linux/include/net/xfrm.h
<<
>>
Prefs 
   1#ifndef _NET_XFRM_H
   2#define _NET_XFRM_H
   3
   4#include <linux/compiler.h>
   5#include <linux/xfrm.h>
   6#include <linux/spinlock.h>
   7#include <linux/list.h>
   8#include <linux/skbuff.h>
   9#include <linux/socket.h>
  10#include <linux/pfkeyv2.h>
  11#include <linux/ipsec.h>
  12#include <linux/in6.h>
  13#include <linux/mutex.h>
  14#include <linux/audit.h>
  15#include <linux/slab.h>
  16
  17#include <net/sock.h>
  18#include <net/dst.h>
  19#include <net/ip.h>
  20#include <net/route.h>
  21#include <net/ipv6.h>
  22#include <net/ip6_fib.h>
  23#include <net/flow.h>
  24
  25#include <linux/interrupt.h>
  26
  27#ifdef CONFIG_XFRM_STATISTICS
  28#include <net/snmp.h>
  29#endif
  30
  31#define XFRM_PROTO_ESP          50
  32#define XFRM_PROTO_AH           51
  33#define XFRM_PROTO_COMP         108
  34#define XFRM_PROTO_IPIP         4
  35#define XFRM_PROTO_IPV6         41
  36#define XFRM_PROTO_ROUTING      IPPROTO_ROUTING
  37#define XFRM_PROTO_DSTOPTS      IPPROTO_DSTOPTS
  38
  39#define XFRM_ALIGN8(len)        (((len) + 7) & ~7)
  40#define MODULE_ALIAS_XFRM_MODE(family, encap) \
  41        MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
  42#define MODULE_ALIAS_XFRM_TYPE(family, proto) \
  43        MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
  44
  45#ifdef CONFIG_XFRM_STATISTICS
  46#define XFRM_INC_STATS(net, field)      SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
  47#define XFRM_INC_STATS_BH(net, field)   SNMP_INC_STATS_BH((net)->mib.xfrm_statistics, field)
  48#define XFRM_INC_STATS_USER(net, field) SNMP_INC_STATS_USER((net)-mib.xfrm_statistics, field)
  49#else
  50#define XFRM_INC_STATS(net, field)      ((void)(net))
  51#define XFRM_INC_STATS_BH(net, field)   ((void)(net))
  52#define XFRM_INC_STATS_USER(net, field) ((void)(net))
  53#endif
  54
  55extern struct mutex xfrm_cfg_mutex;
  56
  57/* Organization of SPD aka "XFRM rules"
  58   ------------------------------------
  59
  60   Basic objects:
  61   - policy rule, struct xfrm_policy (=SPD entry)
  62   - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
  63   - instance of a transformer, struct xfrm_state (=SA)
  64   - template to clone xfrm_state, struct xfrm_tmpl
  65
  66   SPD is plain linear list of xfrm_policy rules, ordered by priority.
  67   (To be compatible with existing pfkeyv2 implementations,
  68   many rules with priority of 0x7fffffff are allowed to exist and
  69   such rules are ordered in an unpredictable way, thanks to bsd folks.)
  70
  71   Lookup is plain linear search until the first match with selector.
  72
  73   If "action" is "block", then we prohibit the flow, otherwise:
  74   if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
  75   policy entry has list of up to XFRM_MAX_DEPTH transformations,
  76   described by templates xfrm_tmpl. Each template is resolved
  77   to a complete xfrm_state (see below) and we pack bundle of transformations
  78   to a dst_entry returned to requestor.
  79
  80   dst -. xfrm  .-> xfrm_state #1
  81    |---. child .-> dst -. xfrm .-> xfrm_state #2
  82                     |---. child .-> dst -. xfrm .-> xfrm_state #3
  83                                      |---. child .-> NULL
  84
  85   Bundles are cached at xrfm_policy struct (field ->bundles).
  86
  87
  88   Resolution of xrfm_tmpl
  89   -----------------------
  90   Template contains:
  91   1. ->mode            Mode: transport or tunnel
  92   2. ->id.proto        Protocol: AH/ESP/IPCOMP
  93   3. ->id.daddr        Remote tunnel endpoint, ignored for transport mode.
  94      Q: allow to resolve security gateway?
  95   4. ->id.spi          If not zero, static SPI.
  96   5. ->saddr           Local tunnel endpoint, ignored for transport mode.
  97   6. ->algos           List of allowed algos. Plain bitmask now.
  98      Q: ealgos, aalgos, calgos. What a mess...
  99   7. ->share           Sharing mode.
 100      Q: how to implement private sharing mode? To add struct sock* to
 101      flow id?
 102
 103   Having this template we search through SAD searching for entries
 104   with appropriate mode/proto/algo, permitted by selector.
 105   If no appropriate entry found, it is requested from key manager.
 106
 107   PROBLEMS:
 108   Q: How to find all the bundles referring to a physical path for
 109      PMTU discovery? Seems, dst should contain list of all parents...
 110      and enter to infinite locking hierarchy disaster.
