linux/include/net/xfrm.h
<<
>>
Prefs 
   1#ifndef _NET_XFRM_H
   2#define _NET_XFRM_H
   3
   4#include <linux/compiler.h>
   5#include <linux/xfrm.h>
   6#include <linux/spinlock.h>
   7#include <linux/list.h>
   8#include <linux/skbuff.h>
   9#include <linux/socket.h>
  10#include <linux/pfkeyv2.h>
  11#include <linux/ipsec.h>
  12#include <linux/in6.h>
  13#include <linux/mutex.h>
  14#include <linux/audit.h>
  15
  16#include <net/sock.h>
  17#include <net/dst.h>
  18#include <net/ip.h>
  19#include <net/route.h>
  20#include <net/ipv6.h>
  21#include <net/ip6_fib.h>
  22#ifdef CONFIG_XFRM_STATISTICS
  23#include <net/snmp.h>
  24#endif
  25
  26#define XFRM_PROTO_ESP          50
  27#define XFRM_PROTO_AH           51
  28#define XFRM_PROTO_COMP         108
  29#define XFRM_PROTO_IPIP         4
  30#define XFRM_PROTO_IPV6         41
  31#define XFRM_PROTO_ROUTING      IPPROTO_ROUTING
  32#define XFRM_PROTO_DSTOPTS      IPPROTO_DSTOPTS
  33
  34#define XFRM_ALIGN8(len)        (((len) + 7) & ~7)
  35#define MODULE_ALIAS_XFRM_MODE(family, encap) \
  36        MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
  37#define MODULE_ALIAS_XFRM_TYPE(family, proto) \
  38        MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
  39
  40#ifdef CONFIG_XFRM_STATISTICS
  41DECLARE_SNMP_STAT(struct linux_xfrm_mib, xfrm_statistics);
  42#define XFRM_INC_STATS(field)           SNMP_INC_STATS(xfrm_statistics, field)
  43#define XFRM_INC_STATS_BH(field)        SNMP_INC_STATS_BH(xfrm_statistics, field)
  44#define XFRM_INC_STATS_USER(field)      SNMP_INC_STATS_USER(xfrm_statistics, field)
  45#else
  46#define XFRM_INC_STATS(field)
  47#define XFRM_INC_STATS_BH(field)
  48#define XFRM_INC_STATS_USER(field)
  49#endif
  50
  51extern struct sock *xfrm_nl;
  52extern u32 sysctl_xfrm_aevent_etime;
  53extern u32 sysctl_xfrm_aevent_rseqth;
  54extern int sysctl_xfrm_larval_drop;
  55extern u32 sysctl_xfrm_acq_expires;
  56
  57extern struct mutex xfrm_cfg_mutex;
  58
  59/* Organization of SPD aka "XFRM rules"
  60   ------------------------------------
  61
  62   Basic objects:
  63   - policy rule, struct xfrm_policy (=SPD entry)
  64   - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
  65   - instance of a transformer, struct xfrm_state (=SA)
  66   - template to clone xfrm_state, struct xfrm_tmpl
  67
  68   SPD is plain linear list of xfrm_policy rules, ordered by priority.
  69   (To be compatible with existing pfkeyv2 implementations,
  70   many rules with priority of 0x7fffffff are allowed to exist and
  71   such rules are ordered in an unpredictable way, thanks to bsd folks.)
  72
  73   Lookup is plain linear search until the first match with selector.
  74
  75   If "action" is "block", then we prohibit the flow, otherwise:
  76   if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
  77   policy entry has list of up to XFRM_MAX_DEPTH transformations,
  78   described by templates xfrm_tmpl. Each template is resolved
  79   to a complete xfrm_state (see below) and we pack bundle of transformations
  80   to a dst_entry returned to requestor.
  81
  82   dst -. xfrm  .-> xfrm_state #1
  83    |---. child .-> dst -. xfrm .-> xfrm_state #2
  84                     |---. child .-> dst -. xfrm .-> xfrm_state #3
  85                                      |---. child .-> NULL
  86
  87   Bundles are cached at xrfm_policy struct (field ->bundles).
  88
  89
  90   Resolution of xrfm_tmpl
  91   -----------------------
  92   Template contains:
  93   1. ->mode            Mode: transport or tunnel
  94   2. ->id.proto        Protocol: AH/ESP/IPCOMP
  95   3. ->id.daddr        Remote tunnel endpoint, ignored for transport mode.
  96      Q: allow to resolve security gateway?
  97   4. ->id.spi          If not zero, static SPI.
  98   5. ->saddr           Local tunnel endpoint, ignored for transport mode.
  99   6. ->algos           List of allowed algos. Plain bitmask now.
 100      Q: ealgos, aalgos, calgos. What a mess...
 101   7. ->share           Sharing mode.
 102      Q: how to implement private sharing mode? To add struct sock* to
 103      flow id?
 104
 105   Having this template we search through SAD searching for entries
 106   with appropriate mode/proto/algo, permitted by selector.
 107   If no appropriate entry found, it is requested from key manager.
 108
 109   PROBLEMS:
 110   Q: How to find all the bundles referring to a physical path for
 111      PMTU discovery? Seems, dst should contain list of all parents...
 112      and enter to infinite locking hierarchy disaster.
 113      No! It is easier, we will not search for them, let them find us.
 114      We add genid to each dst plus pointer to genid of raw IP route,
 115      pmtu disc will update pmtu on raw IP route and increase its genid.
