policy_match(pol, fl, type, family, dir);
1013 priority = ret->priority;
1017 chain = &net->xfrm.policy_inexact[dir];
1018 hlist_for_each_entry(pol, chain, bydst) {
1019 err = xfrm_policy_match(pol, fl, type, family, dir);
1027 } else if (pol->priority < priority) {
1035 read_unlock_bh(&net->xfrm.xfrm_policy_lock);
1040 static struct xfrm_policy *
1041 __xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir)
1043 #ifdef CONFIG_XFRM_SUB_POLICY
1044 struct xfrm_policy *pol;
1046 pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_SUB, fl, family, dir);
1050 return xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, fl, family, dir);
1053 static int flow_to_policy_dir(int dir)
1055 if (XFRM_POLICY_IN == FLOW_DIR_IN &&
1056 XFRM_POLICY_OUT == FLOW_DIR_OUT &&
1057 XFRM_POLICY_FWD == FLOW_DIR_FWD)
1063 return XFRM_POLICY_IN;
1065 return XFRM_POLICY_OUT;
1067 return XFRM_POLICY_FWD;
1071 static struct flow_cache_object *
1072 xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family,
1073 u8 dir, struct flow_cache_object *old_obj, void *ctx)
1075 struct xfrm_policy *pol;
1078 xfrm_pol_put(container_of(old_obj, struct xfrm_policy, flo));
1080 pol = __xfrm_policy_lookup(net, fl, family, flow_to_policy_dir(dir));
1081 if (IS_ERR_OR_NULL(pol))
1082 return ERR_CAST(pol);
1084 /* Resolver returns two references:
1085 * one for cache and one for caller of flow_cache_lookup() */
1091 static inline int policy_to_flow_dir(int dir)
1093 if (XFRM_POLICY_IN == FLOW_DIR_IN &&
1094 XFRM_POLICY_OUT == FLOW_DIR_OUT &&
1095 XFRM_POLICY_FWD == FLOW_DIR_FWD)
1099 case XFRM_POLICY_IN:
1101 case XFRM_POLICY_OUT:
1102 return FLOW_DIR_OUT;
1103 case XFRM_POLICY_FWD:
1104 return FLOW_DIR_FWD;
1108 static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir,
1109 const struct flowi *fl)
1111 struct xfrm_policy *pol;
1112 struct net *net = sock_net(sk);
1114 read_lock_bh(&net->xfrm.xfrm_policy_lock);
1115 if ((pol = sk->sk_policy[dir]) != NULL) {
1116 bool match = xfrm_selector_match(&pol->selector, fl,
1121 if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
1125 err = security_xfrm_policy_lookup(pol->security,
1127 policy_to_flow_dir(dir));
1130 else if (err == -ESRCH)
1138 read_unlock_bh(&net->xfrm.xfrm_policy_lock);
1142 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
1144 struct net *net = xp_net(pol);
1145 struct hlist_head *chain = policy_hash_bysel(net, &pol->selector,
1148 list_add(&pol->walk.all, &net->xfrm.policy_all);
1149 hlist_add_head(&pol->bydst, chain);
1150 hlist_add_head(&pol->byidx, net->xfrm.policy_byidx+idx_hash(net, pol->index));
1151 net->xfrm.policy_count[dir]++;
1154 if (xfrm_bydst_should_resize(net, dir, NULL))
1155 schedule_work(&net->xfrm.policy_hash_work);
1158 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
1161 struct net *net = xp_net(pol);
1163 if (hlist_unhashed(&pol->bydst))
1166 hlist_del_init(&pol->bydst);
1167 hlist_del(&pol->byidx);
1168 list_del(&pol->walk.all);
1169 net->xfrm.policy_count[dir]--;
1174 int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
1176 struct net *net = xp_net(pol);
1178 write_lock_bh(&net->xfrm.xfrm_policy_lock);
1179 pol = __xfrm_policy_unlink(pol, dir);
1180 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
1182 xfrm_policy_kill(pol);
1187 EXPORT_SYMBOL(xfrm_policy_delete);
1189 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
1191 struct net *net = xp_net(pol);
1192 struct xfrm_policy *old_pol;
1194 #ifdef CONFIG_XFRM_SUB_POLICY
1195 if (pol && pol->type != XFRM_POLICY_TYPE_MAIN)
1199 write_lock_bh(&net->xfrm.xfrm_policy_lock);
1200 old_pol = sk->sk_policy[dir];
1201 sk->sk_policy[dir] = pol;
1203 pol->curlft.add_time = get_seconds();
1204 pol->index = xfrm_gen_index(net, XFRM_POLICY_MAX+dir, 0);
1205 __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir);
1209 xfrm_policy_requeue(old_pol, pol);
1211 /* Unlinking succeeds always. This is the only function
1212 * allowed to delete or replace socket policy.
1214 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
1216 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
1219 xfrm_policy_kill(old_pol);
1224 static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
1226 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC);
1227 struct net *net = xp_net(old);
1230 newp->selector = old->selector;
1231 if (security_xfrm_policy_clone(old->security,
1234 return NULL; /* ENOMEM */
1236 newp->lft = old->lft;
1237 newp->curlft = old->curlft;
1238 newp->mark = old->mark;
1239 newp->action = old->action;
1240 newp->flags = old->flags;
1241 newp->xfrm_nr = old->xfrm_nr;
1242 newp->index = old->index;
1243 newp->type = old->type;
1244 memcpy(newp->xfrm_vec, old->xfrm_vec,
1245 newp->xfrm_nr*sizeof(struct xfrm_tmpl));
1246 write_lock_bh(&net->xfrm.xfrm_policy_lock);
1247 __xfrm_policy_link(newp, XFRM_POLICY_MAX+dir);
1248 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
1254 int __xfrm_sk_clone_policy(struct sock *sk)
1256 struct xfrm_policy *p0 = sk->sk_policy[0],
1257 *p1 = sk->sk_policy[1];
1259 sk->sk_policy[0] = sk->sk_policy[1] = NULL;
1260 if (p0 && (sk->sk_policy[0] = clone_policy(p0, 0)) == NULL)
1262 if (p1 && (sk->sk_policy[1] = clone_policy(p1, 1)) == NULL)
1268 xfrm_get_saddr(struct net *net, xfrm_address_t *local, xfrm_address_t *remote,
1269 unsigned short family)
1272 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1274 if (unlikely(afinfo == NULL))
1276 err = afinfo->get_saddr(net, local, remote);
1277 xfrm_policy_put_afinfo(afinfo);
1281 /* Resolve list of templates for the flow, given policy. */
1284 xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
1285 struct xfrm_state **xfrm, unsigned short family)
1287 struct net *net = xp_net(policy);
1290 xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
1291 xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
1294 for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
1295 struct xfrm_state *x;
1296 xfrm_address_t *remote = daddr;
1297 xfrm_address_t *local = saddr;
1298 struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
1300 if (tmpl->mode == XFRM_MODE_TUNNEL ||
1301 tmpl->mode == XFRM_MODE_BEET) {
1302 remote = &tmpl->id.daddr;
1303 local = &tmpl->saddr;
1304 if (xfrm_addr_any(local, tmpl->encap_family)) {
1305 error = xfrm_get_saddr(net, &tmp, remote, tmpl->encap_family);
1312 x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
1314 if (x && x->km.state == XFRM_STATE_VALID) {
1321 error = (x->km.state == XFRM_STATE_ERROR ?
