linux/include/net/xfrm.h
<<
>>
Prefs 
   1#ifndef _NET_XFRM_H
   2#define _NET_XFRM_H
   3
   4#include <linux/compiler.h>
   5#include <linux/xfrm.h>
   6#include <linux/spinlock.h>
   7#include <linux/list.h>
   8#include <linux/skbuff.h>
   9#include <linux/socket.h>
  10#include <linux/pfkeyv2.h>
  11#include <linux/ipsec.h>
  12#include <linux/in6.h>
  13#include <linux/mutex.h>
  14#include <linux/audit.h>
  15
  16#include <net/sock.h>
  17#include <net/dst.h>
  18#include <net/ip.h>
  19#include <net/route.h>
  20#include <net/ipv6.h>
  21#include <net/ip6_fib.h>
  22
  23#include <linux/interrupt.h>
  24
  25#ifdef CONFIG_XFRM_STATISTICS
  26#include <net/snmp.h>
  27#endif
  28
  29#define XFRM_PROTO_ESP          50
  30#define XFRM_PROTO_AH           51
  31#define XFRM_PROTO_COMP         108
  32#define XFRM_PROTO_IPIP         4
  33#define XFRM_PROTO_IPV6         41
  34#define XFRM_PROTO_ROUTING      IPPROTO_ROUTING
  35#define XFRM_PROTO_DSTOPTS      IPPROTO_DSTOPTS
  36
  37#define XFRM_ALIGN8(len)        (((len) + 7) & ~7)
  38#define MODULE_ALIAS_XFRM_MODE(family, encap) \
  39        MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
  40#define MODULE_ALIAS_XFRM_TYPE(family, proto) \
  41        MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
  42
  43#ifdef CONFIG_XFRM_STATISTICS
  44#define XFRM_INC_STATS(net, field)      SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
  45#define XFRM_INC_STATS_BH(net, field)   SNMP_INC_STATS_BH((net)->mib.xfrm_statistics, field)
  46#define XFRM_INC_STATS_USER(net, field) SNMP_INC_STATS_USER((net)-mib.xfrm_statistics, field)
  47#else
  48#define XFRM_INC_STATS(net, field)      ((void)(net))
  49#define XFRM_INC_STATS_BH(net, field)   ((void)(net))
  50#define XFRM_INC_STATS_USER(net, field) ((void)(net))
  51#endif
  52
  53extern struct mutex xfrm_cfg_mutex;
  54
  55/* Organization of SPD aka "XFRM rules"
  56   ------------------------------------
  57
  58   Basic objects:
  59   - policy rule, struct xfrm_policy (=SPD entry)
  60   - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
  61   - instance of a transformer, struct xfrm_state (=SA)
  62   - template to clone xfrm_state, struct xfrm_tmpl
  63
  64   SPD is plain linear list of xfrm_policy rules, ordered by priority.
  65   (To be compatible with existing pfkeyv2 implementations,
  66   many rules with priority of 0x7fffffff are allowed to exist and
  67   such rules are ordered in an unpredictable way, thanks to bsd folks.)
  68
  69   Lookup is plain linear search until the first match with selector.
  70
  71   If "action" is "block", then we prohibit the flow, otherwise:
  72   if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
  73   policy entry has list of up to XFRM_MAX_DEPTH transformations,
  74   described by templates xfrm_tmpl. Each template is resolved
  75   to a complete xfrm_state (see below) and we pack bundle of transformations
  76   to a dst_entry returned to requestor.
  77
  78   dst -. xfrm  .-> xfrm_state #1
  79    |---. child .-> dst -. xfrm .-> xfrm_state #2
  80                     |---. child .-> dst -. xfrm .-> xfrm_state #3
  81                                      |---. child .-> NULL
  82
  83   Bundles are cached at xrfm_policy struct (field ->bundles).
  84
  85
  86   Resolution of xrfm_tmpl
  87   -----------------------
  88   Template contains:
  89   1. ->mode            Mode: transport or tunnel
  90   2. ->id.proto        Protocol: AH/ESP/IPCOMP
  91   3. ->id.daddr        Remote tunnel endpoint, ignored for transport mode.
  92      Q: allow to resolve security gateway?
  93   4. ->id.spi          If not zero, static SPI.
  94   5. ->saddr           Local tunnel endpoint, ignored for transport mode.
  95   6. ->algos           List of allowed algos. Plain bitmask now.
  96      Q: ealgos, aalgos, calgos. What a mess...
  97   7. ->share           Sharing mode.
  98      Q: how to implement private sharing mode? To add struct sock* to
  99      flow id?
 100
 101   Having this template we search through SAD searching for entries
 102   with appropriate mode/proto/algo, permitted by selector.
 103   If no appropriate entry found, it is requested from key manager.
 104
 105   PROBLEMS:
 106   Q: How to find all the bundles referring to a physical path for
 107      PMTU discovery? Seems, dst should contain list of all parents...
 108      and enter to infinite locking hierarchy disaster.
 109      No! It is easier, we will not search for them, let them find us.
 110      We add genid to each dst plus pointer to genid of raw IP route,
 111      pmtu disc will update pmtu on raw IP route and increase its genid.