 116      dst_check() will see this for top level and trigger resyncing
 117      metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
 118 */
 119
 120/* Full description of state of transformer. */
 121struct xfrm_state
 122{
 123        /* Note: bydst is re-used during gc */
 124        struct list_head        all;
 125        struct hlist_node       bydst;
 126        struct hlist_node       bysrc;
 127        struct hlist_node       byspi;
 128
 129        atomic_t                refcnt;
 130        spinlock_t              lock;
 131
 132        struct xfrm_id          id;
 133        struct xfrm_selector    sel;
 134
 135        u32                     genid;
 136
 137        /* Key manger bits */
 138        struct {
 139                u8              state;
 140                u8              dying;
 141                u32             seq;
 142        } km;
 143
 144        /* Parameters of this state. */
 145        struct {
 146                u32             reqid;
 147                u8              mode;
 148                u8              replay_window;
 149                u8              aalgo, ealgo, calgo;
 150                u8              flags;
 151                u16             family;
 152                xfrm_address_t  saddr;
 153                int             header_len;
 154                int             trailer_len;
 155        } props;
 156
 157        struct xfrm_lifetime_cfg lft;
 158
 159        /* Data for transformer */
 160        struct xfrm_algo        *aalg;
 161        struct xfrm_algo        *ealg;
 162        struct xfrm_algo        *calg;
 163        struct xfrm_algo_aead   *aead;
 164
 165        /* Data for encapsulator */
 166        struct xfrm_encap_tmpl  *encap;
 167
 168        /* Data for care-of address */
 169        xfrm_address_t  *coaddr;
 170
 171        /* IPComp needs an IPIP tunnel for handling uncompressed packets */
 172        struct xfrm_state       *tunnel;
 173
 174        /* If a tunnel, number of users + 1 */
 175        atomic_t                tunnel_users;
 176
 177        /* State for replay detection */
 178        struct xfrm_replay_state replay;
 179
 180        /* Replay detection state at the time we sent the last notification */
 181        struct xfrm_replay_state preplay;
 182
 183        /* internal flag that only holds state for delayed aevent at the
 184         * moment
 185        */
 186        u32                     xflags;
 187
 188        /* Replay detection notification settings */
 189        u32                     replay_maxage;
 190        u32                     replay_maxdiff;
 191
 192        /* Replay detection notification timer */
 193        struct timer_list       rtimer;
 194
 195        /* Statistics */
 196        struct xfrm_stats       stats;
 197
 198        struct xfrm_lifetime_cur curlft;
 199        struct timer_list       timer;
 200
 201        /* Last used time */
 202        unsigned long           lastused;
 203
 204        /* Reference to data common to all the instances of this
 205         * transformer. */
 206        const struct xfrm_type  *type;
 207        struct xfrm_mode        *inner_mode;
 208        struct xfrm_mode        *inner_mode_iaf;
 209        struct xfrm_mode        *outer_mode;
 210
 211        /* Security context */
 212        struct xfrm_sec_ctx     *security;
 213
 214        /* Private data of this transformer, format is opaque,
 215         * interpreted by xfrm_type methods. */
 216        void                    *data;
 217};
 218
 219/* xflags - make enum if more show up */
 220#define XFRM_TIME_DEFER 1
 221
 222enum {
 223        XFRM_STATE_VOID,
 224        XFRM_STATE_ACQ,
 225        XFRM_STATE_VALID,
 226        XFRM_STATE_ERROR,
 227        XFRM_STATE_EXPIRED,
 228        XFRM_STATE_DEAD
 229};
 230
 231/* callback structure passed from either netlink or pfkey */
 232struct km_event
 233{
 234        union {
 235                u32 hard;
 236                u32 proto;
 237                u32 byid;
 238                u32 aevent;
 239                u32 type;
 240        } data;
 241
 242        u32     seq;
 243        u32     pid;
 244        u32     event;
 245};
 246
 247struct net_device;
 248struct xfrm_type;
 249struct xfrm_dst;
 250struct xfrm_policy_afinfo {
 251        unsigned short          family;
 252        struct dst_ops          *dst_ops;
 253        void                    (*garbage_collect)(void);
 254        struct dst_entry        *(*dst_lookup)(int tos, xfrm_address_t *saddr,
 255                                               xfrm_address_t *daddr);
 256        int                     (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr);
 257        struct dst_entry        *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
 258        void                    (*decode_session)(struct sk_buff *skb,
 259                                                  struct flowi *fl,
 260                                                  int reverse);
 261        int                     (*get_tos)(struct flowi *fl);
 262        int                     (*init_path)(struct xfrm_dst *path,
 263                                             struct dst_entry *dst,
 264                                             int nfheader_len);
 265        int                     (*fill_dst)(struct xfrm_dst *xdst,
 266                                            struct net_device *dev);
 267};
 268
 269extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
 270extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
 271extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
 272extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
 273
 274struct xfrm_tmpl;
 275extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
 276extern void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
 277extern int __xfrm_state_delete(struct xfrm_state *x);
 278
 279struct xfrm_state_afinfo {
 280        unsigned int            family;
 281        unsigned int            proto;
 282        __be16                  eth_proto;
 283        struct module           *owner;
 284        const struct xfrm_type  *type_map[IPPROTO_MAX];
 285        struct xfrm_mode        *mode_map[XFRM_MODE_MAX];
 286        int                     (*init_flags)(struct xfrm_state *x);
 287        void                    (*init_tempsel)(struct xfrm_state *x, struct flowi *fl,
 288                                                struct xfrm_tmpl *tmpl,
 289                                                xfrm_address_t *daddr, xfrm_address_t *saddr);
 290        int                     (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
 291        int                     (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
 292        int                     (*output)(struct sk_buff *skb);
 293        int                     (*extract_input)(struct xfrm_state *x,
 294                                                 struct sk_buff *skb);
 295        int                     (*extract_output)(struct xfrm_state *x,
 296                                                  struct sk_buff *skb);
 297        int                     (*transport_finish)(struct sk_buff *skb,
 298                                                    int async);
 299};
 300
 301extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
 302extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
 303
 304extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
 305
 306struct xfrm_type
 307{
 308        char                    *description;
 309        struct module           *owner;
 310        __u8                    proto;
 311        __u8                    flags;
 312#define XFRM_TYPE_NON_FRAGMENT  1
 313#define XFRM_TYPE_REPLAY_PROT   2
 314#define XFRM_TYPE_LOCAL_COADDR  4
 315#define XFRM_TYPE_REMOTE_COADDR 8
 316
 317        int                     (*init_state)(struct xfrm_state *x);
 318        void                    (*destructor)(struct xfrm_state *);
 319        int                     (*input)(struct xfrm_state *, struct sk_buff *skb);
 320        int                     (*output)(struct xfrm_state *, struct sk_buff *pskb);
 321        int                     (*reject)(struct xfrm_state *, struct sk_buff *, struct flowi *);
 322        int                     (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
 323        /* Estimate maximal size of result of transformation of a dgram */
 324        u32                     (*get_mtu)(struct xfrm_state *, int size);
 325};
 326
 327extern int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
 328extern int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
 329
 330struct xfrm_mode {
 331        /*
 332         * Remove encapsulation header.