1324 } else if (error == -ESRCH) {
1328 if (!tmpl->optional)
1334 for (nx--; nx >= 0; nx--)
1335 xfrm_state_put(xfrm[nx]);
1340 xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl,
1341 struct xfrm_state **xfrm, unsigned short family)
1343 struct xfrm_state *tp[XFRM_MAX_DEPTH];
1344 struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
1350 for (i = 0; i < npols; i++) {
1351 if (cnx + pols[i]->xfrm_nr >= XFRM_MAX_DEPTH) {
1356 ret = xfrm_tmpl_resolve_one(pols[i], fl, &tpp[cnx], family);
1364 /* found states are sorted for outbound processing */
1366 xfrm_state_sort(xfrm, tpp, cnx, family);
1371 for (cnx--; cnx >= 0; cnx--)
1372 xfrm_state_put(tpp[cnx]);
1377 /* Check that the bundle accepts the flow and its components are
1381 static inline int xfrm_get_tos(const struct flowi *fl, int family)
1383 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1389 tos = afinfo->get_tos(fl);
1391 xfrm_policy_put_afinfo(afinfo);
1396 static struct flow_cache_object *xfrm_bundle_flo_get(struct flow_cache_object *flo)
1398 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1399 struct dst_entry *dst = &xdst->u.dst;
1401 if (xdst->route == NULL) {
1402 /* Dummy bundle - if it has xfrms we were not
1403 * able to build bundle as template resolution failed.
1404 * It means we need to try again resolving. */
1405 if (xdst->num_xfrms > 0)
1407 } else if (dst->flags & DST_XFRM_QUEUE) {
1411 if (stale_bundle(dst))
1419 static int xfrm_bundle_flo_check(struct flow_cache_object *flo)
1421 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1422 struct dst_entry *dst = &xdst->u.dst;
1426 if (stale_bundle(dst))
1432 static void xfrm_bundle_flo_delete(struct flow_cache_object *flo)
1434 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1435 struct dst_entry *dst = &xdst->u.dst;
1440 static const struct flow_cache_ops xfrm_bundle_fc_ops = {
1441 .get = xfrm_bundle_flo_get,
1442 .check = xfrm_bundle_flo_check,
1443 .delete = xfrm_bundle_flo_delete,
1446 static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
1448 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1449 struct dst_ops *dst_ops;
1450 struct xfrm_dst *xdst;
1453 return ERR_PTR(-EINVAL);
1457 dst_ops = &net->xfrm.xfrm4_dst_ops;
1459 #if IS_ENABLED(CONFIG_IPV6)
1461 dst_ops = &net->xfrm.xfrm6_dst_ops;
1467 xdst = dst_alloc(dst_ops, NULL, 0, DST_OBSOLETE_NONE, 0);
1470 struct dst_entry *dst = &xdst->u.dst;
1472 memset(dst + 1, 0, sizeof(*xdst) - sizeof(*dst));
1473 xdst->flo.ops = &xfrm_bundle_fc_ops;
1474 if (afinfo->init_dst)
1475 afinfo->init_dst(net, xdst);
1477 xdst = ERR_PTR(-ENOBUFS);
1479 xfrm_policy_put_afinfo(afinfo);
1484 static inline int xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst,
1487 struct xfrm_policy_afinfo *afinfo =
1488 xfrm_policy_get_afinfo(dst->ops->family);
1494 err = afinfo->init_path(path, dst, nfheader_len);
1496 xfrm_policy_put_afinfo(afinfo);
1501 static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
1502 const struct flowi *fl)
1504 struct xfrm_policy_afinfo *afinfo =
1505 xfrm_policy_get_afinfo(xdst->u.dst.ops->family);
1511 err = afinfo->fill_dst(xdst, dev, fl);
1513 xfrm_policy_put_afinfo(afinfo);
1519 /* Allocate chain of dst_entry's, attach known xfrm's, calculate
1520 * all the metrics... Shortly, bundle a bundle.
1523 static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
1524 struct xfrm_state **xfrm, int nx,
1525 const struct flowi *fl,
1526 struct dst_entry *dst)
1528 struct net *net = xp_net(policy);
1529 unsigned long now = jiffies;
1530 struct net_device *dev;
1531 struct xfrm_mode *inner_mode;
1532 struct dst_entry *dst_prev = NULL;
1533 struct dst_entry *dst0 = NULL;
1537 int nfheader_len = 0;
1538 int trailer_len = 0;
1540 int family = policy->selector.family;
1541 xfrm_address_t saddr, daddr;
1543 xfrm_flowi_addr_get(fl, &saddr, &daddr, family);
1545 tos = xfrm_get_tos(fl, family);
1552 for (; i < nx; i++) {
1553 struct xfrm_dst *xdst = xfrm_alloc_dst(net, family);
1554 struct dst_entry *dst1 = &xdst->u.dst;
1556 err = PTR_ERR(xdst);
1562 if (xfrm[i]->sel.family == AF_UNSPEC) {
1563 inner_mode = xfrm_ip2inner_mode(xfrm[i],
1564 xfrm_af2proto(family));
1566 err = -EAFNOSUPPORT;
1571 inner_mode = xfrm[i]->inner_mode;
1576 dst_prev->child = dst_clone(dst1);
1577 dst1->flags |= DST_NOHASH;
1581 dst_copy_metrics(dst1, dst);
1583 if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
1584 family = xfrm[i]->props.family;
1585 dst = xfrm_dst_lookup(xfrm[i], tos, &saddr, &daddr,
1593 dst1->xfrm = xfrm[i];
1594 xdst->xfrm_genid = xfrm[i]->genid;
1596 dst1->obsolete = DST_OBSOLETE_FORCE_CHK;
1597 dst1->flags |= DST_HOST;
1598 dst1->lastuse = now;
1600 dst1->input = dst_discard;
1601 dst1->output = inner_mode->afinfo->output;
1603 dst1->next = dst_prev;
1606 header_len += xfrm[i]->props.header_len;
1607 if (xfrm[i]->type->flags & XFRM_TYPE_NON_FRAGMENT)
1608 nfheader_len += xfrm[i]->props.header_len;
1609 trailer_len += xfrm[i]->props.trailer_len;
1612 dst_prev->child = dst;
1620 xfrm_init_path((struct xfrm_dst *)dst0, dst, nfheader_len);
1621 xfrm_init_pmtu(dst_prev);
1623 for (dst_prev = dst0; dst_prev != dst; dst_prev = dst_prev->child) {
1624 struct xfrm_dst *xdst = (struct xfrm_dst *)dst_prev;
1626 err = xfrm_fill_dst(xdst, dev, fl);
1630 dst_prev->header_len = header_len;
1631 dst_prev->trailer_len = trailer_len;
1632 header_len -= xdst->u.dst.xfrm->props.header_len;
1633 trailer_len -= xdst->u.dst.xfrm->props.trailer_len;
1641 xfrm_state_put(xfrm[i]);
1645 dst0 = ERR_PTR(err);
1649 #ifdef CONFIG_XFRM_SUB_POLICY
