linux/include/net/xfrm.h
<<
>>
Prefs 
   1#ifndef _NET_XFRM_H
   2#define _NET_XFRM_H
   3
   4#include <linux/compiler.h>
   5#include <linux/xfrm.h>
   6#include <linux/spinlock.h>
   7#include <linux/list.h>
   8#include <linux/skbuff.h>
   9#include <linux/socket.h>
  10#include <linux/pfkeyv2.h>
  11#include <linux/ipsec.h>
  12#include <linux/in6.h>
  13#include <linux/mutex.h>
  14#include <linux/audit.h>
  15
  16#include <net/sock.h>
  17#include <net/dst.h>
  18#include <net/ip.h>
  19#include <net/route.h>
  20#include <net/ipv6.h>
  21#include <net/ip6_fib.h>
  22#ifdef CONFIG_XFRM_STATISTICS
  23#include <net/snmp.h>
  24#endif
  25
  26#define XFRM_PROTO_ESP          50
  27#define XFRM_PROTO_AH           51
  28#define XFRM_PROTO_COMP         108
  29#define XFRM_PROTO_IPIP         4
  30#define XFRM_PROTO_IPV6         41
  31#define XFRM_PROTO_ROUTING      IPPROTO_ROUTING
  32#define XFRM_PROTO_DSTOPTS      IPPROTO_DSTOPTS
  33
  34#define XFRM_ALIGN8(len)        (((len) + 7) & ~7)
  35#define MODULE_ALIAS_XFRM_MODE(family, encap) \
  36        MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
  37#define MODULE_ALIAS_XFRM_TYPE(family, proto) \
  38        MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
  39
  40#ifdef CONFIG_XFRM_STATISTICS
  41DECLARE_SNMP_STAT(struct linux_xfrm_mib, xfrm_statistics);
  42#define XFRM_INC_STATS(field)           SNMP_INC_STATS(xfrm_statistics, field)
  43#define XFRM_INC_STATS_BH(field)        SNMP_INC_STATS_BH(xfrm_statistics, field)
  44#define XFRM_INC_STATS_USER(field)      SNMP_INC_STATS_USER(xfrm_statistics, field)
  45#else
  46#define XFRM_INC_STATS(field)
  47#define XFRM_INC_STATS_BH(field)
  48#define XFRM_INC_STATS_USER(field)
  49#endif
  50
  51extern struct sock *xfrm_nl;
  52extern u32 sysctl_xfrm_aevent_etime;
  53extern u32 sysctl_xfrm_aevent_rseqth;
  54extern int sysctl_xfrm_larval_drop;
  55extern u32 sysctl_xfrm_acq_expires;
  56
  57extern struct mutex xfrm_cfg_mutex;
  58
  59/* Organization of SPD aka "XFRM rules"
  60   ------------------------------------
  61
  62   Basic objects:
  63   - policy rule, struct xfrm_policy (=SPD entry)
  64   - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
  65   - instance of a transformer, struct xfrm_state (=SA)
  66   - template to clone xfrm_state, struct xfrm_tmpl
  67
  68   SPD is plain linear list of xfrm_policy rules, ordered by priority.
  69   (To be compatible with existing pfkeyv2 implementations,
  70   many rules with priority of 0x7fffffff are allowed to exist and
  71   such rules are ordered in an unpredictable way, thanks to bsd folks.)
  72
  73   Lookup is plain linear search until the first match with selector.
  74
  75   If "action" is "block", then we prohibit the flow, otherwise:
  76   if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
  77   policy entry has list of up to XFRM_MAX_DEPTH transformations,
  78   described by templates xfrm_tmpl. Each template is resolved
  79   to a complete xfrm_state (see below) and we pack bundle of transformations
  80   to a dst_entry returned to requestor.
  81
  82   dst -. xfrm  .-> xfrm_state #1
  83    |---. child .-> dst -. xfrm .-> xfrm_state #2
  84                     |---. child .-> dst -. xfrm .-> xfrm_state #3
  85                                      |---. child .-> NULL
  86
  87   Bundles are cached at xrfm_policy struct (field ->bundles).
  88
  89
  90   Resolution of xrfm_tmpl
  91   -----------------------
  92   Template contains:
  93   1. ->mode            Mode: transport or tunnel
  94   2. ->id.proto        Protocol: AH/ESP/IPCOMP
  95   3. ->id.daddr        Remote tunnel endpoint, ignored for transport mode.
  96      Q: allow to resolve security gateway?
  97   4. ->id.spi          If not zero, static SPI.
  98   5. ->saddr           Local tunnel endpoint, ignored for transport mode.
  99   6. ->algos           List of allowed algos. Plain bitmask now.
 100      Q: ealgos, aalgos, calgos. What a mess...
 101   7. ->share           Sharing mode.
 102      Q: how to implement private sharing mode? To add struct sock* to
 103      flow id?
 104
 105   Having this template we search through SAD searching for entries
 106   with appropriate mode/proto/algo, permitted by selector.
 107   If no appropriate entry found, it is requested from key manager.
 108
 109   PROBLEMS:
 110   Q: How to find all the bundles referring to a physical path for
 111      PMTU discovery? Seems, dst should contain list of all parents...
 112      and enter to infinite locking hierarchy disaster.
 113      No! It is easier, we will not search for them, let them find us.
 114      We add genid to each dst plus pointer to genid of raw IP route,
 115      pmtu disc will update pmtu on raw IP route and increase its genid.