 112      dst_check() will see this for top level and trigger resyncing
 113      metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
 114 */
 115
 116struct xfrm_state_walk {
 117        struct list_head        all;
 118        u8                      state;
 119        union {
 120                u8              dying;
 121                u8              proto;
 122        };
 123        u32                     seq;
 124};
 125
 126/* Full description of state of transformer. */
 127struct xfrm_state {
 128#ifdef CONFIG_NET_NS
 129        struct net              *xs_net;
 130#endif
 131        union {
 132                struct hlist_node       gclist;
 133                struct hlist_node       bydst;
 134        };
 135        struct hlist_node       bysrc;
 136        struct hlist_node       byspi;
 137
 138        atomic_t                refcnt;
 139        spinlock_t              lock;
 140
 141        struct xfrm_id          id;
 142        struct xfrm_selector    sel;
 143
 144        u32                     genid;
 145
 146        /* Key manager bits */
 147        struct xfrm_state_walk  km;
 148
 149        /* Parameters of this state. */
 150        struct {
 151                u32             reqid;
 152                u8              mode;
 153                u8              replay_window;
 154                u8              aalgo, ealgo, calgo;
 155                u8              flags;
 156                u16             family;
 157                xfrm_address_t  saddr;
 158                int             header_len;
 159                int             trailer_len;
 160        } props;
 161
 162        struct xfrm_lifetime_cfg lft;
 163
 164        /* Data for transformer */
 165        struct xfrm_algo_auth   *aalg;
 166        struct xfrm_algo        *ealg;
 167        struct xfrm_algo        *calg;
 168        struct xfrm_algo_aead   *aead;
 169
 170        /* Data for encapsulator */
 171        struct xfrm_encap_tmpl  *encap;
 172
 173        /* Data for care-of address */
 174        xfrm_address_t  *coaddr;
 175
 176        /* IPComp needs an IPIP tunnel for handling uncompressed packets */
 177        struct xfrm_state       *tunnel;
 178
 179        /* If a tunnel, number of users + 1 */
 180        atomic_t                tunnel_users;
 181
 182        /* State for replay detection */
 183        struct xfrm_replay_state replay;
 184
 185        /* Replay detection state at the time we sent the last notification */
 186        struct xfrm_replay_state preplay;
 187
 188        /* internal flag that only holds state for delayed aevent at the
 189         * moment
 190        */
 191        u32                     xflags;
 192
 193        /* Replay detection notification settings */
 194        u32                     replay_maxage;
 195        u32                     replay_maxdiff;
 196
 197        /* Replay detection notification timer */
 198        struct timer_list       rtimer;
 199
 200        /* Statistics */
 201        struct xfrm_stats       stats;
 202
 203        struct xfrm_lifetime_cur curlft;
 204        struct tasklet_hrtimer  mtimer;
 205
 206        /* Last used time */
 207        unsigned long           lastused;
 208
 209        /* Reference to data common to all the instances of this
 210         * transformer. */
 211        const struct xfrm_type  *type;
 212        struct xfrm_mode        *inner_mode;
 213        struct xfrm_mode        *inner_mode_iaf;
 214        struct xfrm_mode        *outer_mode;
 215
 216        /* Security context */
 217        struct xfrm_sec_ctx     *security;
 218
 219        /* Private data of this transformer, format is opaque,
 220         * interpreted by xfrm_type methods. */
 221        void                    *data;
 222};
 223
 224static inline struct net *xs_net(struct xfrm_state *x)
 225{
 226        return read_pnet(&x->xs_net);
 227}
 228
 229/* xflags - make enum if more show up */
 230#define XFRM_TIME_DEFER 1
 231
 232enum {
 233        XFRM_STATE_VOID,
 234        XFRM_STATE_ACQ,
 235        XFRM_STATE_VALID,
 236        XFRM_STATE_ERROR,
 237        XFRM_STATE_EXPIRED,
 238        XFRM_STATE_DEAD
 239};
 240
 241/* callback structure passed from either netlink or pfkey */
 242struct km_event {
 243        union {
 244                u32 hard;
 245                u32 proto;
 246                u32 byid;
 247                u32 aevent;
 248                u32 type;
 249        } data;
 250
 251        u32     seq;
 252        u32     pid;
 253        u32     event;
 254        struct net *net;
 255};
 256
 257struct net_device;
 258struct xfrm_type;
 259struct xfrm_dst;
 260struct xfrm_policy_afinfo {
 261        unsigned short          family;
 262        struct dst_ops          *dst_ops;
 263        void                    (*garbage_collect)(struct net *net);
 264        struct dst_entry        *(*dst_lookup)(struct net *net, int tos,
 265                                               xfrm_address_t *saddr,
 266                                               xfrm_address_t *daddr);
 267        int                     (*get_saddr)(struct net *net, xfrm_address_t *saddr, xfrm_address_t *daddr);
 268        struct dst_entry        *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
 269        void                    (*decode_session)(struct sk_buff *skb,
 270                                                  struct flowi *fl,
 271                                                  int reverse);
 272        int                     (*get_tos)(struct flowi *fl);
 273        int                     (*init_path)(struct xfrm_dst *path,
 274                                             struct dst_entry *dst,
 275                                             int nfheader_len);
 276        int                     (*fill_dst)(struct xfrm_dst *xdst,
 277                                            struct net_device *dev);
 278};
 279
 280extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
 281extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
 282extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
 283extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
 284
 285struct xfrm_tmpl;
 286extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
 287extern void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
 288extern int __xfrm_state_delete(struct xfrm_state *x);
 289
 290struct xfrm_state_afinfo {
 291        unsigned int            family;
 292        unsigned int            proto;
 293        __be16                  eth_proto;
 294        struct module           *owner;
 295        const struct xfrm_type  *type_map[IPPROTO_MAX];
 296        struct xfrm_mode        *mode_map[XFRM_MODE_MAX];
 297        int                     (*init_flags)(struct xfrm_state *x);
 298        void                    (*init_tempsel)(struct xfrm_state *x, struct flowi *fl,
 299                                                struct xfrm_tmpl *tmpl,
 300                                                xfrm_address_t *daddr, xfrm_address_t *saddr);
 301        int                     (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
 302        int                     (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
 303        int                     (*output)(struct sk_buff *skb);
 304        int                     (*extract_input)(struct xfrm_state *x,
 305                                                 struct sk_buff *skb);
 306        int                     (*extract_output)(struct xfrm_state *x,
 307                                                  struct sk_buff *skb);
 308        int                     (*transport_finish)(struct sk_buff *skb,
 309                                                    int async);
 310};
 311
 312extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
 313extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
 314
 315extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
 316
 317struct xfrm_type {
 318        char                    *description;
 319        struct module           *owner;
 320        __u8                    proto;
 321        __u8                    flags;
 322#define XFRM_TYPE_NON_FRAGMENT  1
 323#define XFRM_TYPE_REPLAY_PROT   2
 324#define XFRM_TYPE_LOCAL_COADDR  4
 325#define XFRM_TYPE_REMOTE_COADDR 8
 326
 327        int                     (*init_state)(struct xfrm_state *x);
 328        void                    (*destructor)(struct xfrm_state *);
 329        int                     (*input)(struct xfrm_state *, struct sk_buff *skb);
 330        int                     (*output)(struct xfrm_state *, struct sk_buff *pskb);
 331        int                     (*reject)(struct xfrm_state *, struct sk_buff *, struct flowi *);
 332        int                     (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
 333        /* Estimate maximal size of result of transformation of a dgram */
 334        u32                     (*get_mtu)(struct xfrm_state *, int size);
 335};
 336
 337extern int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
 338extern int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
 339
 340struct xfrm_mode {
 341        /*
 342         * Remove encapsulation header.