 333         *
 334         * The IP header will be moved over the top of the encapsulation
 335         * header.
 336         *
 337         * On entry, the transport header shall point to where the IP header
 338         * should be and the network header shall be set to where the IP
 339         * header currently is.  skb->data shall point to the start of the
 340         * payload.
 341         */
 342        int (*input2)(struct xfrm_state *x, struct sk_buff *skb);
 343
 344        /*
 345         * This is the actual input entry point.
 346         *
 347         * For transport mode and equivalent this would be identical to
 348         * input2 (which does not need to be set).  While tunnel mode
 349         * and equivalent would set this to the tunnel encapsulation function
 350         * xfrm4_prepare_input that would in turn call input2.
 351         */
 352        int (*input)(struct xfrm_state *x, struct sk_buff *skb);
 353
 354        /*
 355         * Add encapsulation header.
 356         *
 357         * On exit, the transport header will be set to the start of the
 358         * encapsulation header to be filled in by x->type->output and
 359         * the mac header will be set to the nextheader (protocol for
 360         * IPv4) field of the extension header directly preceding the
 361         * encapsulation header, or in its absence, that of the top IP
 362         * header.  The value of the network header will always point
 363         * to the top IP header while skb->data will point to the payload.
 364         */
 365        int (*output2)(struct xfrm_state *x,struct sk_buff *skb);
 366
 367        /*
 368         * This is the actual output entry point.
 369         *
 370         * For transport mode and equivalent this would be identical to
 371         * output2 (which does not need to be set).  While tunnel mode
 372         * and equivalent would set this to a tunnel encapsulation function
 373         * (xfrm4_prepare_output or xfrm6_prepare_output) that would in turn
 374         * call output2.
 375         */
 376        int (*output)(struct xfrm_state *x, struct sk_buff *skb);
 377
 378        struct xfrm_state_afinfo *afinfo;
 379        struct module *owner;
 380        unsigned int encap;
 381        int flags;
 382};
 383
 384/* Flags for xfrm_mode. */
 385enum {
 386        XFRM_MODE_FLAG_TUNNEL = 1,
 387};
 388
 389extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
 390extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
 391
 392static inline int xfrm_af2proto(unsigned int family)
 393{
 394        switch(family) {
 395        case AF_INET:
 396                return IPPROTO_IPIP;
 397        case AF_INET6:
 398                return IPPROTO_IPV6;
 399        default:
 400                return 0;
 401        }
 402}
 403
 404static inline struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
 405{
 406        if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
 407            (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
 408                return x->inner_mode;
 409        else
 410                return x->inner_mode_iaf;
 411}
 412
 413struct xfrm_tmpl
 414{
 415/* id in template is interpreted as:
 416 * daddr - destination of tunnel, may be zero for transport mode.
 417 * spi   - zero to acquire spi. Not zero if spi is static, then
 418 *         daddr must be fixed too.
 419 * proto - AH/ESP/IPCOMP
 420 */
 421        struct xfrm_id          id;
 422
 423/* Source address of tunnel. Ignored, if it is not a tunnel. */
 424        xfrm_address_t          saddr;
 425
 426        unsigned short          encap_family;
 427
 428        __u32                   reqid;
 429
 430/* Mode: transport, tunnel etc. */
 431        __u8                    mode;
 432
 433/* Sharing mode: unique, this session only, this user only etc. */
 434        __u8                    share;
 435
 436/* May skip this transfomration if no SA is found */
 437        __u8                    optional;
 438
 439/* Skip aalgos/ealgos/calgos checks. */
 440        __u8                    allalgs;
 441
 442/* Bit mask of algos allowed for acquisition */
 443        __u32                   aalgos;
 444        __u32                   ealgos;
 445        __u32                   calgos;
 446};
 447
 448#define XFRM_MAX_DEPTH          6
 449
 450struct xfrm_policy
 451{
 452        struct xfrm_policy      *next;
 453        struct list_head        bytype;
 454        struct hlist_node       bydst;
 455        struct hlist_node       byidx;
 456
 457        /* This lock only affects elements except for entry. */
 458        rwlock_t                lock;
 459        atomic_t                refcnt;
 460        struct timer_list       timer;
 461
 462        u32                     priority;
 463        u32                     index;
 464        struct xfrm_selector    selector;
 465        struct xfrm_lifetime_cfg lft;
 466        struct xfrm_lifetime_cur curlft;
 467        struct dst_entry       *bundles;
 468        u16                     family;
 469        u8                      type;
 470        u8                      action;
 471        u8                      flags;
 472        u8                      dead;
 473        u8                      xfrm_nr;
 474        /* XXX 1 byte hole, try to pack */
 475        struct xfrm_sec_ctx     *security;
 476        struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
 477};
 478
 479struct xfrm_migrate {
 480        xfrm_address_t          old_daddr;
 481        xfrm_address_t          old_saddr;
 482        xfrm_address_t          new_daddr;
 483        xfrm_address_t          new_saddr;
 484        u8                      proto;
 485        u8                      mode;
 486        u16                     reserved;
 487        u32                     reqid;
 488        u16                     old_family;
 489        u16                     new_family;
 490};
 491
 492#define XFRM_KM_TIMEOUT                30
 493/* which seqno */
 494#define XFRM_REPLAY_SEQ         1
 495#define XFRM_REPLAY_OSEQ        2
 496#define XFRM_REPLAY_SEQ_MASK    3
 497/* what happened */
 498#define XFRM_REPLAY_UPDATE      XFRM_AE_CR
 499#define XFRM_REPLAY_TIMEOUT     XFRM_AE_CE
 500
 501/* default aevent timeout in units of 100ms */
 502#define XFRM_AE_ETIME                   10
 503/* Async Event timer multiplier */
 504#define XFRM_AE_ETH_M                   10
 505/* default seq threshold size */
 506#define XFRM_AE_SEQT_SIZE               2
 507
 508struct xfrm_mgr
 509{
 510        struct list_head        list;
 511        char                    *id;
 512        int                     (*notify)(struct xfrm_state *x, struct km_event *c);
 513        int                     (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir);
 514        struct xfrm_policy      *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
 515        int                     (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
 516        int                     (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c);
 517        int                     (*report)(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
 518        int                     (*migrate)(struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles);
 519};
 520
 521extern int xfrm_register_km(struct xfrm_mgr *km);
 522extern int xfrm_unregister_km(struct xfrm_mgr *km);
 523
 524extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2];
 525
 526/*
 527 * This structure is used for the duration where packets are being
 528 * transformed by IPsec.  As soon as the packet leaves IPsec the
 529 * area beyond the generic IP part may be overwritten.