1650 static int xfrm_dst_alloc_copy(void **target, const void *src, int size)
1653 *target = kmalloc(size, GFP_ATOMIC);
1658 memcpy(*target, src, size);
1663 static int xfrm_dst_update_parent(struct dst_entry *dst,
1664 const struct xfrm_selector *sel)
1666 #ifdef CONFIG_XFRM_SUB_POLICY
1667 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
1668 return xfrm_dst_alloc_copy((void **)&(xdst->partner),
1675 static int xfrm_dst_update_origin(struct dst_entry *dst,
1676 const struct flowi *fl)
1678 #ifdef CONFIG_XFRM_SUB_POLICY
1679 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
1680 return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl));
1686 static int xfrm_expand_policies(const struct flowi *fl, u16 family,
1687 struct xfrm_policy **pols,
1688 int *num_pols, int *num_xfrms)
1692 if (*num_pols == 0 || !pols[0]) {
1697 if (IS_ERR(pols[0]))
1698 return PTR_ERR(pols[0]);
1700 *num_xfrms = pols[0]->xfrm_nr;
1702 #ifdef CONFIG_XFRM_SUB_POLICY
1703 if (pols[0] && pols[0]->action == XFRM_POLICY_ALLOW &&
1704 pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
1705 pols[1] = xfrm_policy_lookup_bytype(xp_net(pols[0]),
1706 XFRM_POLICY_TYPE_MAIN,
1710 if (IS_ERR(pols[1])) {
1711 xfrm_pols_put(pols, *num_pols);
1712 return PTR_ERR(pols[1]);
1715 (*num_xfrms) += pols[1]->xfrm_nr;
1719 for (i = 0; i < *num_pols; i++) {
1720 if (pols[i]->action != XFRM_POLICY_ALLOW) {
1730 static struct xfrm_dst *
1731 xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
1732 const struct flowi *fl, u16 family,
1733 struct dst_entry *dst_orig)
1735 struct net *net = xp_net(pols[0]);
1736 struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
1737 struct dst_entry *dst;
1738 struct xfrm_dst *xdst;
1741 /* Try to instantiate a bundle */
1742 err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);
1744 if (err != 0 && err != -EAGAIN)
1745 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
1746 return ERR_PTR(err);
1749 dst = xfrm_bundle_create(pols[0], xfrm, err, fl, dst_orig);
1751 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLEGENERROR);
1752 return ERR_CAST(dst);
1755 xdst = (struct xfrm_dst *)dst;
1756 xdst->num_xfrms = err;
1758 err = xfrm_dst_update_parent(dst, &pols[1]->selector);
1760 err = xfrm_dst_update_origin(dst, fl);
1761 if (unlikely(err)) {
1763 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1764 return ERR_PTR(err);
1767 xdst->num_pols = num_pols;
1768 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols);
1769 xdst->policy_genid = atomic_read(&pols[0]->genid);
1774 static void xfrm_policy_queue_process(unsigned long arg)
1777 struct sk_buff *skb;
1779 struct dst_entry *dst;
1780 struct xfrm_policy *pol = (struct xfrm_policy *)arg;
1781 struct xfrm_policy_queue *pq = &pol->polq;
1783 struct sk_buff_head list;
1785 spin_lock(&pq->hold_queue.lock);
1786 skb = skb_peek(&pq->hold_queue);
1788 spin_unlock(&pq->hold_queue.lock);
1793 xfrm_decode_session(skb, &fl, dst->ops->family);
1794 spin_unlock(&pq->hold_queue.lock);
1796 dst_hold(dst->path);
1797 dst = xfrm_lookup(xp_net(pol), dst->path, &fl,
1802 if (dst->flags & DST_XFRM_QUEUE) {
1805 if (pq->timeout >= XFRM_QUEUE_TMO_MAX)
1808 pq->timeout = pq->timeout << 1;
1809 if (!mod_timer(&pq->hold_timer, jiffies + pq->timeout))
1816 __skb_queue_head_init(&list);
1818 spin_lock(&pq->hold_queue.lock);
1820 skb_queue_splice_init(&pq->hold_queue, &list);
1821 spin_unlock(&pq->hold_queue.lock);
1823 while (!skb_queue_empty(&list)) {
1824 skb = __skb_dequeue(&list);
1826 xfrm_decode_session(skb, &fl, skb_dst(skb)->ops->family);
1827 dst_hold(skb_dst(skb)->path);
1828 dst = xfrm_lookup(xp_net(pol), skb_dst(skb)->path,
1837 skb_dst_set(skb, dst);
1839 err = dst_output(skb);
1848 xfrm_queue_purge(&pq->hold_queue);
1852 static int xdst_queue_output(struct sk_buff *skb)
1854 unsigned long sched_next;
1855 struct dst_entry *dst = skb_dst(skb);
1856 struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
1857 struct xfrm_policy *pol = xdst->pols[0];
1858 struct xfrm_policy_queue *pq = &pol->polq;
1859 const struct sk_buff *fclone = skb + 1;
1861 if (unlikely(skb->fclone == SKB_FCLONE_ORIG &&
1862 fclone->fclone == SKB_FCLONE_CLONE)) {
1867 if (pq->hold_queue.qlen > XFRM_MAX_QUEUE_LEN) {
1874 spin_lock_bh(&pq->hold_queue.lock);
1877 pq->timeout = XFRM_QUEUE_TMO_MIN;
1879 sched_next = jiffies + pq->timeout;
1881 if (del_timer(&pq->hold_timer)) {
1882 if (time_before(pq->hold_timer.expires, sched_next))
1883 sched_next = pq->hold_timer.expires;
1887 __skb_queue_tail(&pq->hold_queue, skb);
1888 if (!mod_timer(&pq->hold_timer, sched_next))
1891 spin_unlock_bh(&pq->hold_queue.lock);
1896 static struct xfrm_dst *xfrm_create_dummy_bundle(struct net *net,
1897 struct xfrm_flo *xflo,
1898 const struct flowi *fl,
1903 struct net_device *dev;
1904 struct dst_entry *dst;
1905 struct dst_entry *dst1;
1906 struct xfrm_dst *xdst;
1908 xdst = xfrm_alloc_dst(net, family);
1912 if (!(xflo->flags & XFRM_LOOKUP_QUEUE) ||
1913 net->xfrm.sysctl_larval_drop ||
1917 dst = xflo->dst_orig;
1918 dst1 = &xdst->u.dst;
1922 dst_copy_metrics(dst1, dst);
1924 dst1->obsolete = DST_OBSOLETE_FORCE_CHK;
1925 dst1->flags |= DST_HOST | DST_XFRM_QUEUE;
1926 dst1->lastuse = jiffies;
1928 dst1->input = dst_discard;
1929 dst1->output = xdst_queue_output;
1935 xfrm_init_path((struct xfrm_dst *)dst1, dst, 0);
1942 err = xfrm_fill_dst(xdst, dev, fl);
1951 xdst = ERR_PTR(err);
1955 static struct flow_cache_object *
1956 xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir,
1957 struct flow_cache_object *oldflo, void *ctx)
1959 struct xfrm_flo *xflo = (struct xfrm_flo *)ctx;