 343         *
 344         * The IP header will be moved over the top of the encapsulation
 345         * header.
 346         *
 347         * On entry, the transport header shall point to where the IP header
 348         * should be and the network header shall be set to where the IP
 349         * header currently is.  skb->data shall point to the start of the
 350         * payload.
 351         */
 352        int (*input2)(struct xfrm_state *x, struct sk_buff *skb);
 353
 354        /*
 355         * This is the actual input entry point.
 356         *
 357         * For transport mode and equivalent this would be identical to
 358         * input2 (which does not need to be set).  While tunnel mode
 359         * and equivalent would set this to the tunnel encapsulation function
 360         * xfrm4_prepare_input that would in turn call input2.
 361         */
 362        int (*input)(struct xfrm_state *x, struct sk_buff *skb);
 363
 364        /*
 365         * Add encapsulation header.
 366         *
 367         * On exit, the transport header will be set to the start of the
 368         * encapsulation header to be filled in by x->type->output and
 369         * the mac header will be set to the nextheader (protocol for
 370         * IPv4) field of the extension header directly preceding the
 371         * encapsulation header, or in its absence, that of the top IP
 372         * header.  The value of the network header will always point
 373         * to the top IP header while skb->data will point to the payload.
 374         */
 375        int (*output2)(struct xfrm_state *x,struct sk_buff *skb);
 376
 377        /*
 378         * This is the actual output entry point.
 379         *
 380         * For transport mode and equivalent this would be identical to
 381         * output2 (which does not need to be set).  While tunnel mode
 382         * and equivalent would set this to a tunnel encapsulation function
 383         * (xfrm4_prepare_output or xfrm6_prepare_output) that would in turn
 384         * call output2.
 385         */
 386        int (*output)(struct xfrm_state *x, struct sk_buff *skb);
 387
 388        struct xfrm_state_afinfo *afinfo;
 389        struct module *owner;
 390        unsigned int encap;
 391        int flags;
 392};
 393
 394/* Flags for xfrm_mode. */
 395enum {
 396        XFRM_MODE_FLAG_TUNNEL = 1,
 397};
 398
 399extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
 400extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
 401
 402static inline int xfrm_af2proto(unsigned int family)
 403{
 404        switch(family) {
 405        case AF_INET:
 406                return IPPROTO_IPIP;
 407        case AF_INET6:
 408                return IPPROTO_IPV6;
 409        default:
 410                return 0;
 411        }
 412}
 413
 414static inline struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
 415{
 416        if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
 417            (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
 418                return x->inner_mode;
 419        else
 420                return x->inner_mode_iaf;
 421}
 422
 423struct xfrm_tmpl {
 424/* id in template is interpreted as:
 425 * daddr - destination of tunnel, may be zero for transport mode.
 426 * spi   - zero to acquire spi. Not zero if spi is static, then
 427 *         daddr must be fixed too.
 428 * proto - AH/ESP/IPCOMP
 429 */
 430        struct xfrm_id          id;
 431
 432/* Source address of tunnel. Ignored, if it is not a tunnel. */
 433        xfrm_address_t          saddr;
 434
 435        unsigned short          encap_family;
 436
 437        __u32                   reqid;
 438
 439/* Mode: transport, tunnel etc. */
 440        __u8                    mode;
 441
 442/* Sharing mode: unique, this session only, this user only etc. */
 443        __u8                    share;
 444
 445/* May skip this transfomration if no SA is found */
 446        __u8                    optional;
 447
 448/* Skip aalgos/ealgos/calgos checks. */
 449        __u8                    allalgs;
 450
 451/* Bit mask of algos allowed for acquisition */
 452        __u32                   aalgos;
 453        __u32                   ealgos;
 454        __u32                   calgos;
 455};
 456
 457#define XFRM_MAX_DEPTH          6
 458
 459struct xfrm_policy_walk_entry {
 460        struct list_head        all;
 461        u8                      dead;
 462};
 463
 464struct xfrm_policy_walk {
 465        struct xfrm_policy_walk_entry walk;
 466        u8 type;
 467        u32 seq;
 468};
 469
 470struct xfrm_policy {
 471#ifdef CONFIG_NET_NS
 472        struct net              *xp_net;
 473#endif
 474        struct hlist_node       bydst;
 475        struct hlist_node       byidx;
 476
 477        /* This lock only affects elements except for entry. */
 478        rwlock_t                lock;
 479        atomic_t                refcnt;
 480        struct timer_list       timer;
 481
 482        u32                     priority;
 483        u32                     index;
 484        struct xfrm_selector    selector;
 485        struct xfrm_lifetime_cfg lft;
 486        struct xfrm_lifetime_cur curlft;
 487        struct dst_entry       *bundles;
 488        struct xfrm_policy_walk_entry walk;
 489        u8                      type;
 490        u8                      action;
 491        u8                      flags;
 492        u8                      xfrm_nr;
 493        u16                     family;
 494        struct xfrm_sec_ctx     *security;
 495        struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
 496};
 497
 498static inline struct net *xp_net(struct xfrm_policy *xp)
 499{
 500        return read_pnet(&xp->xp_net);
 501}
 502
 503struct xfrm_kmaddress {
 504        xfrm_address_t          local;
 505        xfrm_address_t          remote;
 506        u32                     reserved;
 507        u16                     family;
 508};
 509
 510struct xfrm_migrate {
 511        xfrm_address_t          old_daddr;
 512        xfrm_address_t          old_saddr;
 513        xfrm_address_t          new_daddr;
 514        xfrm_address_t          new_saddr;
 515        u8                      proto;
 516        u8                      mode;
 517        u16                     reserved;
 518        u32                     reqid;
 519        u16                     old_family;
 520        u16                     new_family;
 521};
 522
 523#define XFRM_KM_TIMEOUT                30
 524/* which seqno */
 525#define XFRM_REPLAY_SEQ         1
 526#define XFRM_REPLAY_OSEQ        2
 527#define XFRM_REPLAY_SEQ_MASK    3
 528/* what happened */
 529#define XFRM_REPLAY_UPDATE      XFRM_AE_CR
 530#define XFRM_REPLAY_TIMEOUT     XFRM_AE_CE
 531
 532/* default aevent timeout in units of 100ms */
 533#define XFRM_AE_ETIME                   10
 534/* Async Event timer multiplier */
 535#define XFRM_AE_ETH_M                   10
 536/* default seq threshold size */
 537#define XFRM_AE_SEQT_SIZE               2
 538
 539struct xfrm_mgr {
 540        struct list_head        list;
 541        char                    *id;
 542        int                     (*notify)(struct xfrm_state *x, struct km_event *c);
 543        int                     (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir);
 544        struct xfrm_policy      *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
 545        int                     (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
 546        int                     (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c);
 547        int                     (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
 548        int                     (*migrate)(struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles, struct xfrm_kmaddress *k);
 549};
 550
 551extern int xfrm_register_km(struct xfrm_mgr *km);
 552extern int xfrm_unregister_km(struct xfrm_mgr *km);
 553
 554/*
 555 * This structure is used for the duration where packets are being
 556 * transformed by IPsec.  As soon as the packet leaves IPsec the
 557 * area beyond the generic IP part may be overwritten.