 530 */
 531struct xfrm_skb_cb {
 532        union {
 533                struct inet_skb_parm h4;
 534                struct inet6_skb_parm h6;
 535        } header;
 536
 537        /* Sequence number for replay protection. */
 538        union {
 539                u64 output;
 540                __be32 input;
 541        } seq;
 542};
 543
 544#define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
 545
 546/*
 547 * This structure is used by the afinfo prepare_input/prepare_output functions
 548 * to transmit header information to the mode input/output functions.
 549 */
 550struct xfrm_mode_skb_cb {
 551        union {
 552                struct inet_skb_parm h4;
 553                struct inet6_skb_parm h6;
 554        } header;
 555
 556        /* Copied from header for IPv4, always set to zero and DF for IPv6. */
 557        __be16 id;
 558        __be16 frag_off;
 559
 560        /* IP header length (excluding options or extension headers). */
 561        u8 ihl;
 562
 563        /* TOS for IPv4, class for IPv6. */
 564        u8 tos;
 565
 566        /* TTL for IPv4, hop limitfor IPv6. */
 567        u8 ttl;
 568
 569        /* Protocol for IPv4, NH for IPv6. */
 570        u8 protocol;
 571
 572        /* Option length for IPv4, zero for IPv6. */
 573        u8 optlen;
 574
 575        /* Used by IPv6 only, zero for IPv4. */
 576        u8 flow_lbl[3];
 577};
 578
 579#define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
 580
 581/*
 582 * This structure is used by the input processing to locate the SPI and
 583 * related information.
 584 */
 585struct xfrm_spi_skb_cb {
 586        union {
 587                struct inet_skb_parm h4;
 588                struct inet6_skb_parm h6;
 589        } header;
 590
 591        unsigned int daddroff;
 592        unsigned int family;
 593};
 594
 595#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
 596
 597/* Audit Information */
 598struct xfrm_audit
 599{
 600        u32     secid;
 601        uid_t   loginuid;
 602        u32     sessionid;
 603};
 604
 605#ifdef CONFIG_AUDITSYSCALL
 606static inline struct audit_buffer *xfrm_audit_start(const char *op)
 607{
 608        struct audit_buffer *audit_buf = NULL;
 609
 610        if (audit_enabled == 0)
 611                return NULL;
 612        audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
 613                                    AUDIT_MAC_IPSEC_EVENT);
 614        if (audit_buf == NULL)
 615                return NULL;
 616        audit_log_format(audit_buf, "op=%s", op);
 617        return audit_buf;
 618}
 619
 620static inline void xfrm_audit_helper_usrinfo(uid_t auid, u32 ses, u32 secid,
 621                                             struct audit_buffer *audit_buf)
 622{
 623        char *secctx;
 624        u32 secctx_len;
 625
 626        audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
 627        if (secid != 0 &&
 628            security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
 629                audit_log_format(audit_buf, " subj=%s", secctx);
 630                security_release_secctx(secctx, secctx_len);
 631        } else
 632                audit_log_task_context(audit_buf);
 633}
 634
 635extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 636                                  u32 auid, u32 ses, u32 secid);
 637extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 638                                  u32 auid, u32 ses, u32 secid);
 639extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
 640                                 u32 auid, u32 ses, u32 secid);
 641extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 642                                    u32 auid, u32 ses, u32 secid);
 643extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 644                                             struct sk_buff *skb);
 645extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
 646extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 647                                      __be32 net_spi, __be32 net_seq);
 648extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
 649                                     struct sk_buff *skb, u8 proto);
 650#else
 651
 652static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 653                                  u32 auid, u32 ses, u32 secid)
 654{
 655}
 656
 657static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 658                                  u32 auid, u32 ses, u32 secid)
 659{
 660}
 661
 662static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
 663                                 u32 auid, u32 ses, u32 secid)
 664{
 665}
 666
 667static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 668                                    u32 auid, u32 ses, u32 secid)
 669{
 670}
 671
 672static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 673                                             struct sk_buff *skb)
 674{
 675}
 676
 677static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
 678                                      u16 family)
 679{
 680}
 681
 682static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 683                                      __be32 net_spi, __be32 net_seq)
 684{
 685}
 686
 687static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
 688                                     struct sk_buff *skb, u8 proto)
 689{
 690}
 691#endif /* CONFIG_AUDITSYSCALL */
 692
 693static inline void xfrm_pol_hold(struct xfrm_policy *policy)
 694{
 695        if (likely(policy != NULL))
 696                atomic_inc(&policy->refcnt);
 697}
 698
 699extern void xfrm_policy_destroy(struct xfrm_policy *policy);
 700
 701static inline void xfrm_pol_put(struct xfrm_policy *policy)
 702{
 703        if (atomic_dec_and_test(&policy->refcnt))
 704                xfrm_policy_destroy(policy);
 705}
 706
 707#ifdef CONFIG_XFRM_SUB_POLICY
 708static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
 709{
 710        int i;
 711        for (i = npols - 1; i >= 0; --i)
 712                xfrm_pol_put(pols[i]);
 713}
 714#else
 715static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
 716{
 717        xfrm_pol_put(pols[0]);
 718}
 719#endif
 720
 721extern void __xfrm_state_destroy(struct xfrm_state *);
 722
 723static inline void __xfrm_state_put(struct xfrm_state *x)
 724{
 725        atomic_dec(&x->refcnt);
 726}
 727
 728static inline void xfrm_state_put(struct xfrm_state *x)
 729{
 730        if (atomic_dec_and_test(&x->refcnt))
 731                __xfrm_state_destroy(x);
 732}
 733
 734static inline void xfrm_state_hold(struct xfrm_state *x)
 735{
 736        atomic_inc(&x->refcnt);
 737}
 738
 739static __inline__ int addr_match(void *token1, void *token2, int prefixlen)
 740{
 741        __be32 *a1 = token1;
 742        __be32 *a2 = token2;
 743        int pdw;
 744        int pbi;
 745
 746        pdw = prefixlen >> 5;     /* num of whole __u32 in prefix */
 747        pbi = prefixlen &  0x1f;  /* num of bits in incomplete u32 in prefix */
 748
 749        if (pdw)
 750                if (memcmp(a1, a2, pdw << 2))