 116      dst_check() will see this for top level and trigger resyncing
 117      metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
 118 */
 119
 120struct xfrm_state_walk {
 121        struct list_head        all;
 122        u8                      state;
 123        union {
 124                u8              dying;
 125                u8              proto;
 126        };
 127        u32                     seq;
 128};
 129
 130/* Full description of state of transformer. */
 131struct xfrm_state
 132{
 133        union {
 134                struct hlist_node       gclist;
 135                struct hlist_node       bydst;
 136        };
 137        struct hlist_node       bysrc;
 138        struct hlist_node       byspi;
 139
 140        atomic_t                refcnt;
 141        spinlock_t              lock;
 142
 143        struct xfrm_id          id;
 144        struct xfrm_selector    sel;
 145
 146        u32                     genid;
 147
 148        /* Key manager bits */
 149        struct xfrm_state_walk  km;
 150
 151        /* Parameters of this state. */
 152        struct {
 153                u32             reqid;
 154                u8              mode;
 155                u8              replay_window;
 156                u8              aalgo, ealgo, calgo;
 157                u8              flags;
 158                u16             family;
 159                xfrm_address_t  saddr;
 160                int             header_len;
 161                int             trailer_len;
 162        } props;
 163
 164        struct xfrm_lifetime_cfg lft;
 165
 166        /* Data for transformer */
 167        struct xfrm_algo        *aalg;
 168        struct xfrm_algo        *ealg;
 169        struct xfrm_algo        *calg;
 170        struct xfrm_algo_aead   *aead;
 171
 172        /* Data for encapsulator */
 173        struct xfrm_encap_tmpl  *encap;
 174
 175        /* Data for care-of address */
 176        xfrm_address_t  *coaddr;
 177
 178        /* IPComp needs an IPIP tunnel for handling uncompressed packets */
 179        struct xfrm_state       *tunnel;
 180
 181        /* If a tunnel, number of users + 1 */
 182        atomic_t                tunnel_users;
 183
 184        /* State for replay detection */
 185        struct xfrm_replay_state replay;
 186
 187        /* Replay detection state at the time we sent the last notification */
 188        struct xfrm_replay_state preplay;
 189
 190        /* internal flag that only holds state for delayed aevent at the
 191         * moment
 192        */
 193        u32                     xflags;
 194
 195        /* Replay detection notification settings */
 196        u32                     replay_maxage;
 197        u32                     replay_maxdiff;
 198
 199        /* Replay detection notification timer */
 200        struct timer_list       rtimer;
 201
 202        /* Statistics */
 203        struct xfrm_stats       stats;
 204
 205        struct xfrm_lifetime_cur curlft;
 206        struct timer_list       timer;
 207
 208        /* Last used time */
 209        unsigned long           lastused;
 210
 211        /* Reference to data common to all the instances of this
 212         * transformer. */
 213        const struct xfrm_type  *type;
 214        struct xfrm_mode        *inner_mode;
 215        struct xfrm_mode        *inner_mode_iaf;
 216        struct xfrm_mode        *outer_mode;
 217
 218        /* Security context */
 219        struct xfrm_sec_ctx     *security;
 220
 221        /* Private data of this transformer, format is opaque,
 222         * interpreted by xfrm_type methods. */
 223        void                    *data;
 224};
 225
 226/* xflags - make enum if more show up */
 227#define XFRM_TIME_DEFER 1
 228
 229enum {
 230        XFRM_STATE_VOID,
 231        XFRM_STATE_ACQ,
 232        XFRM_STATE_VALID,
 233        XFRM_STATE_ERROR,
 234        XFRM_STATE_EXPIRED,
 235        XFRM_STATE_DEAD
 236};
 237
 238/* callback structure passed from either netlink or pfkey */
 239struct km_event
 240{
 241        union {
 242                u32 hard;
 243                u32 proto;
 244                u32 byid;
 245                u32 aevent;
 246                u32 type;
 247        } data;
 248
 249        u32     seq;
 250        u32     pid;
 251        u32     event;
 252};
 253
 254struct net_device;
 255struct xfrm_type;
 256struct xfrm_dst;
 257struct xfrm_policy_afinfo {
 258        unsigned short          family;
 259        struct dst_ops          *dst_ops;
 260        void                    (*garbage_collect)(void);
 261        struct dst_entry        *(*dst_lookup)(int tos, xfrm_address_t *saddr,
 262                                               xfrm_address_t *daddr);
 263        int                     (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr);
 264        struct dst_entry        *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
 265        void                    (*decode_session)(struct sk_buff *skb,
 266                                                  struct flowi *fl,
 267                                                  int reverse);
 268        int                     (*get_tos)(struct flowi *fl);
 269        int                     (*init_path)(struct xfrm_dst *path,
 270                                             struct dst_entry *dst,
 271                                             int nfheader_len);
 272        int                     (*fill_dst)(struct xfrm_dst *xdst,
 273                                            struct net_device *dev);
 274};
 275
 276extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
 277extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
 278extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
 279extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
 280
 281struct xfrm_tmpl;
 282extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
 283extern void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
 284extern int __xfrm_state_delete(struct xfrm_state *x);
 285
 286struct xfrm_state_afinfo {
 287        unsigned int            family;
 288        unsigned int            proto;
 289        __be16                  eth_proto;
 290        struct module           *owner;
 291        const struct xfrm_type  *type_map[IPPROTO_MAX];
 292        struct xfrm_mode        *mode_map[XFRM_MODE_MAX];
 293        int                     (*init_flags)(struct xfrm_state *x);
 294        void                    (*init_tempsel)(struct xfrm_state *x, struct flowi *fl,
 295                                                struct xfrm_tmpl *tmpl,
 296                                                xfrm_address_t *daddr, xfrm_address_t *saddr);
 297        int                     (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
 298        int                     (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
 299        int                     (*output)(struct sk_buff *skb);
 300        int                     (*extract_input)(struct xfrm_state *x,
 301                                                 struct sk_buff *skb);
 302        int                     (*extract_output)(struct xfrm_state *x,
 303                                                  struct sk_buff *skb);
 304        int                     (*transport_finish)(struct sk_buff *skb,
 305                                                    int async);
 306};
 307
 308extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
 309extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
 310
 311extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
 312
 313struct xfrm_type
 314{
 315        char                    *description;
 316        struct module           *owner;
 317        __u8                    proto;
 318        __u8                    flags;
 319#define XFRM_TYPE_NON_FRAGMENT  1
 320#define XFRM_TYPE_REPLAY_PROT   2
 321#define XFRM_TYPE_LOCAL_COADDR  4
 322#define XFRM_TYPE_REMOTE_COADDR 8
 323
 324        int                     (*init_state)(struct xfrm_state *x);
 325        void                    (*destructor)(struct xfrm_state *);
 326        int                     (*input)(struct xfrm_state *, struct sk_buff *skb);
 327        int                     (*output)(struct xfrm_state *, struct sk_buff *pskb);
 328        int                     (*reject)(struct xfrm_state *, struct sk_buff *, struct flowi *);
 329        int                     (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
 330        /* Estimate maximal size of result of transformation of a dgram */
 331        u32                     (*get_mtu)(struct xfrm_state *, int size);
 332};
 333
 334extern int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
 335extern int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
 336
 337struct xfrm_mode {
 338        /*
 339         * Remove encapsulation header.