 558 */
 559struct xfrm_skb_cb {
 560        union {
 561                struct inet_skb_parm h4;
 562                struct inet6_skb_parm h6;
 563        } header;
 564
 565        /* Sequence number for replay protection. */
 566        union {
 567                u64 output;
 568                __be32 input;
 569        } seq;
 570};
 571
 572#define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
 573
 574/*
 575 * This structure is used by the afinfo prepare_input/prepare_output functions
 576 * to transmit header information to the mode input/output functions.
 577 */
 578struct xfrm_mode_skb_cb {
 579        union {
 580                struct inet_skb_parm h4;
 581                struct inet6_skb_parm h6;
 582        } header;
 583
 584        /* Copied from header for IPv4, always set to zero and DF for IPv6. */
 585        __be16 id;
 586        __be16 frag_off;
 587
 588        /* IP header length (excluding options or extension headers). */
 589        u8 ihl;
 590
 591        /* TOS for IPv4, class for IPv6. */
 592        u8 tos;
 593
 594        /* TTL for IPv4, hop limitfor IPv6. */
 595        u8 ttl;
 596
 597        /* Protocol for IPv4, NH for IPv6. */
 598        u8 protocol;
 599
 600        /* Option length for IPv4, zero for IPv6. */
 601        u8 optlen;
 602
 603        /* Used by IPv6 only, zero for IPv4. */
 604        u8 flow_lbl[3];
 605};
 606
 607#define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
 608
 609/*
 610 * This structure is used by the input processing to locate the SPI and
 611 * related information.
 612 */
 613struct xfrm_spi_skb_cb {
 614        union {
 615                struct inet_skb_parm h4;
 616                struct inet6_skb_parm h6;
 617        } header;
 618
 619        unsigned int daddroff;
 620        unsigned int family;
 621};
 622
 623#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
 624
 625/* Audit Information */
 626struct xfrm_audit {
 627        u32     secid;
 628        uid_t   loginuid;
 629        u32     sessionid;
 630};
 631
 632#ifdef CONFIG_AUDITSYSCALL
 633static inline struct audit_buffer *xfrm_audit_start(const char *op)
 634{
 635        struct audit_buffer *audit_buf = NULL;
 636
 637        if (audit_enabled == 0)
 638                return NULL;
 639        audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
 640                                    AUDIT_MAC_IPSEC_EVENT);
 641        if (audit_buf == NULL)
 642                return NULL;
 643        audit_log_format(audit_buf, "op=%s", op);
 644        return audit_buf;
 645}
 646
 647static inline void xfrm_audit_helper_usrinfo(uid_t auid, u32 ses, u32 secid,
 648                                             struct audit_buffer *audit_buf)
 649{
 650        char *secctx;
 651        u32 secctx_len;
 652
 653        audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
 654        if (secid != 0 &&
 655            security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
 656                audit_log_format(audit_buf, " subj=%s", secctx);
 657                security_release_secctx(secctx, secctx_len);
 658        } else
 659                audit_log_task_context(audit_buf);
 660}
 661
 662extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 663                                  u32 auid, u32 ses, u32 secid);
 664extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 665                                  u32 auid, u32 ses, u32 secid);
 666extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
 667                                 u32 auid, u32 ses, u32 secid);
 668extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 669                                    u32 auid, u32 ses, u32 secid);
 670extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 671                                             struct sk_buff *skb);
 672extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
 673extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 674                                      __be32 net_spi, __be32 net_seq);
 675extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
 676                                     struct sk_buff *skb, u8 proto);
 677#else
 678
 679static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 680                                  u32 auid, u32 ses, u32 secid)
 681{
 682}
 683
 684static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 685                                  u32 auid, u32 ses, u32 secid)
 686{
 687}
 688
 689static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
 690                                 u32 auid, u32 ses, u32 secid)
 691{
 692}
 693
 694static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 695                                    u32 auid, u32 ses, u32 secid)
 696{
 697}
 698
 699static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 700                                             struct sk_buff *skb)
 701{
 702}
 703
 704static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
 705                                      u16 family)
 706{
 707}
 708
 709static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 710                                      __be32 net_spi, __be32 net_seq)
 711{
 712}
 713
 714static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
 715                                     struct sk_buff *skb, u8 proto)
 716{
 717}
 718#endif /* CONFIG_AUDITSYSCALL */
 719
 720static inline void xfrm_pol_hold(struct xfrm_policy *policy)
 721{
 722        if (likely(policy != NULL))
 723                atomic_inc(&policy->refcnt);
 724}
 725
 726extern void xfrm_policy_destroy(struct xfrm_policy *policy);
 727
 728static inline void xfrm_pol_put(struct xfrm_policy *policy)
 729{
 730        if (atomic_dec_and_test(&policy->refcnt))
 731                xfrm_policy_destroy(policy);
 732}
 733
 734#ifdef CONFIG_XFRM_SUB_POLICY
 735static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
 736{
 737        int i;
 738        for (i = npols - 1; i >= 0; --i)
 739                xfrm_pol_put(pols[i]);
 740}
 741#else
 742static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
 743{
 744        xfrm_pol_put(pols[0]);
 745}
 746#endif
 747
 748extern void __xfrm_state_destroy(struct xfrm_state *);
 749
 750static inline void __xfrm_state_put(struct xfrm_state *x)
 751{
 752        atomic_dec(&x->refcnt);
 753}
 754
 755static inline void xfrm_state_put(struct xfrm_state *x)
 756{
 757        if (atomic_dec_and_test(&x->refcnt))
 758                __xfrm_state_destroy(x);
 759}
 760
 761static inline void xfrm_state_hold(struct xfrm_state *x)
 762{
 763        atomic_inc(&x->refcnt);
 764}
 765
 766static __inline__ int addr_match(void *token1, void *token2, int prefixlen)
 767{
 768        __be32 *a1 = token1;
 769        __be32 *a2 = token2;
 770        int pdw;
 771        int pbi;
 772
 773        pdw = prefixlen >> 5;     /* num of whole __u32 in prefix */
 774        pbi = prefixlen &  0x1f;  /* num of bits in incomplete u32 in prefix */
 775
 776        if (pdw)
 777                if (memcmp(a1, a2, pdw << 2))