1960 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1961 struct xfrm_dst *xdst, *new_xdst;
1962 int num_pols = 0, num_xfrms = 0, i, err, pol_dead;
1964 /* Check if the policies from old bundle are usable */
1967 xdst = container_of(oldflo, struct xfrm_dst, flo);
1968 num_pols = xdst->num_pols;
1969 num_xfrms = xdst->num_xfrms;
1971 for (i = 0; i < num_pols; i++) {
1972 pols[i] = xdst->pols[i];
1973 pol_dead |= pols[i]->walk.dead;
1976 dst_free(&xdst->u.dst);
1984 /* Resolve policies to use if we couldn't get them from
1985 * previous cache entry */
1988 pols[0] = __xfrm_policy_lookup(net, fl, family,
1989 flow_to_policy_dir(dir));
1990 err = xfrm_expand_policies(fl, family, pols,
1991 &num_pols, &num_xfrms);
1997 goto make_dummy_bundle;
2000 new_xdst = xfrm_resolve_and_create_bundle(pols, num_pols, fl, family,
2002 if (IS_ERR(new_xdst)) {
2003 err = PTR_ERR(new_xdst);
2007 goto make_dummy_bundle;
2008 dst_hold(&xdst->u.dst);
2010 } else if (new_xdst == NULL) {
2013 goto make_dummy_bundle;
2014 xdst->num_xfrms = 0;
2015 dst_hold(&xdst->u.dst);
2019 /* Kill the previous bundle */
2021 /* The policies were stolen for newly generated bundle */
2023 dst_free(&xdst->u.dst);
2026 /* Flow cache does not have reference, it dst_free()'s,
2027 * but we do need to return one reference for original caller */
2028 dst_hold(&new_xdst->u.dst);
2029 return &new_xdst->flo;
2032 /* We found policies, but there's no bundles to instantiate:
2033 * either because the policy blocks, has no transformations or
2034 * we could not build template (no xfrm_states).*/
2035 xdst = xfrm_create_dummy_bundle(net, xflo, fl, num_xfrms, family);
2037 xfrm_pols_put(pols, num_pols);
2038 return ERR_CAST(xdst);
2040 xdst->num_pols = num_pols;
2041 xdst->num_xfrms = num_xfrms;
2042 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols);
2044 dst_hold(&xdst->u.dst);
2048 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
2051 dst_free(&xdst->u.dst);
2053 xfrm_pols_put(pols, num_pols);
2054 return ERR_PTR(err);
2057 static struct dst_entry *make_blackhole(struct net *net, u16 family,
2058 struct dst_entry *dst_orig)
2060 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
2061 struct dst_entry *ret;
2064 dst_release(dst_orig);
2065 return ERR_PTR(-EINVAL);
2067 ret = afinfo->blackhole_route(net, dst_orig);
2069 xfrm_policy_put_afinfo(afinfo);
2074 /* Main function: finds/creates a bundle for given flow.
2076 * At the moment we eat a raw IP route. Mostly to speed up lookups
2077 * on interfaces with disabled IPsec.
2079 struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
2080 const struct flowi *fl,
2081 struct sock *sk, int flags)
2083 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
2084 struct flow_cache_object *flo;
2085 struct xfrm_dst *xdst;
2086 struct dst_entry *dst, *route;
2087 u16 family = dst_orig->ops->family;
2088 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
2089 int i, err, num_pols, num_xfrms = 0, drop_pols = 0;
2095 if (sk && sk->sk_policy[XFRM_POLICY_OUT]) {
2097 pols[0] = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
2098 err = xfrm_expand_policies(fl, family, pols,
2099 &num_pols, &num_xfrms);
2104 if (num_xfrms <= 0) {
2105 drop_pols = num_pols;
2109 xdst = xfrm_resolve_and_create_bundle(
2113 xfrm_pols_put(pols, num_pols);
2114 err = PTR_ERR(xdst);
2116 } else if (xdst == NULL) {
2118 drop_pols = num_pols;
2122 dst_hold(&xdst->u.dst);
2124 spin_lock_bh(&net->xfrm.xfrm_policy_sk_bundle_lock);
2125 xdst->u.dst.next = xfrm_policy_sk_bundles;
2126 xfrm_policy_sk_bundles = &xdst->u.dst;
2127 spin_unlock_bh(&net->xfrm.xfrm_policy_sk_bundle_lock);
2129 route = xdst->route;
2134 struct xfrm_flo xflo;
2136 xflo.dst_orig = dst_orig;
2139 /* To accelerate a bit... */
2140 if ((dst_orig->flags & DST_NOXFRM) ||
2141 !net->xfrm.policy_count[XFRM_POLICY_OUT])
2144 flo = flow_cache_lookup(net, fl, family, dir,
2145 xfrm_bundle_lookup, &xflo);
2152 xdst = container_of(flo, struct xfrm_dst, flo);
2154 num_pols = xdst->num_pols;
2155 num_xfrms = xdst->num_xfrms;
2156 memcpy(pols, xdst->pols, sizeof(struct xfrm_policy *) * num_pols);
2157 route = xdst->route;
2161 if (route == NULL && num_xfrms > 0) {
2162 /* The only case when xfrm_bundle_lookup() returns a
2163 * bundle with null route, is when the template could
2164 * not be resolved. It means policies are there, but
2165 * bundle could not be created, since we don't yet
2166 * have the xfrm_state's. We need to wait for KM to
2167 * negotiate new SA's or bail out with error.*/
2168 if (net->xfrm.sysctl_larval_drop) {
2170 xfrm_pols_put(pols, drop_pols);
2171 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
2173 return ERR_PTR(-EREMOTE);
2178 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
2186 if ((flags & XFRM_LOOKUP_ICMP) &&
2187 !(pols[0]->flags & XFRM_POLICY_ICMP)) {
2192 for (i = 0; i < num_pols; i++)
2193 pols[i]->curlft.use_time = get_seconds();
2195 if (num_xfrms < 0) {
2196 /* Prohibit the flow */
2197 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLBLOCK);
2200 } else if (num_xfrms > 0) {
2201 /* Flow transformed */
2202 dst_release(dst_orig);
2204 /* Flow passes untransformed */
2209 xfrm_pols_put(pols, drop_pols);
2210 if (dst && dst->xfrm &&
2211 dst->xfrm->props.mode == XFRM_MODE_TUNNEL)
2212 dst->flags |= DST_XFRM_TUNNEL;
2216 if (!(flags & XFRM_LOOKUP_ICMP)) {
2224 dst_release(dst_orig);
2225 xfrm_pols_put(pols, drop_pols);
2226 return ERR_PTR(err);
2228 EXPORT_SYMBOL(xfrm_lookup);
2230 /* Callers of xfrm_lookup_route() must ensure a call to dst_output().