 340         *
 341         * The IP header will be moved over the top of the encapsulation
 342         * header.
 343         *
 344         * On entry, the transport header shall point to where the IP header
 345         * should be and the network header shall be set to where the IP
 346         * header currently is.  skb->data shall point to the start of the
 347         * payload.
 348         */
 349        int (*input2)(struct xfrm_state *x, struct sk_buff *skb);
 350
 351        /*
 352         * This is the actual input entry point.
 353         *
 354         * For transport mode and equivalent this would be identical to
 355         * input2 (which does not need to be set).  While tunnel mode
 356         * and equivalent would set this to the tunnel encapsulation function
 357         * xfrm4_prepare_input that would in turn call input2.
 358         */
 359        int (*input)(struct xfrm_state *x, struct sk_buff *skb);
 360
 361        /*
 362         * Add encapsulation header.
 363         *
 364         * On exit, the transport header will be set to the start of the
 365         * encapsulation header to be filled in by x->type->output and
 366         * the mac header will be set to the nextheader (protocol for
 367         * IPv4) field of the extension header directly preceding the
 368         * encapsulation header, or in its absence, that of the top IP
 369         * header.  The value of the network header will always point
 370         * to the top IP header while skb->data will point to the payload.
 371         */
 372        int (*output2)(struct xfrm_state *x,struct sk_buff *skb);
 373
 374        /*
 375         * This is the actual output entry point.
 376         *
 377         * For transport mode and equivalent this would be identical to
 378         * output2 (which does not need to be set).  While tunnel mode
 379         * and equivalent would set this to a tunnel encapsulation function
 380         * (xfrm4_prepare_output or xfrm6_prepare_output) that would in turn
 381         * call output2.
 382         */
 383        int (*output)(struct xfrm_state *x, struct sk_buff *skb);
 384
 385        struct xfrm_state_afinfo *afinfo;
 386        struct module *owner;
 387        unsigned int encap;
 388        int flags;
 389};
 390
 391/* Flags for xfrm_mode. */
 392enum {
 393        XFRM_MODE_FLAG_TUNNEL = 1,
 394};
 395
 396extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
 397extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
 398
 399static inline int xfrm_af2proto(unsigned int family)
 400{
 401        switch(family) {
 402        case AF_INET:
 403                return IPPROTO_IPIP;
 404        case AF_INET6:
 405                return IPPROTO_IPV6;
 406        default:
 407                return 0;
 408        }
 409}
 410
 411static inline struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
 412{
 413        if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
 414            (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
 415                return x->inner_mode;
 416        else
 417                return x->inner_mode_iaf;
 418}
 419
 420struct xfrm_tmpl
 421{
 422/* id in template is interpreted as:
 423 * daddr - destination of tunnel, may be zero for transport mode.
 424 * spi   - zero to acquire spi. Not zero if spi is static, then
 425 *         daddr must be fixed too.
 426 * proto - AH/ESP/IPCOMP
 427 */
 428        struct xfrm_id          id;
 429
 430/* Source address of tunnel. Ignored, if it is not a tunnel. */
 431        xfrm_address_t          saddr;
 432
 433        unsigned short          encap_family;
 434
 435        __u32                   reqid;
 436
 437/* Mode: transport, tunnel etc. */
 438        __u8                    mode;
 439
 440/* Sharing mode: unique, this session only, this user only etc. */
 441        __u8                    share;
 442
 443/* May skip this transfomration if no SA is found */
 444        __u8                    optional;
 445
 446/* Skip aalgos/ealgos/calgos checks. */
 447        __u8                    allalgs;
 448
 449/* Bit mask of algos allowed for acquisition */
 450        __u32                   aalgos;
 451        __u32                   ealgos;
 452        __u32                   calgos;
 453};
 454
 455#define XFRM_MAX_DEPTH          6
 456
 457struct xfrm_policy_walk_entry {
 458        struct list_head        all;
 459        u8                      dead;
 460};
 461
 462struct xfrm_policy_walk {
 463        struct xfrm_policy_walk_entry walk;
 464        u8 type;
 465        u32 seq;
 466};
 467
 468struct xfrm_policy
 469{
 470        struct xfrm_policy      *next;
 471        struct hlist_node       bydst;
 472        struct hlist_node       byidx;
 473
 474        /* This lock only affects elements except for entry. */
 475        rwlock_t                lock;
 476        atomic_t                refcnt;
 477        struct timer_list       timer;
 478
 479        u32                     priority;
 480        u32                     index;
 481        struct xfrm_selector    selector;
 482        struct xfrm_lifetime_cfg lft;
 483        struct xfrm_lifetime_cur curlft;
 484        struct dst_entry       *bundles;
 485        struct xfrm_policy_walk_entry walk;
 486        u8                      type;
 487        u8                      action;
 488        u8                      flags;
 489        u8                      xfrm_nr;
 490        u16                     family;
 491        struct xfrm_sec_ctx     *security;
 492        struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
 493};
 494
 495struct xfrm_kmaddress {
 496        xfrm_address_t          local;
 497        xfrm_address_t          remote;
 498        u32                     reserved;
 499        u16                     family;
 500};
 501
 502struct xfrm_migrate {
 503        xfrm_address_t          old_daddr;
 504        xfrm_address_t          old_saddr;
 505        xfrm_address_t          new_daddr;
 506        xfrm_address_t          new_saddr;
 507        u8                      proto;
 508        u8                      mode;
 509        u16                     reserved;
 510        u32                     reqid;
 511        u16                     old_family;
 512        u16                     new_family;
 513};
 514
 515#define XFRM_KM_TIMEOUT                30
 516/* which seqno */
 517#define XFRM_REPLAY_SEQ         1
 518#define XFRM_REPLAY_OSEQ        2
 519#define XFRM_REPLAY_SEQ_MASK    3
 520/* what happened */
 521#define XFRM_REPLAY_UPDATE      XFRM_AE_CR
 522#define XFRM_REPLAY_TIMEOUT     XFRM_AE_CE
 523
 524/* default aevent timeout in units of 100ms */
 525#define XFRM_AE_ETIME                   10
 526/* Async Event timer multiplier */
 527#define XFRM_AE_ETH_M                   10
 528/* default seq threshold size */
 529#define XFRM_AE_SEQT_SIZE               2
 530
 531struct xfrm_mgr
 532{
 533        struct list_head        list;
 534        char                    *id;
 535        int                     (*notify)(struct xfrm_state *x, struct km_event *c);
 536        int                     (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir);
 537        struct xfrm_policy      *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
 538        int                     (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
 539        int                     (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c);
 540        int                     (*report)(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
 541        int                     (*migrate)(struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles, struct xfrm_kmaddress *k);
 542};
 543
 544extern int xfrm_register_km(struct xfrm_mgr *km);
 545extern int xfrm_unregister_km(struct xfrm_mgr *km);
 546
 547extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2];
 548
 549/*
 550 * This structure is used for the duration where packets are being
 551 * transformed by IPsec.  As soon as the packet leaves IPsec the
 552 * area beyond the generic IP part may be overwritten.