 778                        return 0;
 779
 780        if (pbi) {
 781                __be32 mask;
 782
 783                mask = htonl((0xffffffff) << (32 - pbi));
 784
 785                if ((a1[pdw] ^ a2[pdw]) & mask)
 786                        return 0;
 787        }
 788
 789        return 1;
 790}
 791
 792static __inline__
 793__be16 xfrm_flowi_sport(struct flowi *fl)
 794{
 795        __be16 port;
 796        switch(fl->proto) {
 797        case IPPROTO_TCP:
 798        case IPPROTO_UDP:
 799        case IPPROTO_UDPLITE:
 800        case IPPROTO_SCTP:
 801                port = fl->fl_ip_sport;
 802                break;
 803        case IPPROTO_ICMP:
 804        case IPPROTO_ICMPV6:
 805                port = htons(fl->fl_icmp_type);
 806                break;
 807        case IPPROTO_MH:
 808                port = htons(fl->fl_mh_type);
 809                break;
 810        default:
 811                port = 0;       /*XXX*/
 812        }
 813        return port;
 814}
 815
 816static __inline__
 817__be16 xfrm_flowi_dport(struct flowi *fl)
 818{
 819        __be16 port;
 820        switch(fl->proto) {
 821        case IPPROTO_TCP:
 822        case IPPROTO_UDP:
 823        case IPPROTO_UDPLITE:
 824        case IPPROTO_SCTP:
 825                port = fl->fl_ip_dport;
 826                break;
 827        case IPPROTO_ICMP:
 828        case IPPROTO_ICMPV6:
 829                port = htons(fl->fl_icmp_code);
 830                break;
 831        default:
 832                port = 0;       /*XXX*/
 833        }
 834        return port;
 835}
 836
 837extern int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
 838                               unsigned short family);
 839
 840#ifdef CONFIG_SECURITY_NETWORK_XFRM
 841/*      If neither has a context --> match
 842 *      Otherwise, both must have a context and the sids, doi, alg must match
 843 */
 844static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 845{
 846        return ((!s1 && !s2) ||
 847                (s1 && s2 &&
 848                 (s1->ctx_sid == s2->ctx_sid) &&
 849                 (s1->ctx_doi == s2->ctx_doi) &&
 850                 (s1->ctx_alg == s2->ctx_alg)));
 851}
 852#else
 853static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 854{
 855        return 1;
 856}
 857#endif
 858
 859/* A struct encoding bundle of transformations to apply to some set of flow.
 860 *
 861 * dst->child points to the next element of bundle.
 862 * dst->xfrm  points to an instanse of transformer.
 863 *
 864 * Due to unfortunate limitations of current routing cache, which we
 865 * have no time to fix, it mirrors struct rtable and bound to the same
 866 * routing key, including saddr,daddr. However, we can have many of
 867 * bundles differing by session id. All the bundles grow from a parent
 868 * policy rule.
 869 */
 870struct xfrm_dst {
 871        union {
 872                struct dst_entry        dst;
 873                struct rtable           rt;
 874                struct rt6_info         rt6;
 875        } u;
 876        struct dst_entry *route;
 877#ifdef CONFIG_XFRM_SUB_POLICY
 878        struct flowi *origin;
 879        struct xfrm_selector *partner;
 880#endif
 881        u32 genid;
 882        u32 route_mtu_cached;
 883        u32 child_mtu_cached;
 884        u32 route_cookie;
 885        u32 path_cookie;
 886};
 887
 888#ifdef CONFIG_XFRM
 889static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
 890{
 891        dst_release(xdst->route);
 892        if (likely(xdst->u.dst.xfrm))
 893                xfrm_state_put(xdst->u.dst.xfrm);
 894#ifdef CONFIG_XFRM_SUB_POLICY
 895        kfree(xdst->origin);
 896        xdst->origin = NULL;
 897        kfree(xdst->partner);
 898        xdst->partner = NULL;
 899#endif
 900}
 901#endif
 902
 903extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
 904
 905struct sec_path {
 906        atomic_t                refcnt;
 907        int                     len;
 908        struct xfrm_state       *xvec[XFRM_MAX_DEPTH];
 909};
 910
 911static inline struct sec_path *
 912secpath_get(struct sec_path *sp)
 913{
 914        if (sp)
 915                atomic_inc(&sp->refcnt);
 916        return sp;
 917}
 918
 919extern void __secpath_destroy(struct sec_path *sp);
 920
 921static inline void
 922secpath_put(struct sec_path *sp)
 923{
 924        if (sp && atomic_dec_and_test(&sp->refcnt))
 925                __secpath_destroy(sp);
 926}
 927
 928extern struct sec_path *secpath_dup(struct sec_path *src);
 929
 930static inline void
 931secpath_reset(struct sk_buff *skb)
 932{
 933#ifdef CONFIG_XFRM
 934        secpath_put(skb->sp);
 935        skb->sp = NULL;
 936#endif
 937}
 938
 939static inline int
 940xfrm_addr_any(xfrm_address_t *addr, unsigned short family)
 941{
 942        switch (family) {
 943        case AF_INET:
 944                return addr->a4 == 0;
 945        case AF_INET6:
 946                return ipv6_addr_any((struct in6_addr *)&addr->a6);
 947        }
 948        return 0;
 949}
 950
 951static inline int
 952__xfrm4_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
 953{
 954        return  (tmpl->saddr.a4 &&
 955                 tmpl->saddr.a4 != x->props.saddr.a4);
 956}
 957
 958static inline int
 959__xfrm6_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
 960{
 961        return  (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
 962                 ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
 963}
 964
 965static inline int
 966xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family)
 967{
 968        switch (family) {
 969        case AF_INET:
 970                return __xfrm4_state_addr_cmp(tmpl, x);
 971        case AF_INET6:
 972                return __xfrm6_state_addr_cmp(tmpl, x);
 973        }
 974        return !0;
 975}
 976
 977#ifdef CONFIG_XFRM
 978extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
 979
 980static inline int __xfrm_policy_check2(struct sock *sk, int dir,
 981                                       struct sk_buff *skb,
 982                                       unsigned int family, int reverse)
 983{
 984        struct net *net = dev_net(skb->dev);
 985        int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
 986
 987        if (sk && sk->sk_policy[XFRM_POLICY_IN])
 988                return __xfrm_policy_check(sk, ndir, skb, family);
 989
 990        return  (!net->xfrm.policy_count[dir] && !skb->sp) ||
 991                (skb_dst(skb)->flags & DST_NOPOLICY) ||
 992                __xfrm_policy_check(sk, ndir, skb, family);
 993}
 994
 995static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
 996{
 997        return __xfrm_policy_check2(sk, dir, skb, family, 0);
 998}
 999
1000static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)

1001{
1002        return xfrm_policy_check(sk, dir, skb, AF_INET);
1003}
1004
1005static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1006{
1007        return xfrm_policy_check(sk, dir, skb, AF_INET6);
1008}
1009
1010static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1011                                             struct sk_buff *skb)