2231 * Otherwise we may send out blackholed packets.
2233 struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig,
2234 const struct flowi *fl,
2235 struct sock *sk, int flags)
2237 struct dst_entry *dst = xfrm_lookup(net, dst_orig, fl, sk,
2238 flags | XFRM_LOOKUP_QUEUE);
2240 if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
2241 return make_blackhole(net, dst_orig->ops->family, dst_orig);
2245 EXPORT_SYMBOL(xfrm_lookup_route);
2248 xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
2250 struct xfrm_state *x;
2252 if (!skb->sp || idx < 0 || idx >= skb->sp->len)
2254 x = skb->sp->xvec[idx];
2255 if (!x->type->reject)
2257 return x->type->reject(x, skb, fl);
2260 /* When skb is transformed back to its "native" form, we have to
2261 * check policy restrictions. At the moment we make this in maximally
2262 * stupid way. Shame on me. :-) Of course, connected sockets must
2263 * have policy cached at them.
2267 xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
2268 unsigned short family)
2270 if (xfrm_state_kern(x))
2271 return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family);
2272 return x->id.proto == tmpl->id.proto &&
2273 (x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
2274 (x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
2275 x->props.mode == tmpl->mode &&
2276 (tmpl->allalgs || (tmpl->aalgos & (1<<x->props.aalgo)) ||
2277 !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
2278 !(x->props.mode != XFRM_MODE_TRANSPORT &&
2279 xfrm_state_addr_cmp(tmpl, x, family));
2283 * 0 or more than 0 is returned when validation is succeeded (either bypass
2284 * because of optional transport mode, or next index of the mathced secpath
2285 * state with the template.
2286 * -1 is returned when no matching template is found.
2287 * Otherwise "-2 - errored_index" is returned.
2290 xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start,
2291 unsigned short family)
2295 if (tmpl->optional) {
2296 if (tmpl->mode == XFRM_MODE_TRANSPORT)
2300 for (; idx < sp->len; idx++) {
2301 if (xfrm_state_ok(tmpl, sp->xvec[idx], family))
2303 if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
2312 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
2313 unsigned int family, int reverse)
2315 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
2318 if (unlikely(afinfo == NULL))
2319 return -EAFNOSUPPORT;
2321 afinfo->decode_session(skb, fl, reverse);
2322 err = security_xfrm_decode_session(skb, &fl->flowi_secid);
2323 xfrm_policy_put_afinfo(afinfo);
2326 EXPORT_SYMBOL(__xfrm_decode_session);
2328 static inline int secpath_has_nontransport(const struct sec_path *sp, int k, int *idxp)
2330 for (; k < sp->len; k++) {
2331 if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
2340 int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
2341 unsigned short family)
2343 struct net *net = dev_net(skb->dev);
2344 struct xfrm_policy *pol;
2345 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
2354 reverse = dir & ~XFRM_POLICY_MASK;
2355 dir &= XFRM_POLICY_MASK;
2356 fl_dir = policy_to_flow_dir(dir);
2358 if (__xfrm_decode_session(skb, &fl, family, reverse) < 0) {
2359 XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
2363 nf_nat_decode_session(skb, &fl, family);
2365 /* First, check used SA against their selectors. */
2369 for (i = skb->sp->len-1; i >= 0; i--) {
2370 struct xfrm_state *x = skb->sp->xvec[i];
2371 if (!xfrm_selector_match(&x->sel, &fl, family)) {
2372 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH);
2379 if (sk && sk->sk_policy[dir]) {
2380 pol = xfrm_sk_policy_lookup(sk, dir, &fl);
2382 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
2388 struct flow_cache_object *flo;
2390 flo = flow_cache_lookup(net, &fl, family, fl_dir,
2391 xfrm_policy_lookup, NULL);
2392 if (IS_ERR_OR_NULL(flo))
2393 pol = ERR_CAST(flo);
2395 pol = container_of(flo, struct xfrm_policy, flo);
2399 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
2404 if (skb->sp && secpath_has_nontransport(skb->sp, 0, &xerr_idx)) {
2405 xfrm_secpath_reject(xerr_idx, skb, &fl);
2406 XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
2412 pol->curlft.use_time = get_seconds();
2416 #ifdef CONFIG_XFRM_SUB_POLICY
2417 if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
2418 pols[1] = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN,
2422 if (IS_ERR(pols[1])) {
2423 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
2426 pols[1]->curlft.use_time = get_seconds();
2432 if (pol->action == XFRM_POLICY_ALLOW) {
2433 struct sec_path *sp;
2434 static struct sec_path dummy;
2435 struct xfrm_tmpl *tp[XFRM_MAX_DEPTH];
2436 struct xfrm_tmpl *stp[XFRM_MAX_DEPTH];
2437 struct xfrm_tmpl **tpp = tp;
2441 if ((sp = skb->sp) == NULL)
2444 for (pi = 0; pi < npols; pi++) {
2445 if (pols[pi] != pol &&
2446 pols[pi]->action != XFRM_POLICY_ALLOW) {
2447 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
2450 if (ti + pols[pi]->xfrm_nr >= XFRM_MAX_DEPTH) {
2451 XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
2454 for (i = 0; i < pols[pi]->xfrm_nr; i++)
2455 tpp[ti++] = &pols[pi]->xfrm_vec[i];
2459 xfrm_tmpl_sort(stp, tpp, xfrm_nr, family, net);
2463 /* For each tunnel xfrm, find the first matching tmpl.
2464 * For each tmpl before that, find corresponding xfrm.
2465 * Order is _important_. Later we will implement
2466 * some barriers, but at the moment barriers
2467 * are implied between each two transformations.
2469 for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
2470 k = xfrm_policy_ok(tpp[i], sp, k, family);
2473 /* "-2 - errored_index" returned */
2475 XFRM_INC_STATS(net, LINUX_MIB_XFRMINTMPLMISMATCH);
2480 if (secpath_has_nontransport(sp, k, &xerr_idx)) {
2481 XFRM_INC_STATS(net, LINUX_MIB_XFRMINTMPLMISMATCH);
2485 xfrm_pols_put(pols, npols);
2488 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
2491 xfrm_secpath_reject(xerr_idx, skb, &fl);
2493 xfrm_pols_put(pols, npols);
2496 EXPORT_SYMBOL(__xfrm_policy_check);
2498 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
2500 struct net *net = dev_net(skb->dev);
2502 struct dst_entry *dst;
2505 if (xfrm_decode_session(skb, &fl, family) < 0) {
2506 XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
2512 dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE);
2517 skb_dst_set(skb, dst);
2520 EXPORT_SYMBOL(__xfrm_route_forward);
2522 /* Optimize later using cookies and generation ids. */
2524 static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
2526 /* Code (such as __xfrm4_bundle_create()) sets dst->obsolete
2527 * to DST_OBSOLETE_FORCE_CHK to force all XFRM destinations to
2528 * get validated by dst_ops->check on every use. We do this
2529 * because when a normal route referenced by an XFRM dst is
2530 * obsoleted we do not go looking around for all parent
2531 * referencing XFRM dsts so that we can invalidate them. It
2532 * is just too much work. Instead we make the checks here on
2533 * every use. For example:
2535 * XFRM dst A --> IPv4 dst X
2537 * X is the "xdst->route" of A (X is also the "dst->path" of A
2538 * in this example). If X is marked obsolete, "A" will not
2539 * notice. That's what we are validating here via the
2540 * stale_bundle() check.