 553 */
 554struct xfrm_skb_cb {
 555        union {
 556                struct inet_skb_parm h4;
 557                struct inet6_skb_parm h6;
 558        } header;
 559
 560        /* Sequence number for replay protection. */
 561        union {
 562                u64 output;
 563                __be32 input;
 564        } seq;
 565};
 566
 567#define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
 568
 569/*
 570 * This structure is used by the afinfo prepare_input/prepare_output functions
 571 * to transmit header information to the mode input/output functions.
 572 */
 573struct xfrm_mode_skb_cb {
 574        union {
 575                struct inet_skb_parm h4;
 576                struct inet6_skb_parm h6;
 577        } header;
 578
 579        /* Copied from header for IPv4, always set to zero and DF for IPv6. */
 580        __be16 id;
 581        __be16 frag_off;
 582
 583        /* IP header length (excluding options or extension headers). */
 584        u8 ihl;
 585
 586        /* TOS for IPv4, class for IPv6. */
 587        u8 tos;
 588
 589        /* TTL for IPv4, hop limitfor IPv6. */
 590        u8 ttl;
 591
 592        /* Protocol for IPv4, NH for IPv6. */
 593        u8 protocol;
 594
 595        /* Option length for IPv4, zero for IPv6. */
 596        u8 optlen;
 597
 598        /* Used by IPv6 only, zero for IPv4. */
 599        u8 flow_lbl[3];
 600};
 601
 602#define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
 603
 604/*
 605 * This structure is used by the input processing to locate the SPI and
 606 * related information.
 607 */
 608struct xfrm_spi_skb_cb {
 609        union {
 610                struct inet_skb_parm h4;
 611                struct inet6_skb_parm h6;
 612        } header;
 613
 614        unsigned int daddroff;
 615        unsigned int family;
 616};
 617
 618#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
 619
 620/* Audit Information */
 621struct xfrm_audit
 622{
 623        u32     secid;
 624        uid_t   loginuid;
 625        u32     sessionid;
 626};
 627
 628#ifdef CONFIG_AUDITSYSCALL
 629static inline struct audit_buffer *xfrm_audit_start(const char *op)
 630{
 631        struct audit_buffer *audit_buf = NULL;
 632
 633        if (audit_enabled == 0)
 634                return NULL;
 635        audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
 636                                    AUDIT_MAC_IPSEC_EVENT);
 637        if (audit_buf == NULL)
 638                return NULL;
 639        audit_log_format(audit_buf, "op=%s", op);
 640        return audit_buf;
 641}
 642
 643static inline void xfrm_audit_helper_usrinfo(uid_t auid, u32 ses, u32 secid,
 644                                             struct audit_buffer *audit_buf)
 645{
 646        char *secctx;
 647        u32 secctx_len;
 648
 649        audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
 650        if (secid != 0 &&
 651            security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
 652                audit_log_format(audit_buf, " subj=%s", secctx);
 653                security_release_secctx(secctx, secctx_len);
 654        } else
 655                audit_log_task_context(audit_buf);
 656}
 657
 658extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 659                                  u32 auid, u32 ses, u32 secid);
 660extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 661                                  u32 auid, u32 ses, u32 secid);
 662extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
 663                                 u32 auid, u32 ses, u32 secid);
 664extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 665                                    u32 auid, u32 ses, u32 secid);
 666extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 667                                             struct sk_buff *skb);
 668extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
 669extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 670                                      __be32 net_spi, __be32 net_seq);
 671extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
 672                                     struct sk_buff *skb, u8 proto);
 673#else
 674
 675static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 676                                  u32 auid, u32 ses, u32 secid)
 677{
 678}
 679
 680static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 681                                  u32 auid, u32 ses, u32 secid)
 682{
 683}
 684
 685static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
 686                                 u32 auid, u32 ses, u32 secid)
 687{
 688}
 689
 690static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 691                                    u32 auid, u32 ses, u32 secid)
 692{
 693}
 694
 695static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 696                                             struct sk_buff *skb)
 697{
 698}
 699