1012{
1013        return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1014}
1015
1016static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1017                                             struct sk_buff *skb)
1018{
1019        return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1020}
1021
1022extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1023                                 unsigned int family, int reverse);
1024
1025static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1026                                      unsigned int family)
1027{
1028        return __xfrm_decode_session(skb, fl, family, 0);
1029}
1030
1031static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1032                                              struct flowi *fl,
1033                                              unsigned int family)
1034{
1035        return __xfrm_decode_session(skb, fl, family, 1);
1036}
1037
1038extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1039
1040static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1041{
1042        struct net *net = dev_net(skb->dev);
1043
1044        return  !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
1045                (skb_dst(skb)->flags & DST_NOXFRM) ||
1046                __xfrm_route_forward(skb, family);
1047}
1048
1049static inline int xfrm4_route_forward(struct sk_buff *skb)
1050{
1051        return xfrm_route_forward(skb, AF_INET);
1052}
1053
1054static inline int xfrm6_route_forward(struct sk_buff *skb)
1055{
1056        return xfrm_route_forward(skb, AF_INET6);
1057}
1058
1059extern int __xfrm_sk_clone_policy(struct sock *sk);
1060
1061static inline int xfrm_sk_clone_policy(struct sock *sk)
1062{
1063        if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
1064                return __xfrm_sk_clone_policy(sk);
1065        return 0;
1066}
1067
1068extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1069
1070static inline void xfrm_sk_free_policy(struct sock *sk)
1071{
1072        if (unlikely(sk->sk_policy[0] != NULL)) {
1073                xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
1074                sk->sk_policy[0] = NULL;
1075        }
1076        if (unlikely(sk->sk_policy[1] != NULL)) {
1077                xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
1078                sk->sk_policy[1] = NULL;
1079        }
1080}
1081
1082#else
1083
1084static inline void xfrm_sk_free_policy(struct sock *sk) {}
1085static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
1086static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }  
1087static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; } 
1088static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1089{ 
1090        return 1; 
1091} 
1092static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1093{
1094        return 1;
1095}
1096static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1097{
1098        return 1;
1099}
1100static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1101                                              struct flowi *fl,
1102                                              unsigned int family)
1103{
1104        return -ENOSYS;
1105}
1106static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1107                                             struct sk_buff *skb)
1108{
1109        return 1;
1110}
1111static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1112                                             struct sk_buff *skb)
1113{
1114        return 1;
1115}
1116#endif
1117
1118static __inline__
1119xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
1120{
1121        switch (family){
1122        case AF_INET:
1123                return (xfrm_address_t *)&fl->fl4_dst;
1124        case AF_INET6:
1125                return (xfrm_address_t *)&fl->fl6_dst;
1126        }
1127        return NULL;
1128}
1129
1130static __inline__
1131xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family)
1132{
1133        switch (family){
1134        case AF_INET:
1135                return (xfrm_address_t *)&fl->fl4_src;
1136        case AF_INET6:
1137                return (xfrm_address_t *)&fl->fl6_src;
1138        }
1139        return NULL;
1140}
1141
1142static __inline__
1143void xfrm_flowi_addr_get(struct flowi *fl,
1144                         xfrm_address_t *saddr, xfrm_address_t *daddr,
1145                         unsigned short family)
1146{
1147        switch(family) {
1148        case AF_INET:
1149                memcpy(&saddr->a4, &fl->fl4_src, sizeof(saddr->a4));
1150                memcpy(&daddr->a4, &fl->fl4_dst, sizeof(daddr->a4));
1151                break;
1152        case AF_INET6:
1153                ipv6_addr_copy((struct in6_addr *)&saddr->a6, &fl->fl6_src);
1154                ipv6_addr_copy((struct in6_addr *)&daddr->a6, &fl->fl6_dst);
1155                break;
1156        }
1157}
1158
1159static __inline__ int
1160__xfrm4_state_addr_check(struct xfrm_state *x,
1161                         xfrm_address_t *daddr, xfrm_address_t *saddr)
1162{
1163        if (daddr->a4 == x->id.daddr.a4 &&
1164            (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1165                return 1;
1166        return 0;
1167}
1168
1169static __inline__ int
1170__xfrm6_state_addr_check(struct xfrm_state *x,
1171                         xfrm_address_t *daddr, xfrm_address_t *saddr)
1172{
1173        if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1174            (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)|| 
1175             ipv6_addr_any((struct in6_addr *)saddr) || 
1176             ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1177                return 1;
1178        return 0;
1179}
1180
1181static __inline__ int
1182xfrm_state_addr_check(struct xfrm_state *x,
1183                      xfrm_address_t *daddr, xfrm_address_t *saddr,
1184                      unsigned short family)
1185{
1186        switch (family) {
1187        case AF_INET:
1188                return __xfrm4_state_addr_check(x, daddr, saddr);
1189        case AF_INET6:
1190                return __xfrm6_state_addr_check(x, daddr, saddr);
1191        }
1192        return 0;
1193}
1194
1195static __inline__ int
1196xfrm_state_addr_flow_check(struct xfrm_state *x, struct flowi *fl,
1197                           unsigned short family)
1198{
1199        switch (family) {
1200        case AF_INET:
1201                return __xfrm4_state_addr_check(x,
1202                                                (xfrm_address_t *)&fl->fl4_dst,
1203                                                (xfrm_address_t *)&fl->fl4_src);
1204        case AF_INET6:
1205                return __xfrm6_state_addr_check(x,
1206                                                (xfrm_address_t *)&fl->fl6_dst,
1207                                                (xfrm_address_t *)&fl->fl6_src);
1208        }
1209        return 0;
1210}
1211
1212static inline int xfrm_state_kern(struct xfrm_state *x)
1213{
1214        return atomic_read(&x->tunnel_users);
1215}
1216