2542 * When a policy's bundle is pruned, we dst_free() the XFRM
2543 * dst which causes it's ->obsolete field to be set to
2544 * DST_OBSOLETE_DEAD. If an XFRM dst has been pruned like
2545 * this, we want to force a new route lookup.
2547 if (dst->obsolete < 0 && !stale_bundle(dst))
2553 static int stale_bundle(struct dst_entry *dst)
2555 return !xfrm_bundle_ok((struct xfrm_dst *)dst);
2558 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
2560 while ((dst = dst->child) && dst->xfrm && dst->dev == dev) {
2561 dst->dev = dev_net(dev)->loopback_dev;
2566 EXPORT_SYMBOL(xfrm_dst_ifdown);
2568 static void xfrm_link_failure(struct sk_buff *skb)
2570 /* Impossible. Such dst must be popped before reaches point of failure. */
2573 static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
2576 if (dst->obsolete) {
2584 static void __xfrm_garbage_collect(struct net *net)
2586 struct dst_entry *head, *next;
2588 spin_lock_bh(&net->xfrm.xfrm_policy_sk_bundle_lock);
2589 head = xfrm_policy_sk_bundles;
2590 xfrm_policy_sk_bundles = NULL;
2591 spin_unlock_bh(&net->xfrm.xfrm_policy_sk_bundle_lock);
2600 void xfrm_garbage_collect(struct net *net)
2603 __xfrm_garbage_collect(net);
2605 EXPORT_SYMBOL(xfrm_garbage_collect);
2607 static void xfrm_garbage_collect_deferred(struct net *net)
2609 flow_cache_flush_deferred();
2610 __xfrm_garbage_collect(net);
2613 static void xfrm_init_pmtu(struct dst_entry *dst)
2616 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
2617 u32 pmtu, route_mtu_cached;
2619 pmtu = dst_mtu(dst->child);
2620 xdst->child_mtu_cached = pmtu;
2622 pmtu = xfrm_state_mtu(dst->xfrm, pmtu);
2624 route_mtu_cached = dst_mtu(xdst->route);
2625 xdst->route_mtu_cached = route_mtu_cached;
2627 if (pmtu > route_mtu_cached)
2628 pmtu = route_mtu_cached;
2630 dst_metric_set(dst, RTAX_MTU, pmtu);
2631 } while ((dst = dst->next));
2634 /* Check that the bundle accepts the flow and its components are
2638 static int xfrm_bundle_ok(struct xfrm_dst *first)
2640 struct dst_entry *dst = &first->u.dst;
2641 struct xfrm_dst *last;
2644 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
2645 (dst->dev && !netif_running(dst->dev)))
2648 if (dst->flags & DST_XFRM_QUEUE)
2654 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
2656 if (dst->xfrm->km.state != XFRM_STATE_VALID)
2658 if (xdst->xfrm_genid != dst->xfrm->genid)
2660 if (xdst->num_pols > 0 &&
2661 xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
2664 mtu = dst_mtu(dst->child);
2665 if (xdst->child_mtu_cached != mtu) {
2667 xdst->child_mtu_cached = mtu;
2670 if (!dst_check(xdst->route, xdst->route_cookie))
2672 mtu = dst_mtu(xdst->route);
2673 if (xdst->route_mtu_cached != mtu) {
2675 xdst->route_mtu_cached = mtu;
2679 } while (dst->xfrm);
2684 mtu = last->child_mtu_cached;
2688 mtu = xfrm_state_mtu(dst->xfrm, mtu);
2689 if (mtu > last->route_mtu_cached)
2690 mtu = last->route_mtu_cached;
2691 dst_metric_set(dst, RTAX_MTU, mtu);
2696 last = (struct xfrm_dst *)last->u.dst.next;
2697 last->child_mtu_cached = mtu;
2703 static unsigned int xfrm_default_advmss(const struct dst_entry *dst)
2705 return dst_metric_advmss(dst->path);
2708 static unsigned int xfrm_mtu(const struct dst_entry *dst)
2710 unsigned int mtu = dst_metric_raw(dst, RTAX_MTU);
2712 return mtu ? : dst_mtu(dst->path);
2715 static struct neighbour *xfrm_neigh_lookup(const struct dst_entry *dst,
2716 struct sk_buff *skb,
2719 return dst->path->ops->neigh_lookup(dst, skb, daddr);
2722 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
2726 if (unlikely(afinfo == NULL))
2728 if (unlikely(afinfo->family >= NPROTO))
2729 return -EAFNOSUPPORT;
2730 spin_lock(&xfrm_policy_afinfo_lock);
2731 if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL))
2734 struct dst_ops *dst_ops = afinfo->dst_ops;
2735 if (likely(dst_ops->kmem_cachep == NULL))
2736 dst_ops->kmem_cachep = xfrm_dst_cache;
2737 if (likely(dst_ops->check == NULL))
2738 dst_ops->check = xfrm_dst_check;
2739 if (likely(dst_ops->default_advmss == NULL))
2740 dst_ops->default_advmss = xfrm_default_advmss;
2741 if (likely(dst_ops->mtu == NULL))
2742 dst_ops->mtu = xfrm_mtu;
2743 if (likely(dst_ops->negative_advice == NULL))
2744 dst_ops->negative_advice = xfrm_negative_advice;
2745 if (likely(dst_ops->link_failure == NULL))
2746 dst_ops->link_failure = xfrm_link_failure;
2747 if (likely(dst_ops->neigh_lookup == NULL))
2748 dst_ops->neigh_lookup = xfrm_neigh_lookup;
2749 if (likely(afinfo->garbage_collect == NULL))
2750 afinfo->garbage_collect = xfrm_garbage_collect_deferred;
2751 rcu_assign_pointer(xfrm_policy_afinfo[afinfo->family], afinfo);
2753 spin_unlock(&xfrm_policy_afinfo_lock);
2757 struct dst_ops *xfrm_dst_ops;
2759 switch (afinfo->family) {
2761 xfrm_dst_ops = &net->xfrm.xfrm4_dst_ops;
2763 #if IS_ENABLED(CONFIG_IPV6)
2765 xfrm_dst_ops = &net->xfrm.xfrm6_dst_ops;
2771 *xfrm_dst_ops = *afinfo->dst_ops;
2777 EXPORT_SYMBOL(xfrm_policy_register_afinfo);
2779 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
2782 if (unlikely(afinfo == NULL))
2784 if (unlikely(afinfo->family >= NPROTO))
2785 return -EAFNOSUPPORT;
2786 spin_lock(&xfrm_policy_afinfo_lock);
2787 if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) {
2788 if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo))
2791 RCU_INIT_POINTER(xfrm_policy_afinfo[afinfo->family],
2794 spin_unlock(&xfrm_policy_afinfo_lock);
2796 struct dst_ops *dst_ops = afinfo->dst_ops;
2800 dst_ops->kmem_cachep = NULL;
2801 dst_ops->check = NULL;
2802 dst_ops->negative_advice = NULL;
2803 dst_ops->link_failure = NULL;