 700static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
 701                                      u16 family)
 702{
 703}
 704
 705static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 706                                      __be32 net_spi, __be32 net_seq)
 707{
 708}
 709
 710static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
 711                                     struct sk_buff *skb, u8 proto)
 712{
 713}
 714#endif /* CONFIG_AUDITSYSCALL */
 715
 716static inline void xfrm_pol_hold(struct xfrm_policy *policy)
 717{
 718        if (likely(policy != NULL))
 719                atomic_inc(&policy->refcnt);
 720}
 721
 722extern void xfrm_policy_destroy(struct xfrm_policy *policy);
 723
 724static inline void xfrm_pol_put(struct xfrm_policy *policy)
 725{
 726        if (atomic_dec_and_test(&policy->refcnt))
 727                xfrm_policy_destroy(policy);
 728}
 729
 730#ifdef CONFIG_XFRM_SUB_POLICY
 731static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
 732{
 733        int i;
 734        for (i = npols - 1; i >= 0; --i)
 735                xfrm_pol_put(pols[i]);
 736}
 737#else
 738static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
 739{
 740        xfrm_pol_put(pols[0]);
 741}
 742#endif
 743
 744extern void __xfrm_state_destroy(struct xfrm_state *);
 745
 746static inline void __xfrm_state_put(struct xfrm_state *x)
 747{
 748        atomic_dec(&x->refcnt);
 749}
 750
 751static inline void xfrm_state_put(struct xfrm_state *x)
 752{
 753        if (atomic_dec_and_test(&x->refcnt))
 754                __xfrm_state_destroy(x);
 755}
 756
 757static inline void xfrm_state_hold(struct xfrm_state *x)
 758{
 759        atomic_inc(&x->refcnt);
 760}
 761
 762static __inline__ int addr_match(void *token1, void *token2, int prefixlen)
 763{
 764        __be32 *a1 = token1;
 765        __be32 *a2 = token2;
 766        int pdw;
 767        int pbi;
 768
 769        pdw = prefixlen >> 5;     /* num of whole __u32 in prefix */
 770        pbi = prefixlen &  0x1f;  /* num of bits in incomplete u32 in prefix */
 771
 772        if (pdw)
 773                if (memcmp(a1, a2, pdw << 2))
 774                        return 0;
 775
 776        if (pbi) {
 777                __be32 mask;
 778
 779                mask = htonl((0xffffffff) << (32 - pbi));
 780
 781                if ((a1[pdw] ^ a2[pdw]) & mask)
 782                        return 0;
 783        }
 784
 785        return 1;
 786}
 787
 788static __inline__
 789__be16 xfrm_flowi_sport(struct flowi *fl)
 790{
 791        __be16 port;
 792        switch(fl->proto) {
 793        case IPPROTO_TCP:
 794        case IPPROTO_UDP:
 795        case IPPROTO_UDPLITE:
 796        case IPPROTO_SCTP:
 797                port = fl->fl_ip_sport;
 798                break;
 799        case IPPROTO_ICMP:
 800        case IPPROTO_ICMPV6:
 801                port = htons(fl->fl_icmp_type);
 802                break;
 803        case IPPROTO_MH:
 804                port = htons(fl->fl_mh_type);
 805                break;
 806        default:
 807                port = 0;       /*XXX*/
 808        }
 809        return port;
 810}
 811
 812static __inline__
 813__be16 xfrm_flowi_dport(struct flowi *fl)
 814{
 815        __be16 port;
 816        switch(fl->proto) {
 817        case IPPROTO_TCP:
 818        case IPPROTO_UDP:
 819        case IPPROTO_UDPLITE:
 820        case IPPROTO_SCTP:
 821                port = fl->fl_ip_dport;
 822                break;
 823        case IPPROTO_ICMP:
 824        case IPPROTO_ICMPV6:
 825                port = htons(fl->fl_icmp_code);
 826                break;
 827        default:
 828                port = 0;       /*XXX*/
 829        }
 830        return port;
 831}
 832
 833extern int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
 834                               unsigned short family);
 835
 836#ifdef CONFIG_SECURITY_NETWORK_XFRM
 837/*      If neither has a context --> match
 838 *      Otherwise, both must have a context and the sids, doi, alg must match
 839 */
 840static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 841{
 842        return ((!s1 && !s2) ||
 843                (s1 && s2 &&
 844                 (s1->ctx_sid == s2->ctx_sid) &&
 845                 (s1->ctx_doi == s2->ctx_doi) &&
 846                 (s1->ctx_alg == s2->ctx_alg)));
 847}
 848#else
 849static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 850{
 851        return 1;
 852}
 853#endif
 854
 855/* A struct encoding bundle of transformations to apply to some set of flow.
 856 *
 857 * dst->child points to the next element of bundle.
 858 * dst->xfrm  points to an instanse of transformer.
 859 *
 860 * Due to unfortunate limitations of current routing cache, which we
 861 * have no time to fix, it mirrors struct rtable and bound to the same
 862 * routing key, including saddr,daddr. However, we can have many of
 863 * bundles differing by session id. All the bundles grow from a parent
 864 * policy rule.