1217static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1218{
1219        return (!userproto || proto == userproto ||
1220                (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1221                                                  proto == IPPROTO_ESP ||
1222                                                  proto == IPPROTO_COMP)));
1223}
1224
1225/*
1226 * xfrm algorithm information
1227 */
1228struct xfrm_algo_aead_info {
1229        u16 icv_truncbits;
1230};
1231
1232struct xfrm_algo_auth_info {
1233        u16 icv_truncbits;
1234        u16 icv_fullbits;
1235};
1236
1237struct xfrm_algo_encr_info {
1238        u16 blockbits;
1239        u16 defkeybits;
1240};
1241
1242struct xfrm_algo_comp_info {
1243        u16 threshold;
1244};
1245
1246struct xfrm_algo_desc {
1247        char *name;
1248        char *compat;
1249        u8 available:1;
1250        union {
1251                struct xfrm_algo_aead_info aead;
1252                struct xfrm_algo_auth_info auth;
1253                struct xfrm_algo_encr_info encr;
1254                struct xfrm_algo_comp_info comp;
1255        } uinfo;
1256        struct sadb_alg desc;
1257};
1258
1259/* XFRM tunnel handlers.  */
1260struct xfrm_tunnel {
1261        int (*handler)(struct sk_buff *skb);
1262        int (*err_handler)(struct sk_buff *skb, __u32 info);
1263
1264        struct xfrm_tunnel *next;
1265        int priority;
1266};
1267
1268struct xfrm6_tunnel {
1269        int (*handler)(struct sk_buff *skb);
1270        int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1271                           u8 type, u8 code, int offset, __be32 info);
1272        struct xfrm6_tunnel *next;
1273        int priority;
1274};
1275
1276extern void xfrm_init(void);
1277extern void xfrm4_init(int rt_hash_size);
1278extern int xfrm_state_init(struct net *net);
1279extern void xfrm_state_fini(struct net *net);
1280extern void xfrm4_state_init(void);
1281#ifdef CONFIG_XFRM
1282extern int xfrm6_init(void);
1283extern void xfrm6_fini(void);
1284extern int xfrm6_state_init(void);
1285extern void xfrm6_state_fini(void);
1286#else
1287static inline int xfrm6_init(void)
1288{
1289        return 0;
1290}
1291static inline void xfrm6_fini(void)
1292{
1293        ;
1294}
1295#endif
1296
1297#ifdef CONFIG_XFRM_STATISTICS
1298extern int xfrm_proc_init(struct net *net);
1299extern void xfrm_proc_fini(struct net *net);
1300#endif
1301
1302extern int xfrm_sysctl_init(struct net *net);
1303#ifdef CONFIG_SYSCTL
1304extern void xfrm_sysctl_fini(struct net *net);
1305#else
1306static inline void xfrm_sysctl_fini(struct net *net)
1307{
1308}
1309#endif
1310
1311extern void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto);
1312extern int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1313                           int (*func)(struct xfrm_state *, int, void*), void *);
1314extern void xfrm_state_walk_done(struct xfrm_state_walk *walk);
1315extern struct xfrm_state *xfrm_state_alloc(struct net *net);
1316extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 
1317                                          struct flowi *fl, struct xfrm_tmpl *tmpl,
1318                                          struct xfrm_policy *pol, int *err,
1319                                          unsigned short family);
1320extern struct xfrm_state * xfrm_stateonly_find(struct net *net,
1321                                               xfrm_address_t *daddr,
1322                                               xfrm_address_t *saddr,
1323                                               unsigned short family,
1324                                               u8 mode, u8 proto, u32 reqid);
1325extern int xfrm_state_check_expire(struct xfrm_state *x);
1326extern void xfrm_state_insert(struct xfrm_state *x);
1327extern int xfrm_state_add(struct xfrm_state *x);
1328extern int xfrm_state_update(struct xfrm_state *x);
1329extern struct xfrm_state *xfrm_state_lookup(struct net *net, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family);
1330extern struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family);
1331#ifdef CONFIG_XFRM_SUB_POLICY
1332extern int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1333                          int n, unsigned short family);
1334extern int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1335                           int n, unsigned short family);
1336#else
1337static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1338                                 int n, unsigned short family)
1339{
1340        return -ENOSYS;
1341}
1342
1343static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1344                                  int n, unsigned short family)
1345{
1346        return -ENOSYS;
1347}
1348#endif
1349
1350struct xfrmk_sadinfo {
1351        u32 sadhcnt; /* current hash bkts */
1352        u32 sadhmcnt; /* max allowed hash bkts */
1353        u32 sadcnt; /* current running count */
1354};
1355
1356struct xfrmk_spdinfo {
1357        u32 incnt;
1358        u32 outcnt;
1359        u32 fwdcnt;
1360        u32 inscnt;
1361        u32 outscnt;
1362        u32 fwdscnt;
1363        u32 spdhcnt;
1364        u32 spdhmcnt;
1365};
1366
1367extern struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 seq);
1368extern int xfrm_state_delete(struct xfrm_state *x);
1369extern int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info);
1370extern void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1371extern void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1372extern int xfrm_replay_check(struct xfrm_state *x,
1373                             struct sk_buff *skb, __be32 seq);
1374extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);
1375extern void xfrm_replay_notify(struct xfrm_state *x, int event);
1376extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
1377extern int xfrm_init_state(struct xfrm_state *x);
1378extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
1379extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi,
1380                      int encap_type);
1381extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1382extern int xfrm_output_resume(struct sk_buff *skb, int err);
1383extern int xfrm_output(struct sk_buff *skb);
1384extern int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1385extern int xfrm4_extract_header(struct sk_buff *skb);
1386extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1387extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1388                           int encap_type);
1389extern int xfrm4_transport_finish(struct sk_buff *skb, int async);
1390extern int xfrm4_rcv(struct sk_buff *skb);
1391
1392static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1393{
1394        return xfrm4_rcv_encap(skb, nexthdr, spi, 0);
1395}
1396
1397extern int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1398extern int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1399extern int xfrm4_output(struct sk_buff *skb);
1400extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1401extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1402extern int xfrm6_extract_header(struct sk_buff *skb);