2804 afinfo->garbage_collect = NULL;
2808 EXPORT_SYMBOL(xfrm_policy_unregister_afinfo);
2810 static void __net_init xfrm_dst_ops_init(struct net *net)
2812 struct xfrm_policy_afinfo *afinfo;
2815 afinfo = rcu_dereference(xfrm_policy_afinfo[AF_INET]);
2817 net->xfrm.xfrm4_dst_ops = *afinfo->dst_ops;
2818 #if IS_ENABLED(CONFIG_IPV6)
2819 afinfo = rcu_dereference(xfrm_policy_afinfo[AF_INET6]);
2821 net->xfrm.xfrm6_dst_ops = *afinfo->dst_ops;
2826 static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr)
2828 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
2832 xfrm_garbage_collect(dev_net(dev));
2837 static struct notifier_block xfrm_dev_notifier = {
2838 .notifier_call = xfrm_dev_event,
2841 #ifdef CONFIG_XFRM_STATISTICS
2842 static int __net_init xfrm_statistics_init(struct net *net)
2846 if (snmp_mib_init((void __percpu **)net->mib.xfrm_statistics,
2847 sizeof(struct linux_xfrm_mib),
2848 __alignof__(struct linux_xfrm_mib)) < 0)
2850 rv = xfrm_proc_init(net);
2852 snmp_mib_free((void __percpu **)net->mib.xfrm_statistics);
2856 static void xfrm_statistics_fini(struct net *net)
2858 xfrm_proc_fini(net);
2859 snmp_mib_free((void __percpu **)net->mib.xfrm_statistics);
2862 static int __net_init xfrm_statistics_init(struct net *net)
2867 static void xfrm_statistics_fini(struct net *net)
2872 static int __net_init xfrm_policy_init(struct net *net)
2874 unsigned int hmask, sz;
2877 if (net_eq(net, &init_net))
2878 xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache",
2879 sizeof(struct xfrm_dst),
2880 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC,
2884 sz = (hmask+1) * sizeof(struct hlist_head);
2886 net->xfrm.policy_byidx = xfrm_hash_alloc(sz);
2887 if (!net->xfrm.policy_byidx)
2889 net->xfrm.policy_idx_hmask = hmask;
2891 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
2892 struct xfrm_policy_hash *htab;
2894 net->xfrm.policy_count[dir] = 0;
2895 INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]);
2897 htab = &net->xfrm.policy_bydst[dir];
2898 htab->table = xfrm_hash_alloc(sz);
2901 htab->hmask = hmask;
2904 INIT_LIST_HEAD(&net->xfrm.policy_all);
2905 INIT_WORK(&net->xfrm.policy_hash_work, xfrm_hash_resize);
2906 if (net_eq(net, &init_net))
2907 register_netdevice_notifier(&xfrm_dev_notifier);
2911 for (dir--; dir >= 0; dir--) {
2912 struct xfrm_policy_hash *htab;
2914 htab = &net->xfrm.policy_bydst[dir];
2915 xfrm_hash_free(htab->table, sz);
2917 xfrm_hash_free(net->xfrm.policy_byidx, sz);
2922 static void xfrm_policy_fini(struct net *net)
2924 struct xfrm_audit audit_info;
2928 flush_work(&net->xfrm.policy_hash_work);
2929 #ifdef CONFIG_XFRM_SUB_POLICY
2930 audit_info.loginuid = INVALID_UID;
2931 audit_info.sessionid = (unsigned int)-1;
2932 audit_info.secid = 0;
2933 xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info);
2935 audit_info.loginuid = INVALID_UID;
2936 audit_info.sessionid = (unsigned int)-1;
2937 audit_info.secid = 0;
2938 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
2940 WARN_ON(!list_empty(&net->xfrm.policy_all));
2942 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
2943 struct xfrm_policy_hash *htab;
2945 WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir]));
2947 htab = &net->xfrm.policy_bydst[dir];
2948 sz = (htab->hmask + 1) * sizeof(struct hlist_head);
2949 WARN_ON(!hlist_empty(htab->table));
2950 xfrm_hash_free(htab->table, sz);
2953 sz = (net->xfrm.policy_idx_hmask + 1) * sizeof(struct hlist_head);
2954 WARN_ON(!hlist_empty(net->xfrm.policy_byidx));
2955 xfrm_hash_free(net->xfrm.policy_byidx, sz);
2958 static int __net_init xfrm_net_init(struct net *net)
2962 rv = xfrm_statistics_init(net);
2964 goto out_statistics;
2965 rv = xfrm_state_init(net);
2968 rv = xfrm_policy_init(net);
2971 xfrm_dst_ops_init(net);
2972 rv = xfrm_sysctl_init(net);
2976 /* Initialize the per-net locks here */
2977 spin_lock_init(&net->xfrm.xfrm_state_lock);
2978 rwlock_init(&net->xfrm.xfrm_policy_lock);
2979 spin_lock_init(&net->xfrm.xfrm_policy_sk_bundle_lock);
2980 mutex_init(&net->xfrm.xfrm_cfg_mutex);
2985 xfrm_policy_fini(net);
2987 xfrm_state_fini(net);
2989 xfrm_statistics_fini(net);
2994 static void __net_exit xfrm_net_exit(struct net *net)
2996 xfrm_sysctl_fini(net);
2997 xfrm_policy_fini(net);
2998 xfrm_state_fini(net);
2999 xfrm_statistics_fini(net);
3002 static struct pernet_operations __net_initdata xfrm_net_ops = {
3003 .init = xfrm_net_init,
3004 .exit = xfrm_net_exit,
3007 void __init xfrm_init(void)
3009 register_pernet_subsys(&xfrm_net_ops);
3013 #ifdef CONFIG_AUDITSYSCALL
3014 static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
3015 struct audit_buffer *audit_buf)
3017 struct xfrm_sec_ctx *ctx = xp->security;
3018 struct xfrm_selector *sel = &xp->selector;
3021 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
3022 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
3024 switch (sel->family) {
3026 audit_log_format(audit_buf, " src=%pI4", &sel->saddr.a4);
3027 if (sel->prefixlen_s != 32)
3028 audit_log_format(audit_buf, " src_prefixlen=%d",
3030 audit_log_format(audit_buf, " dst=%pI4", &sel->daddr.a4);
3031 if (sel->prefixlen_d != 32)
3032 audit_log_format(audit_buf, " dst_prefixlen=%d",
3036 audit_log_format(audit_buf, " src=%pI6", sel->saddr.a6);
3037 if (sel->prefixlen_s != 128)
3038 audit_log_format(audit_buf, " src_prefixlen=%d",
3040 audit_log_format(audit_buf, " dst=%pI6", sel->daddr.a6);
3041 if (sel->prefixlen_d != 128)
3042 audit_log_format(audit_buf, " dst_prefixlen=%d",
3048 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
3049 kuid_t auid, unsigned int sessionid, u32 secid)