 865 */
 866struct xfrm_dst
 867{
 868        union {
 869                struct dst_entry        dst;
 870                struct rtable           rt;
 871                struct rt6_info         rt6;
 872        } u;
 873        struct dst_entry *route;
 874#ifdef CONFIG_XFRM_SUB_POLICY
 875        struct flowi *origin;
 876        struct xfrm_selector *partner;
 877#endif
 878        u32 genid;
 879        u32 route_mtu_cached;
 880        u32 child_mtu_cached;
 881        u32 route_cookie;
 882        u32 path_cookie;
 883};
 884
 885static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
 886{
 887        dst_release(xdst->route);
 888        if (likely(xdst->u.dst.xfrm))
 889                xfrm_state_put(xdst->u.dst.xfrm);
 890#ifdef CONFIG_XFRM_SUB_POLICY
 891        kfree(xdst->origin);
 892        xdst->origin = NULL;
 893        kfree(xdst->partner);
 894        xdst->partner = NULL;
 895#endif
 896}
 897
 898extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
 899
 900struct sec_path
 901{
 902        atomic_t                refcnt;
 903        int                     len;
 904        struct xfrm_state       *xvec[XFRM_MAX_DEPTH];
 905};
 906
 907static inline struct sec_path *
 908secpath_get(struct sec_path *sp)
 909{
 910        if (sp)
 911                atomic_inc(&sp->refcnt);
 912        return sp;
 913}
 914
 915extern void __secpath_destroy(struct sec_path *sp);
 916
 917static inline void
 918secpath_put(struct sec_path *sp)
 919{
 920        if (sp && atomic_dec_and_test(&sp->refcnt))
 921                __secpath_destroy(sp);
 922}
 923
 924extern struct sec_path *secpath_dup(struct sec_path *src);
 925
 926static inline void
 927secpath_reset(struct sk_buff *skb)
 928{
 929#ifdef CONFIG_XFRM
 930        secpath_put(skb->sp);
 931        skb->sp = NULL;
 932#endif
 933}
 934
 935static inline int
 936xfrm_addr_any(xfrm_address_t *addr, unsigned short family)
 937{
 938        switch (family) {
 939        case AF_INET:
 940                return addr->a4 == 0;
 941        case AF_INET6:
 942                return ipv6_addr_any((struct in6_addr *)&addr->a6);
 943        }
 944        return 0;
 945}
 946
 947static inline int
 948__xfrm4_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
 949{
 950        return  (tmpl->saddr.a4 &&
 951                 tmpl->saddr.a4 != x->props.saddr.a4);
 952}
 953
 954static inline int
 955__xfrm6_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
 956{
 957        return  (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
 958                 ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
 959}
 960
 961static inline int
 962xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family)
 963{
 964        switch (family) {
 965        case AF_INET:
 966                return __xfrm4_state_addr_cmp(tmpl, x);
 967        case AF_INET6:
 968                return __xfrm6_state_addr_cmp(tmpl, x);
 969        }
 970        return !0;
 971}
 972
 973#ifdef CONFIG_XFRM
 974extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
 975
 976static inline int __xfrm_policy_check2(struct sock *sk, int dir,
 977                                       struct sk_buff *skb,
 978                                       unsigned int family, int reverse)
 979{
 980        int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
 981
 982        if (sk && sk->sk_policy[XFRM_POLICY_IN])
 983                return __xfrm_policy_check(sk, ndir, skb, family);
 984
 985        return  (!xfrm_policy_count[dir] && !skb->sp) ||
 986                (skb->dst->flags & DST_NOPOLICY) ||
 987                __xfrm_policy_check(sk, ndir, skb, family);
 988}
 989
 990static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
 991{
 992        return __xfrm_policy_check2(sk, dir, skb, family, 0);
 993}
 994
 995static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
 996{
 997        return xfrm_policy_check(sk, dir, skb, AF_INET);
 998}
 999
1000static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)

1001{
1002        return xfrm_policy_check(sk, dir, skb, AF_INET6);
1003}
1004
1005static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1006                                             struct sk_buff *skb)
1007{
1008        return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1009}
1010
1011static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1012                                             struct sk_buff *skb)
1013{
1014        return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1015}
1016
1017extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1018                                 unsigned int family, int reverse);
1019
1020static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1021                                      unsigned int family)
1022{
1023        return __xfrm_decode_session(skb, fl, family, 0);
1024}
1025
1026static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1027                                              struct flowi *fl,
1028                                              unsigned int family)
1029{
1030        return __xfrm_decode_session(skb, fl, family, 1);
1031}
1032
1033extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1034
1035static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1036{
1037        return  !xfrm_policy_count[XFRM_POLICY_OUT] ||
1038                (skb->dst->flags & DST_NOXFRM) ||
1039                __xfrm_route_forward(skb, family);
1040}
1041
1042static inline int xfrm4_route_forward(struct sk_buff *skb)
1043{
1044        return xfrm_route_forward(skb, AF_INET);
1045}
1046
1047static inline int xfrm6_route_forward(struct sk_buff *skb)
1048{
1049        return xfrm_route_forward(skb, AF_INET6);
1050}
1051
1052extern int __xfrm_sk_clone_policy(struct sock *sk);
1053
1054static inline int xfrm_sk_clone_policy(struct sock *sk)
1055{
1056        if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
1057                return __xfrm_sk_clone_policy(sk);
1058        return 0;
1059}
1060
1061extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1062
1063static inline void xfrm_sk_free_policy(struct sock *sk)
1064{
1065        if (unlikely(sk->sk_policy[0] != NULL)) {
1066                xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
1067                sk->sk_policy[0] = NULL;
1068        }
1069        if (unlikely(sk->sk_policy[1] != NULL)) {
1070                xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
1071                sk->sk_policy[1] = NULL;
1072        }
1073}
1074
1075#else
1076
1077static inline void xfrm_sk_free_policy(struct sock *sk) {}
1078static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
1079static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }  
1080static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; } 
1081static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1082{ 
1083        return 1; 
1084} 
1085static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1086{
1087        return 1;
1088}
1089static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1090{
1091        return 1;
1092}
1093static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1094                                              struct flowi *fl,
1095                                              unsigned int family)
1096{
1097        return -ENOSYS;
1098}
1099static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1100                                             struct sk_buff *skb)
1101{
1102        return 1;
1103}
1104static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1105                                             struct sk_buff *skb)
1106{
1107        return 1;
1108}
1109#endif
1110
1111static __inline__
1112xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
1113{
1114        switch (family){
1115        case AF_INET:
1116                return (xfrm_address_t *)&fl->fl4_dst;
1117        case AF_INET6:
1118                return (xfrm_address_t *)&fl->fl6_dst;
1119        }
1120        return NULL;
1121}
1122
1123static __inline__
1124xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family)
1125{
1126        switch (family){
1127        case AF_INET:
1128                return (xfrm_address_t *)&fl->fl4_src;