 751                        return 0;
 752
 753        if (pbi) {
 754                __be32 mask;
 755
 756                mask = htonl((0xffffffff) << (32 - pbi));
 757
 758                if ((a1[pdw] ^ a2[pdw]) & mask)
 759                        return 0;
 760        }
 761
 762        return 1;
 763}
 764
 765static __inline__
 766__be16 xfrm_flowi_sport(struct flowi *fl)
 767{
 768        __be16 port;
 769        switch(fl->proto) {
 770        case IPPROTO_TCP:
 771        case IPPROTO_UDP:
 772        case IPPROTO_UDPLITE:
 773        case IPPROTO_SCTP:
 774                port = fl->fl_ip_sport;
 775                break;
 776        case IPPROTO_ICMP:
 777        case IPPROTO_ICMPV6:
 778                port = htons(fl->fl_icmp_type);
 779                break;
 780        case IPPROTO_MH:
 781                port = htons(fl->fl_mh_type);
 782                break;
 783        default:
 784                port = 0;       /*XXX*/
 785        }
 786        return port;
 787}
 788
 789static __inline__
 790__be16 xfrm_flowi_dport(struct flowi *fl)
 791{
 792        __be16 port;
 793        switch(fl->proto) {
 794        case IPPROTO_TCP:
 795        case IPPROTO_UDP:
 796        case IPPROTO_UDPLITE:
 797        case IPPROTO_SCTP:
 798                port = fl->fl_ip_dport;
 799                break;
 800        case IPPROTO_ICMP:
 801        case IPPROTO_ICMPV6:
 802                port = htons(fl->fl_icmp_code);
 803                break;
 804        default:
 805                port = 0;       /*XXX*/
 806        }
 807        return port;
 808}
 809
 810extern int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
 811                               unsigned short family);
 812
 813#ifdef CONFIG_SECURITY_NETWORK_XFRM
 814/*      If neither has a context --> match
 815 *      Otherwise, both must have a context and the sids, doi, alg must match
 816 */
 817static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 818{
 819        return ((!s1 && !s2) ||
 820                (s1 && s2 &&
 821                 (s1->ctx_sid == s2->ctx_sid) &&
 822                 (s1->ctx_doi == s2->ctx_doi) &&
 823                 (s1->ctx_alg == s2->ctx_alg)));
 824}
 825#else
 826static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 827{
 828        return 1;
 829}
 830#endif
 831
 832/* A struct encoding bundle of transformations to apply to some set of flow.
 833 *
 834 * dst->child points to the next element of bundle.
 835 * dst->xfrm  points to an instanse of transformer.
 836 *
 837 * Due to unfortunate limitations of current routing cache, which we
 838 * have no time to fix, it mirrors struct rtable and bound to the same
 839 * routing key, including saddr,daddr. However, we can have many of
 840 * bundles differing by session id. All the bundles grow from a parent
 841 * policy rule.
 842 */
 843struct xfrm_dst
 844{
 845        union {
 846                struct dst_entry        dst;
 847                struct rtable           rt;
 848                struct rt6_info         rt6;
 849        } u;
 850        struct dst_entry *route;
 851#ifdef CONFIG_XFRM_SUB_POLICY
 852        struct flowi *origin;
 853        struct xfrm_selector *partner;
 854#endif
 855        u32 genid;
 856        u32 route_mtu_cached;
 857        u32 child_mtu_cached;
 858        u32 route_cookie;
 859        u32 path_cookie;
 860};
 861
 862static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
 863{
 864        dst_release(xdst->route);
 865        if (likely(xdst->u.dst.xfrm))
 866                xfrm_state_put(xdst->u.dst.xfrm);
 867#ifdef CONFIG_XFRM_SUB_POLICY
 868        kfree(xdst->origin);
 869        xdst->origin = NULL;
 870        kfree(xdst->partner);
 871        xdst->partner = NULL;
 872#endif
 873}
 874
 875extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
 876
 877struct sec_path
 878{
 879        atomic_t                refcnt;
 880        int                     len;
 881        struct xfrm_state       *xvec[XFRM_MAX_DEPTH];
 882};
 883
 884static inline struct sec_path *
 885secpath_get(struct sec_path *sp)
 886{
 887        if (sp)
 888                atomic_inc(&sp->refcnt);
 889        return sp;
 890}
 891
 892extern void __secpath_destroy(struct sec_path *sp);
 893
 894static inline void
 895secpath_put(struct sec_path *sp)
 896{
 897        if (sp && atomic_dec_and_test(&sp->refcnt))
 898                __secpath_destroy(sp);
 899}
 900
 901extern struct sec_path *secpath_dup(struct sec_path *src);
 902
 903static inline void
 904secpath_reset(struct sk_buff *skb)
 905{
 906#ifdef CONFIG_XFRM
 907        secpath_put(skb->sp);
 908        skb->sp = NULL;
 909#endif
 910}
 911
 912static inline int
 913xfrm_addr_any(xfrm_address_t *addr, unsigned short family)
 914{
 915        switch (family) {
 916        case AF_INET:
 917                return addr->a4 == 0;
 918        case AF_INET6:
 919                return ipv6_addr_any((struct in6_addr *)&addr->a6);
 920        }
 921        return 0;
 922}
 923
 924static inline int
 925__xfrm4_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
 926{
 927        return  (tmpl->saddr.a4 &&
 928                 tmpl->saddr.a4 != x->props.saddr.a4);
 929}
 930
 931static inline int
 932__xfrm6_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
 933{
 934        return  (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
 935                 ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
 936}
 937
 938static inline int
 939xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family)
 940{
 941        switch (family) {
 942        case AF_INET:
 943                return __xfrm4_state_addr_cmp(tmpl, x);
 944        case AF_INET6:
 945                return __xfrm6_state_addr_cmp(tmpl, x);
 946        }
 947        return !0;
 948}
 949
 950#ifdef CONFIG_XFRM
 951extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
 952
 953static inline int __xfrm_policy_check2(struct sock *sk, int dir,
 954                                       struct sk_buff *skb,
 955                                       unsigned int family, int reverse)
 956{
 957        int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
 958
 959        if (sk && sk->sk_policy[XFRM_POLICY_IN])
 960                return __xfrm_policy_check(sk, ndir, skb, family);
 961
 962        return  (!xfrm_policy_count[dir] && !skb->sp) ||
 963                (skb->dst->flags & DST_NOPOLICY) ||
 964                __xfrm_policy_check(sk, ndir, skb, family);
 965}
 966
 967static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
 968{
 969        return __xfrm_policy_check2(sk, dir, skb, family, 0);
 970}
 971
 972static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
 973{
 974        return xfrm_policy_check(sk, dir, skb, AF_INET);
 975}
 976
 977static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
 978{
 979        return xfrm_policy_check(sk, dir, skb, AF_INET6);
 980}
 981
 982static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
 983                                             struct sk_buff *skb)