1403extern int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1404extern int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
1405extern int xfrm6_transport_finish(struct sk_buff *skb, int async);
1406extern int xfrm6_rcv(struct sk_buff *skb);
1407extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1408                            xfrm_address_t *saddr, u8 proto);
1409extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1410extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1411extern __be32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);
1412extern void xfrm6_tunnel_free_spi(xfrm_address_t *saddr);
1413extern __be32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr);
1414extern int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1415extern int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1416extern int xfrm6_output(struct sk_buff *skb);
1417extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1418                                 u8 **prevhdr);
1419
1420#ifdef CONFIG_XFRM
1421extern int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1422extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
1423#else
1424static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1425{
1426        return -ENOPROTOOPT;
1427} 
1428
1429static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1430{
1431        /* should not happen */
1432        kfree_skb(skb);
1433        return 0;
1434}
1435#endif
1436
1437struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1438
1439extern void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1440extern int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1441        int (*func)(struct xfrm_policy *, int, int, void*), void *);
1442extern void xfrm_policy_walk_done(struct xfrm_policy_walk *walk);
1443int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1444struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u8 type, int dir,
1445                                          struct xfrm_selector *sel,
1446                                          struct xfrm_sec_ctx *ctx, int delete,
1447                                          int *err);
1448struct xfrm_policy *xfrm_policy_byid(struct net *net, u8, int dir, u32 id, int delete, int *err);
1449int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info);
1450u32 xfrm_get_acqseq(void);
1451extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1452struct xfrm_state * xfrm_find_acq(struct net *net, u8 mode, u32 reqid, u8 proto,
1453                                  xfrm_address_t *daddr, xfrm_address_t *saddr,
1454                                  int create, unsigned short family);
1455extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1456extern int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst,
1457                          struct flowi *fl, int family, int strict);
1458
1459#ifdef CONFIG_XFRM_MIGRATE
1460extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1461                      struct xfrm_migrate *m, int num_bundles,
1462                      struct xfrm_kmaddress *k);
1463extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m);
1464extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1465                                              struct xfrm_migrate *m);
1466extern int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1467                        struct xfrm_migrate *m, int num_bundles,
1468                        struct xfrm_kmaddress *k);
1469#endif
1470
1471extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1472extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid);
1473extern int km_report(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
1474
1475extern void xfrm_input_init(void);
1476extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1477
1478extern void xfrm_probe_algs(void);
1479extern int xfrm_count_auth_supported(void);
1480extern int xfrm_count_enc_supported(void);
1481extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1482extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1483extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1484extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1485extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1486extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe);
1487extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe);
1488extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe);
1489extern struct xfrm_algo_desc *xfrm_aead_get_byname(char *name, int icv_len,
1490                                                   int probe);
1491
1492struct hash_desc;
1493struct scatterlist;
1494typedef int (icv_update_fn_t)(struct hash_desc *, struct scatterlist *,
1495                              unsigned int);
1496
1497static inline int xfrm_addr_cmp(xfrm_address_t *a, xfrm_address_t *b,
1498                                int family)
1499{
1500        switch (family) {
1501        default:
1502        case AF_INET:
1503                return (__force __u32)a->a4 - (__force __u32)b->a4;
1504        case AF_INET6:
1505                return ipv6_addr_cmp((struct in6_addr *)a,
1506                                     (struct in6_addr *)b);
1507        }
1508}
1509
1510static inline int xfrm_policy_id2dir(u32 index)
1511{
1512        return index & 7;
1513}
1514
1515#ifdef CONFIG_XFRM
1516static inline int xfrm_aevent_is_on(struct net *net)
1517{
1518        struct sock *nlsk;
1519        int ret = 0;
1520
1521        rcu_read_lock();
1522        nlsk = rcu_dereference(net->xfrm.nlsk);
1523        if (nlsk)
1524                ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1525        rcu_read_unlock();
1526        return ret;
1527}
1528#endif
1529
1530static inline int xfrm_alg_len(struct xfrm_algo *alg)
1531{
1532        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1533}
1534
1535static inline int xfrm_alg_auth_len(struct xfrm_algo_auth *alg)
1536{
1537        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1538}
1539
1540#ifdef CONFIG_XFRM_MIGRATE
1541static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1542{
1543        return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1544}
1545
1546static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1547{
1548        return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1549}
1550
1551static inline void xfrm_states_put(struct xfrm_state **states, int n)
1552{
1553        int i;
1554        for (i = 0; i < n; i++)
1555                xfrm_state_put(*(states + i));
1556}
1557
1558static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1559{
1560        int i;
1561        for (i = 0; i < n; i++)
1562                xfrm_state_delete(*(states + i));
1563}
1564#endif
1565
1566#ifdef CONFIG_XFRM
1567static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1568{
1569        return skb->sp->xvec[skb->sp->len - 1];
1570}
1571#endif
1572
1573#endif  /* _NET_XFRM_H */
1574
The original LXR software by the LXR community, this experimental version by lxr@linux.no.
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.