1129        case AF_INET6:
1130                return (xfrm_address_t *)&fl->fl6_src;
1131        }
1132        return NULL;
1133}
1134
1135static __inline__
1136void xfrm_flowi_addr_get(struct flowi *fl,
1137                         xfrm_address_t *saddr, xfrm_address_t *daddr,
1138                         unsigned short family)
1139{
1140        switch(family) {
1141        case AF_INET:
1142                memcpy(&saddr->a4, &fl->fl4_src, sizeof(saddr->a4));
1143                memcpy(&daddr->a4, &fl->fl4_dst, sizeof(daddr->a4));
1144                break;
1145        case AF_INET6:
1146                ipv6_addr_copy((struct in6_addr *)&saddr->a6, &fl->fl6_src);
1147                ipv6_addr_copy((struct in6_addr *)&daddr->a6, &fl->fl6_dst);
1148                break;
1149        }
1150}
1151
1152static __inline__ int
1153__xfrm4_state_addr_check(struct xfrm_state *x,
1154                         xfrm_address_t *daddr, xfrm_address_t *saddr)
1155{
1156        if (daddr->a4 == x->id.daddr.a4 &&
1157            (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1158                return 1;
1159        return 0;
1160}
1161
1162static __inline__ int
1163__xfrm6_state_addr_check(struct xfrm_state *x,
1164                         xfrm_address_t *daddr, xfrm_address_t *saddr)
1165{
1166        if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1167            (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)|| 
1168             ipv6_addr_any((struct in6_addr *)saddr) || 
1169             ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1170                return 1;
1171        return 0;
1172}
1173
1174static __inline__ int
1175xfrm_state_addr_check(struct xfrm_state *x,
1176                      xfrm_address_t *daddr, xfrm_address_t *saddr,
1177                      unsigned short family)
1178{
1179        switch (family) {
1180        case AF_INET:
1181                return __xfrm4_state_addr_check(x, daddr, saddr);
1182        case AF_INET6:
1183                return __xfrm6_state_addr_check(x, daddr, saddr);
1184        }
1185        return 0;
1186}
1187
1188static __inline__ int
1189xfrm_state_addr_flow_check(struct xfrm_state *x, struct flowi *fl,
1190                           unsigned short family)
1191{
1192        switch (family) {
1193        case AF_INET:
1194                return __xfrm4_state_addr_check(x,
1195                                                (xfrm_address_t *)&fl->fl4_dst,
1196                                                (xfrm_address_t *)&fl->fl4_src);
1197        case AF_INET6:
1198                return __xfrm6_state_addr_check(x,
1199                                                (xfrm_address_t *)&fl->fl6_dst,
1200                                                (xfrm_address_t *)&fl->fl6_src);
1201        }
1202        return 0;
1203}
1204
1205static inline int xfrm_state_kern(struct xfrm_state *x)
1206{
1207        return atomic_read(&x->tunnel_users);
1208}
1209
1210static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1211{
1212        return (!userproto || proto == userproto ||
1213                (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1214                                                  proto == IPPROTO_ESP ||
1215                                                  proto == IPPROTO_COMP)));
1216}
1217
1218/*
1219 * xfrm algorithm information
1220 */
1221struct xfrm_algo_aead_info {
1222        u16 icv_truncbits;
1223};
1224
1225struct xfrm_algo_auth_info {
1226        u16 icv_truncbits;
1227        u16 icv_fullbits;
1228};
1229
1230struct xfrm_algo_encr_info {
1231        u16 blockbits;
1232        u16 defkeybits;
1233};
1234
1235struct xfrm_algo_comp_info {
1236        u16 threshold;
1237};
1238
1239struct xfrm_algo_desc {
1240        char *name;
1241        char *compat;
1242        u8 available:1;
1243        union {
1244                struct xfrm_algo_aead_info aead;
1245                struct xfrm_algo_auth_info auth;
1246                struct xfrm_algo_encr_info encr;
1247                struct xfrm_algo_comp_info comp;
1248        } uinfo;
1249        struct sadb_alg desc;
1250};
1251
1252/* XFRM tunnel handlers.  */
1253struct xfrm_tunnel {
1254        int (*handler)(struct sk_buff *skb);
1255        int (*err_handler)(struct sk_buff *skb, __u32 info);
1256
1257        struct xfrm_tunnel *next;
1258        int priority;
1259};
1260
1261struct xfrm6_tunnel {
1262        int (*handler)(struct sk_buff *skb);
1263        int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1264                           int type, int code, int offset, __be32 info);
1265        struct xfrm6_tunnel *next;
1266        int priority;
1267};
1268
1269extern void xfrm_init(void);
1270extern void xfrm4_init(void);
1271extern void xfrm_state_init(void);
1272extern void xfrm4_state_init(void);
1273#ifdef CONFIG_XFRM
1274extern int xfrm6_init(void);
1275extern void xfrm6_fini(void);
1276extern int xfrm6_state_init(void);
1277extern void xfrm6_state_fini(void);
1278#else
1279static inline int xfrm6_init(void)
1280{
1281        return 0;
1282}
1283static inline void xfrm6_fini(void)
1284{
1285        ;
1286}
1287#endif
1288
1289#ifdef CONFIG_XFRM_STATISTICS
1290extern int xfrm_proc_init(void);
1291#endif
1292
1293extern void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto);
1294extern int xfrm_state_walk(struct xfrm_state_walk *walk,
1295                           int (*func)(struct xfrm_state *, int, void*), void *);
1296extern void xfrm_state_walk_done(struct xfrm_state_walk *walk);
1297extern struct xfrm_state *xfrm_state_alloc(void);
1298extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 
1299                                          struct flowi *fl, struct xfrm_tmpl *tmpl,
1300                                          struct xfrm_policy *pol, int *err,
1301                                          unsigned short family);
1302extern struct xfrm_state * xfrm_stateonly_find(xfrm_address_t *daddr,
1303                                               xfrm_address_t *saddr,
1304                                               unsigned short family,
1305                                               u8 mode, u8 proto, u32 reqid);
1306extern int xfrm_state_check_expire(struct xfrm_state *x);
1307extern void xfrm_state_insert(struct xfrm_state *x);
1308extern int xfrm_state_add(struct xfrm_state *x);
1309extern int xfrm_state_update(struct xfrm_state *x);
1310extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family);
1311extern struct xfrm_state *xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family);
1312#ifdef CONFIG_XFRM_SUB_POLICY
1313extern int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1314                          int n, unsigned short family);
1315extern int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1316                           int n, unsigned short family);
1317#else
1318static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1319                                 int n, unsigned short family)
1320{
1321        return -ENOSYS;
1322}
1323
1324static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1325                                  int n, unsigned short family)
1326{
1327        return -ENOSYS;
1328}
1329#endif
1330
1331struct xfrmk_sadinfo {
1332        u32 sadhcnt; /* current hash bkts */
1333        u32 sadhmcnt; /* max allowed hash bkts */
1334        u32 sadcnt; /* current running count */
1335};
1336
1337struct xfrmk_spdinfo {
1338        u32 incnt;
1339        u32 outcnt;
1340        u32 fwdcnt;
1341        u32 inscnt;
1342        u32 outscnt;
1343        u32 fwdscnt;
1344        u32 spdhcnt;
1345        u32 spdhmcnt;
1346};
1347
1348extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq);
1349extern int xfrm_state_delete(struct xfrm_state *x);
1350extern int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info);
1351extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si);
1352extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si);
1353extern int xfrm_replay_check(struct xfrm_state *x,
1354                             struct sk_buff *skb, __be32 seq);
1355extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);