 984{
 985        return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
 986}
 987
 988static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
 989                                             struct sk_buff *skb)
 990{
 991        return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
 992}
 993
 994extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
 995                                 unsigned int family, int reverse);
 996
 997static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
 998                                      unsigned int family)
 999{
1000        return __xfrm_decode_session(skb, fl, family, 0);

1001}
1002
1003static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1004                                              struct flowi *fl,
1005                                              unsigned int family)
1006{
1007        return __xfrm_decode_session(skb, fl, family, 1);
1008}
1009
1010extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1011
1012static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1013{
1014        return  !xfrm_policy_count[XFRM_POLICY_OUT] ||
1015                (skb->dst->flags & DST_NOXFRM) ||
1016                __xfrm_route_forward(skb, family);
1017}
1018
1019static inline int xfrm4_route_forward(struct sk_buff *skb)
1020{
1021        return xfrm_route_forward(skb, AF_INET);
1022}
1023
1024static inline int xfrm6_route_forward(struct sk_buff *skb)
1025{
1026        return xfrm_route_forward(skb, AF_INET6);
1027}
1028
1029extern int __xfrm_sk_clone_policy(struct sock *sk);
1030
1031static inline int xfrm_sk_clone_policy(struct sock *sk)
1032{
1033        if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
1034                return __xfrm_sk_clone_policy(sk);
1035        return 0;
1036}
1037
1038extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1039
1040static inline void xfrm_sk_free_policy(struct sock *sk)
1041{
1042        if (unlikely(sk->sk_policy[0] != NULL)) {
1043                xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
1044                sk->sk_policy[0] = NULL;
1045        }
1046        if (unlikely(sk->sk_policy[1] != NULL)) {
1047                xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
1048                sk->sk_policy[1] = NULL;
1049        }
1050}
1051
1052#else
1053
1054static inline void xfrm_sk_free_policy(struct sock *sk) {}
1055static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
1056static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }  
1057static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; } 
1058static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1059{ 
1060        return 1; 
1061} 
1062static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1063{
1064        return 1;
1065}
1066static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1067{
1068        return 1;
1069}
1070static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1071                                              struct flowi *fl,
1072                                              unsigned int family)
1073{
1074        return -ENOSYS;
1075}
1076static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1077                                             struct sk_buff *skb)
1078{
1079        return 1;
1080}
1081static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1082                                             struct sk_buff *skb)
1083{
1084        return 1;
1085}
1086#endif
1087
1088static __inline__
1089xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
1090{
1091        switch (family){
1092        case AF_INET:
1093                return (xfrm_address_t *)&fl->fl4_dst;
1094        case AF_INET6:
1095                return (xfrm_address_t *)&fl->fl6_dst;
1096        }
1097        return NULL;
1098}
1099
1100static __inline__
1101xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family)
1102{
1103        switch (family){
1104        case AF_INET:
1105                return (xfrm_address_t *)&fl->fl4_src;
1106        case AF_INET6:
1107                return (xfrm_address_t *)&fl->fl6_src;
1108        }
1109        return NULL;
1110}
1111
1112static __inline__
1113void xfrm_flowi_addr_get(struct flowi *fl,
1114                         xfrm_address_t *saddr, xfrm_address_t *daddr,
1115                         unsigned short family)
1116{
1117        switch(family) {
1118        case AF_INET:
1119                memcpy(&saddr->a4, &fl->fl4_src, sizeof(saddr->a4));
1120                memcpy(&daddr->a4, &fl->fl4_dst, sizeof(daddr->a4));
1121                break;
1122        case AF_INET6:
1123                ipv6_addr_copy((struct in6_addr *)&saddr->a6, &fl->fl6_src);
1124                ipv6_addr_copy((struct in6_addr *)&daddr->a6, &fl->fl6_dst);
1125                break;
1126        }
1127}
1128
1129static __inline__ int
1130__xfrm4_state_addr_check(struct xfrm_state *x,
1131                         xfrm_address_t *daddr, xfrm_address_t *saddr)
1132{
1133        if (daddr->a4 == x->id.daddr.a4 &&
1134            (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1135                return 1;
1136        return 0;
1137}
1138
1139static __inline__ int
1140__xfrm6_state_addr_check(struct xfrm_state *x,
1141                         xfrm_address_t *daddr, xfrm_address_t *saddr)
1142{
1143        if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1144            (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)|| 
1145             ipv6_addr_any((struct in6_addr *)saddr) || 
1146             ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1147                return 1;
1148        return 0;
1149}
1150
1151static __inline__ int
1152xfrm_state_addr_check(struct xfrm_state *x,
1153                      xfrm_address_t *daddr, xfrm_address_t *saddr,
1154                      unsigned short family)
1155{
1156        switch (family) {
1157        case AF_INET:
1158                return __xfrm4_state_addr_check(x, daddr, saddr);
1159        case AF_INET6:
1160                return __xfrm6_state_addr_check(x, daddr, saddr);
1161        }
1162        return 0;
1163}
1164
1165static __inline__ int
1166xfrm_state_addr_flow_check(struct xfrm_state *x, struct flowi *fl,
1167                           unsigned short family)
1168{
1169        switch (family) {
1170        case AF_INET:
1171                return __xfrm4_state_addr_check(x,
1172                                                (xfrm_address_t *)&fl->fl4_dst,
1173                                                (xfrm_address_t *)&fl->fl4_src);
1174        case AF_INET6:
1175                return __xfrm6_state_addr_check(x,
1176                                                (xfrm_address_t *)&fl->fl6_dst,
1177                                                (xfrm_address_t *)&fl->fl6_src);
1178        }
1179        return 0;
1180}
1181
1182static inline int xfrm_state_kern(struct xfrm_state *x)
1183{
1184        return atomic_read(&x->tunnel_users);
1185}
1186
1187static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1188{