3051 struct audit_buffer *audit_buf;
3053 audit_buf = xfrm_audit_start("SPD-add");
3054 if (audit_buf == NULL)
3056 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
3057 audit_log_format(audit_buf, " res=%u", result);
3058 xfrm_audit_common_policyinfo(xp, audit_buf);
3059 audit_log_end(audit_buf);
3061 EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
3063 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
3064 kuid_t auid, unsigned int sessionid, u32 secid)
3066 struct audit_buffer *audit_buf;
3068 audit_buf = xfrm_audit_start("SPD-delete");
3069 if (audit_buf == NULL)
3071 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
3072 audit_log_format(audit_buf, " res=%u", result);
3073 xfrm_audit_common_policyinfo(xp, audit_buf);
3074 audit_log_end(audit_buf);
3076 EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
3079 #ifdef CONFIG_XFRM_MIGRATE
3080 static bool xfrm_migrate_selector_match(const struct xfrm_selector *sel_cmp,
3081 const struct xfrm_selector *sel_tgt)
3083 if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
3084 if (sel_tgt->family == sel_cmp->family &&
3085 xfrm_addr_equal(&sel_tgt->daddr, &sel_cmp->daddr,
3087 xfrm_addr_equal(&sel_tgt->saddr, &sel_cmp->saddr,
3089 sel_tgt->prefixlen_d == sel_cmp->prefixlen_d &&
3090 sel_tgt->prefixlen_s == sel_cmp->prefixlen_s) {
3094 if (memcmp(sel_tgt, sel_cmp, sizeof(*sel_tgt)) == 0) {
3101 static struct xfrm_policy *xfrm_migrate_policy_find(const struct xfrm_selector *sel,
3102 u8 dir, u8 type, struct net *net)
3104 struct xfrm_policy *pol, *ret = NULL;
3105 struct hlist_head *chain;
3108 read_lock_bh(&net->xfrm.xfrm_policy_lock); /*FIXME*/
3109 chain = policy_hash_direct(net, &sel->daddr, &sel->saddr, sel->family, dir);
3110 hlist_for_each_entry(pol, chain, bydst) {
3111 if (xfrm_migrate_selector_match(sel, &pol->selector) &&
3112 pol->type == type) {
3114 priority = ret->priority;
3118 chain = &net->xfrm.policy_inexact[dir];
3119 hlist_for_each_entry(pol, chain, bydst) {
3120 if (xfrm_migrate_selector_match(sel, &pol->selector) &&
3121 pol->type == type &&
3122 pol->priority < priority) {
3131 read_unlock_bh(&net->xfrm.xfrm_policy_lock);
3136 static int migrate_tmpl_match(const struct xfrm_migrate *m, const struct xfrm_tmpl *t)
3140 if (t->mode == m->mode && t->id.proto == m->proto &&
3141 (m->reqid == 0 || t->reqid == m->reqid)) {
3143 case XFRM_MODE_TUNNEL:
3144 case XFRM_MODE_BEET:
3145 if (xfrm_addr_equal(&t->id.daddr, &m->old_daddr,
3147 xfrm_addr_equal(&t->saddr, &m->old_saddr,
3152 case XFRM_MODE_TRANSPORT:
3153 /* in case of transport mode, template does not store
3154 any IP addresses, hence we just compare mode and
3165 /* update endpoint address(es) of template(s) */
3166 static int xfrm_policy_migrate(struct xfrm_policy *pol,
3167 struct xfrm_migrate *m, int num_migrate)
3169 struct xfrm_migrate *mp;
3172 write_lock_bh(&pol->lock);
3173 if (unlikely(pol->walk.dead)) {
3174 /* target policy has been deleted */
3175 write_unlock_bh(&pol->lock);
3179 for (i = 0; i < pol->xfrm_nr; i++) {
3180 for (j = 0, mp = m; j < num_migrate; j++, mp++) {
3181 if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i]))
3184 if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL &&
3185 pol->xfrm_vec[i].mode != XFRM_MODE_BEET)
3187 /* update endpoints */
3188 memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr,
3189 sizeof(pol->xfrm_vec[i].id.daddr));
3190 memcpy(&pol->xfrm_vec[i].saddr, &mp->new_saddr,
3191 sizeof(pol->xfrm_vec[i].saddr));
3192 pol->xfrm_vec[i].encap_family = mp->new_family;
3194 atomic_inc(&pol->genid);
3198 write_unlock_bh(&pol->lock);
3206 static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate)
3210 if (num_migrate < 1 || num_migrate > XFRM_MAX_DEPTH)
3213 for (i = 0; i < num_migrate; i++) {
3214 if (xfrm_addr_equal(&m[i].old_daddr, &m[i].new_daddr,
3216 xfrm_addr_equal(&m[i].old_saddr, &m[i].new_saddr,
3219 if (xfrm_addr_any(&m[i].new_daddr, m[i].new_family) ||
3220 xfrm_addr_any(&m[i].new_saddr, m[i].new_family))
3223 /* check if there is any duplicated entry */
3224 for (j = i + 1; j < num_migrate; j++) {
3225 if (!memcmp(&m[i].old_daddr, &m[j].old_daddr,
3226 sizeof(m[i].old_daddr)) &&
3227 !memcmp(&m[i].old_saddr, &m[j].old_saddr,
3228 sizeof(m[i].old_saddr)) &&
3229 m[i].proto == m[j].proto &&
3230 m[i].mode == m[j].mode &&
3231 m[i].reqid == m[j].reqid &&
3232 m[i].old_family == m[j].old_family)
3240 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
3241 struct xfrm_migrate *m, int num_migrate,
3242 struct xfrm_kmaddress *k, struct net *net)
3244 int i, err, nx_cur = 0, nx_new = 0;
3245 struct xfrm_policy *pol = NULL;
3246 struct xfrm_state *x, *xc;
3247 struct xfrm_state *x_cur[XFRM_MAX_DEPTH];
3248 struct xfrm_state *x_new[XFRM_MAX_DEPTH];
3249 struct xfrm_migrate *mp;
3251 if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
3254 /* Stage 1 - find policy */
3255 if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {
3260 /* Stage 2 - find and update state(s) */
3261 for (i = 0, mp = m; i < num_migrate; i++, mp++) {
3262 if ((x = xfrm_migrate_state_find(mp, net))) {
3265 if ((xc = xfrm_state_migrate(x, mp))) {
3275 /* Stage 3 - update policy */
3276 if ((err = xfrm_policy_migrate(pol, m, num_migrate)) < 0)
3279 /* Stage 4 - delete old state(s) */
3281 xfrm_states_put(x_cur, nx_cur);
3282 xfrm_states_delete(x_cur, nx_cur);
3285 /* Stage 5 - announce */
3286 km_migrate(sel, dir, type, m, num_migrate, k);
3298 xfrm_states_put(x_cur, nx_cur);
3300 xfrm_states_delete(x_new, nx_new);
3304 EXPORT_SYMBOL(xfrm_migrate);