1356extern void xfrm_replay_notify(struct xfrm_state *x, int event);
1357extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
1358extern int xfrm_init_state(struct xfrm_state *x);
1359extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
1360extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi,
1361                      int encap_type);
1362extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1363extern int xfrm_output_resume(struct sk_buff *skb, int err);
1364extern int xfrm_output(struct sk_buff *skb);
1365extern int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1366extern int xfrm4_extract_header(struct sk_buff *skb);
1367extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1368extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1369                           int encap_type);
1370extern int xfrm4_transport_finish(struct sk_buff *skb, int async);
1371extern int xfrm4_rcv(struct sk_buff *skb);
1372
1373static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1374{
1375        return xfrm4_rcv_encap(skb, nexthdr, spi, 0);
1376}
1377
1378extern int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1379extern int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1380extern int xfrm4_output(struct sk_buff *skb);
1381extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1382extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1383extern int xfrm6_extract_header(struct sk_buff *skb);
1384extern int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1385extern int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
1386extern int xfrm6_transport_finish(struct sk_buff *skb, int async);
1387extern int xfrm6_rcv(struct sk_buff *skb);
1388extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1389                            xfrm_address_t *saddr, u8 proto);
1390extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1391extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1392extern __be32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);
1393extern void xfrm6_tunnel_free_spi(xfrm_address_t *saddr);
1394extern __be32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr);
1395extern int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1396extern int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1397extern int xfrm6_output(struct sk_buff *skb);
1398extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1399                                 u8 **prevhdr);
1400
1401#ifdef CONFIG_XFRM
1402extern int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1403extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
1404#else
1405static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1406{
1407        return -ENOPROTOOPT;
1408} 
1409
1410static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1411{
1412        /* should not happen */
1413        kfree_skb(skb);
1414        return 0;
1415}
1416#endif
1417
1418struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
1419
1420extern void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1421extern int xfrm_policy_walk(struct xfrm_policy_walk *walk,
1422        int (*func)(struct xfrm_policy *, int, int, void*), void *);
1423extern void xfrm_policy_walk_done(struct xfrm_policy_walk *walk);
1424int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1425struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
1426                                          struct xfrm_selector *sel,
1427                                          struct xfrm_sec_ctx *ctx, int delete,
1428                                          int *err);
1429struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int *err);
1430int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
1431u32 xfrm_get_acqseq(void);
1432extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1433struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1434                                  xfrm_address_t *daddr, xfrm_address_t *saddr,
1435                                  int create, unsigned short family);
1436extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1437extern int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst,
1438                          struct flowi *fl, int family, int strict);
1439
1440#ifdef CONFIG_XFRM_MIGRATE
1441extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1442                      struct xfrm_migrate *m, int num_bundles,
1443                      struct xfrm_kmaddress *k);
1444extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m);
1445extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1446                                              struct xfrm_migrate *m);
1447extern int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1448                        struct xfrm_migrate *m, int num_bundles,
1449                        struct xfrm_kmaddress *k);
1450#endif
1451
1452extern wait_queue_head_t km_waitq;
1453extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1454extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid);
1455extern int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
1456
1457extern void xfrm_input_init(void);
1458extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1459
1460extern void xfrm_probe_algs(void);
1461extern int xfrm_count_auth_supported(void);
1462extern int xfrm_count_enc_supported(void);
1463extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1464extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1465extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1466extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1467extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1468extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe);
1469extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe);
1470extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe);
1471extern struct xfrm_algo_desc *xfrm_aead_get_byname(char *name, int icv_len,
1472                                                   int probe);
1473
1474struct hash_desc;
1475struct scatterlist;
1476typedef int (icv_update_fn_t)(struct hash_desc *, struct scatterlist *,
1477                              unsigned int);
1478
1479extern int skb_icv_walk(const struct sk_buff *skb, struct hash_desc *tfm,
1480                        int offset, int len, icv_update_fn_t icv_update);
1481
1482static inline int xfrm_addr_cmp(xfrm_address_t *a, xfrm_address_t *b,
1483                                int family)
1484{
1485        switch (family) {
1486        default:
1487        case AF_INET:
1488                return (__force __u32)a->a4 - (__force __u32)b->a4;
1489        case AF_INET6:
1490                return ipv6_addr_cmp((struct in6_addr *)a,
1491                                     (struct in6_addr *)b);
1492        }
1493}
1494
1495static inline int xfrm_policy_id2dir(u32 index)
1496{
1497        return index & 7;
1498}
1499
1500static inline int xfrm_aevent_is_on(void)
1501{
1502        struct sock *nlsk;
1503        int ret = 0;
1504
1505        rcu_read_lock();
1506        nlsk = rcu_dereference(xfrm_nl);
1507        if (nlsk)
1508                ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1509        rcu_read_unlock();
1510        return ret;
1511}
1512
1513static inline int xfrm_alg_len(struct xfrm_algo *alg)
1514{
1515        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1516}
1517
1518#ifdef CONFIG_XFRM_MIGRATE
1519static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1520{
1521        return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1522}
1523
1524static inline void xfrm_states_put(struct xfrm_state **states, int n)
1525{
1526        int i;
1527        for (i = 0; i < n; i++)
1528                xfrm_state_put(*(states + i));
1529}
1530
1531static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1532{
1533        int i;
1534        for (i = 0; i < n; i++)
1535                xfrm_state_delete(*(states + i));
1536}
1537#endif
1538
1539static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1540{
1541        return skb->sp->xvec[skb->sp->len - 1];
1542}
1543
1544#endif  /* _NET_XFRM_H */
1545
The original LXR software by the LXR community, this experimental version by lxr@linux.no.
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.