1189        return (!userproto || proto == userproto ||
1190                (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1191                                                  proto == IPPROTO_ESP ||
1192                                                  proto == IPPROTO_COMP)));
1193}
1194
1195/*
1196 * xfrm algorithm information
1197 */
1198struct xfrm_algo_aead_info {
1199        u16 icv_truncbits;
1200};
1201
1202struct xfrm_algo_auth_info {
1203        u16 icv_truncbits;
1204        u16 icv_fullbits;
1205};
1206
1207struct xfrm_algo_encr_info {
1208        u16 blockbits;
1209        u16 defkeybits;
1210};
1211
1212struct xfrm_algo_comp_info {
1213        u16 threshold;
1214};
1215
1216struct xfrm_algo_desc {
1217        char *name;
1218        char *compat;
1219        u8 available:1;
1220        union {
1221                struct xfrm_algo_aead_info aead;
1222                struct xfrm_algo_auth_info auth;
1223                struct xfrm_algo_encr_info encr;
1224                struct xfrm_algo_comp_info comp;
1225        } uinfo;
1226        struct sadb_alg desc;
1227};
1228
1229/* XFRM tunnel handlers.  */
1230struct xfrm_tunnel {
1231        int (*handler)(struct sk_buff *skb);
1232        int (*err_handler)(struct sk_buff *skb, __u32 info);
1233
1234        struct xfrm_tunnel *next;
1235        int priority;
1236};
1237
1238struct xfrm6_tunnel {
1239        int (*handler)(struct sk_buff *skb);
1240        int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1241                           int type, int code, int offset, __be32 info);
1242        struct xfrm6_tunnel *next;
1243        int priority;
1244};
1245
1246struct xfrm_state_walk {
1247        struct xfrm_state *state;
1248        int count;
1249        u8 proto;
1250};
1251
1252struct xfrm_policy_walk {
1253        struct xfrm_policy *policy;
1254        int count;
1255        u8 type, cur_type;
1256};
1257
1258extern void xfrm_init(void);
1259extern void xfrm4_init(void);
1260extern void xfrm_state_init(void);
1261extern void xfrm4_state_init(void);
1262#ifdef CONFIG_XFRM
1263extern int xfrm6_init(void);
1264extern void xfrm6_fini(void);
1265extern int xfrm6_state_init(void);
1266extern void xfrm6_state_fini(void);
1267#else
1268static inline int xfrm6_init(void)
1269{
1270        return 0;
1271}
1272static inline void xfrm6_fini(void)
1273{
1274        ;
1275}
1276#endif
1277
1278#ifdef CONFIG_XFRM_STATISTICS
1279extern int xfrm_proc_init(void);
1280#endif
1281
1282static inline void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto)
1283{
1284        walk->proto = proto;
1285        walk->state = NULL;
1286        walk->count = 0;
1287}
1288
1289static inline void xfrm_state_walk_done(struct xfrm_state_walk *walk)
1290{
1291        if (walk->state != NULL) {
1292                xfrm_state_put(walk->state);
1293                walk->state = NULL;
1294        }
1295}
1296
1297extern int xfrm_state_walk(struct xfrm_state_walk *walk,
1298                           int (*func)(struct xfrm_state *, int, void*), void *);
1299extern struct xfrm_state *xfrm_state_alloc(void);
1300extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 
1301                                          struct flowi *fl, struct xfrm_tmpl *tmpl,
1302                                          struct xfrm_policy *pol, int *err,
1303                                          unsigned short family);
1304extern struct xfrm_state * xfrm_stateonly_find(xfrm_address_t *daddr,
1305                                               xfrm_address_t *saddr,
1306                                               unsigned short family,
1307                                               u8 mode, u8 proto, u32 reqid);
1308extern int xfrm_state_check_expire(struct xfrm_state *x);
1309extern void xfrm_state_insert(struct xfrm_state *x);
1310extern int xfrm_state_add(struct xfrm_state *x);
1311extern int xfrm_state_update(struct xfrm_state *x);
1312extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family);
1313extern struct xfrm_state *xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family);
1314#ifdef CONFIG_XFRM_SUB_POLICY
1315extern int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1316                          int n, unsigned short family);
1317extern int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1318                           int n, unsigned short family);
1319#else
1320static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1321                                 int n, unsigned short family)
1322{
1323        return -ENOSYS;
1324}
1325
1326static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1327                                  int n, unsigned short family)
1328{
1329        return -ENOSYS;
1330}
1331#endif
1332
1333struct xfrmk_sadinfo {
1334        u32 sadhcnt; /* current hash bkts */
1335        u32 sadhmcnt; /* max allowed hash bkts */
1336        u32 sadcnt; /* current running count */
1337};
1338
1339struct xfrmk_spdinfo {
1340        u32 incnt;
1341        u32 outcnt;
1342        u32 fwdcnt;
1343        u32 inscnt;
1344        u32 outscnt;
1345        u32 fwdscnt;
1346        u32 spdhcnt;
1347        u32 spdhmcnt;
1348};
1349
1350extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq);
1351extern int xfrm_state_delete(struct xfrm_state *x);
1352extern int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info);
1353extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si);
1354extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si);
1355extern int xfrm_replay_check(struct xfrm_state *x,
1356                             struct sk_buff *skb, __be32 seq);
1357extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);
1358extern void xfrm_replay_notify(struct xfrm_state *x, int event);
1359extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
1360extern int xfrm_init_state(struct xfrm_state *x);
1361extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
1362extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi,
1363                      int encap_type);
1364extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1365extern int xfrm_output_resume(struct sk_buff *skb, int err);
1366extern int xfrm_output(struct sk_buff *skb);
1367extern int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1368extern int xfrm4_extract_header(struct sk_buff *skb);
1369extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1370extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1371                           int encap_type);
1372extern int xfrm4_transport_finish(struct sk_buff *skb, int async);
1373extern int xfrm4_rcv(struct sk_buff *skb);
1374
1375static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1376{
1377        return xfrm4_rcv_encap(skb, nexthdr, spi, 0);
1378}
1379
1380extern int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1381extern int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1382extern int xfrm4_output(struct sk_buff *skb);
1383extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1384extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1385extern int xfrm6_extract_header(struct sk_buff *skb);
1386extern int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1387extern int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
1388extern int xfrm6_transport_finish(struct sk_buff *skb, int async);
1389extern int xfrm6_rcv(struct sk_buff *skb);
1390extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1391                            xfrm_address_t *saddr, u8 proto);
1392extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1393extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1394extern __be32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);
1395extern void xfrm6_tunnel_free_spi(xfrm_address_t *saddr);
1396extern __be32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr);
1397extern int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1398extern int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1399extern int xfrm6_output(struct sk_buff *skb);
1400extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1401                                 u8 **prevhdr);
1402
1403#ifdef CONFIG_XFRM
1404extern int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1405extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
1406#else
1407static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1408{
1409        return -ENOPROTOOPT;
1410} 
1411
1412static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1413{
1414        /* should not happen */
1415        kfree_skb(skb);
1416        return 0;
1417}
1418#endif
1419
1420struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
1421
1422static inline void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type)
1423{
1424        walk->cur_type = XFRM_POLICY_TYPE_MAIN;
1425        walk->type = type;
1426        walk->policy = NULL;
1427        walk->count = 0;
1428}
1429
1430static inline void xfrm_policy_walk_done(struct xfrm_policy_walk *walk)
1431{
1432        if (walk->policy != NULL) {
1433                xfrm_pol_put(walk->policy);
1434                walk->policy = NULL;
1435        }
1436}
1437
1438extern int xfrm_policy_walk(struct xfrm_policy_walk *walk,
1439        int (*func)(struct xfrm_policy *, int, int, void*), void *);
1440int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1441struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
1442                                          struct xfrm_selector *sel,
1443                                          struct xfrm_sec_ctx *ctx, int delete,
1444                                          int *err);
1445struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int *err);
1446int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
1447u32 xfrm_get_acqseq(void);
1448extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1449struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1450                                  xfrm_address_t *daddr, xfrm_address_t *saddr,
1451                                  int create, unsigned short family);
1452extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1453extern int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst,
1454                          struct flowi *fl, int family, int strict);
1455
1456#ifdef CONFIG_XFRM_MIGRATE
1457extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1458                      struct xfrm_migrate *m, int num_bundles);
1459extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m);
1460extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1461                                              struct xfrm_migrate *m);
1462extern int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1463                        struct xfrm_migrate *m, int num_bundles);
1464#endif
1465
1466extern wait_queue_head_t km_waitq;
1467extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1468extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid);
1469extern int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
1470
1471extern void xfrm_input_init(void);
1472extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1473
1474extern void xfrm_probe_algs(void);
1475extern int xfrm_count_auth_supported(void);
1476extern int xfrm_count_enc_supported(void);
1477extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1478extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1479extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1480extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1481extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1482extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe);
1483extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe);
1484extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe);
1485extern struct xfrm_algo_desc *xfrm_aead_get_byname(char *name, int icv_len,
1486                                                   int probe);
1487
1488struct hash_desc;
1489struct scatterlist;
1490typedef int (icv_update_fn_t)(struct hash_desc *, struct scatterlist *,
1491                              unsigned int);
1492
1493extern int skb_icv_walk(const struct sk_buff *skb, struct hash_desc *tfm,
1494                        int offset, int len, icv_update_fn_t icv_update);
1495
1496static inline int xfrm_addr_cmp(xfrm_address_t *a, xfrm_address_t *b,
1497                                int family)
1498{
1499        switch (family) {
1500        default:
1501        case AF_INET:
1502                return (__force __u32)a->a4 - (__force __u32)b->a4;
1503        case AF_INET6:
1504                return ipv6_addr_cmp((struct in6_addr *)a,
1505                                     (struct in6_addr *)b);
1506        }
1507}
1508
1509static inline int xfrm_policy_id2dir(u32 index)
1510{
1511        return index & 7;
1512}
1513
1514static inline int xfrm_aevent_is_on(void)
1515{
1516        struct sock *nlsk;
1517        int ret = 0;
1518
1519        rcu_read_lock();
1520        nlsk = rcu_dereference(xfrm_nl);
1521        if (nlsk)
1522                ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1523        rcu_read_unlock();
1524        return ret;
1525}
1526
1527static inline int xfrm_alg_len(struct xfrm_algo *alg)
1528{
1529        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1530}
1531
1532#ifdef CONFIG_XFRM_MIGRATE
1533static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1534{
1535        return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1536}
1537
1538static inline void xfrm_states_put(struct xfrm_state **states, int n)
1539{
1540        int i;
1541        for (i = 0; i < n; i++)
1542                xfrm_state_put(*(states + i));
1543}
1544
1545static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1546{
1547        int i;
1548        for (i = 0; i < n; i++)
1549                xfrm_state_delete(*(states + i));
1550}
1551#endif
1552
1553static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1554{
1555        return skb->sp->xvec[skb->sp->len - 1];
1556}
1557
1558#endif  /* _NET_XFRM_H */
1559
The original LXR software by the LXR community, this experimental version by lxr@linux.no.
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.