 111      No! It is easier, we will not search for them, let them find us.
 112      We add genid to each dst plus pointer to genid of raw IP route,
 113      pmtu disc will update pmtu on raw IP route and increase its genid.
 114      dst_check() will see this for top level and trigger resyncing
 115      metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
 116 */
 117
 118struct xfrm_state_walk {
 119        struct list_head        all;
 120        u8                      state;
 121        union {
 122                u8              dying;
 123                u8              proto;
 124        };
 125        u32                     seq;
 126};
 127
 128/* Full description of state of transformer. */
 129struct xfrm_state {
 130#ifdef CONFIG_NET_NS
 131        struct net              *xs_net;
 132#endif
 133        union {
 134                struct hlist_node       gclist;
 135                struct hlist_node       bydst;
 136        };
 137        struct hlist_node       bysrc;
 138        struct hlist_node       byspi;
 139
 140        atomic_t                refcnt;
 141        spinlock_t              lock;
 142
 143        struct xfrm_id          id;
 144        struct xfrm_selector    sel;
 145        struct xfrm_mark        mark;
 146
 147        u32                     genid;
 148
 149        /* Key manager bits */
 150        struct xfrm_state_walk  km;
 151
 152        /* Parameters of this state. */
 153        struct {
 154                u32             reqid;
 155                u8              mode;
 156                u8              replay_window;
 157                u8              aalgo, ealgo, calgo;
 158                u8              flags;
 159                u16             family;
 160                xfrm_address_t  saddr;
 161                int             header_len;
 162                int             trailer_len;
 163        } props;
 164
 165        struct xfrm_lifetime_cfg lft;
 166
 167        /* Data for transformer */
 168        struct xfrm_algo_auth   *aalg;
 169        struct xfrm_algo        *ealg;
 170        struct xfrm_algo        *calg;
 171        struct xfrm_algo_aead   *aead;
 172
 173        /* Data for encapsulator */
 174        struct xfrm_encap_tmpl  *encap;
 175
 176        /* Data for care-of address */
 177        xfrm_address_t  *coaddr;
 178
 179        /* IPComp needs an IPIP tunnel for handling uncompressed packets */
 180        struct xfrm_state       *tunnel;
 181
 182        /* If a tunnel, number of users + 1 */
 183        atomic_t                tunnel_users;
 184
 185        /* State for replay detection */
 186        struct xfrm_replay_state replay;
 187
 188        /* Replay detection state at the time we sent the last notification */
 189        struct xfrm_replay_state preplay;
 190
 191        /* internal flag that only holds state for delayed aevent at the
 192         * moment
 193        */
 194        u32                     xflags;
 195
 196        /* Replay detection notification settings */
 197        u32                     replay_maxage;
 198        u32                     replay_maxdiff;
 199
 200        /* Replay detection notification timer */
 201        struct timer_list       rtimer;
 202
 203        /* Statistics */
 204        struct xfrm_stats       stats;
 205
 206        struct xfrm_lifetime_cur curlft;
 207        struct tasklet_hrtimer  mtimer;
 208
 209        /* Last used time */
 210        unsigned long           lastused;
 211
 212        /* Reference to data common to all the instances of this
 213         * transformer. */
 214        const struct xfrm_type  *type;
 215        struct xfrm_mode        *inner_mode;
 216        struct xfrm_mode        *inner_mode_iaf;
 217        struct xfrm_mode        *outer_mode;
 218
 219        /* Security context */
 220        struct xfrm_sec_ctx     *security;
 221
 222        /* Private data of this transformer, format is opaque,
 223         * interpreted by xfrm_type methods. */
 224        void                    *data;
 225};
 226
 227static inline struct net *xs_net(struct xfrm_state *x)
 228{
 229        return read_pnet(&x->xs_net);
 230}
 231
 232/* xflags - make enum if more show up */
 233#define XFRM_TIME_DEFER 1
 234
 235enum {
 236        XFRM_STATE_VOID,
 237        XFRM_STATE_ACQ,
 238        XFRM_STATE_VALID,
 239        XFRM_STATE_ERROR,
 240        XFRM_STATE_EXPIRED,
 241        XFRM_STATE_DEAD
 242};
 243
 244/* callback structure passed from either netlink or pfkey */
 245struct km_event {
 246        union {
 247                u32 hard;
 248                u32 proto;
 249                u32 byid;
 250                u32 aevent;
 251                u32 type;
 252        } data;
 253
 254        u32     seq;
 255        u32     pid;
 256        u32     event;
 257        struct net *net;
 258};
 259
 260struct net_device;
 261struct xfrm_type;
 262struct xfrm_dst;
 263struct xfrm_policy_afinfo {
 264        unsigned short          family;
 265        struct dst_ops          *dst_ops;
 266        void                    (*garbage_collect)(struct net *net);
 267        struct dst_entry        *(*dst_lookup)(struct net *net, int tos,
 268                                               xfrm_address_t *saddr,
 269                                               xfrm_address_t *daddr);
 270        int                     (*get_saddr)(struct net *net, xfrm_address_t *saddr, xfrm_address_t *daddr);
 271        void                    (*decode_session)(struct sk_buff *skb,
 272                                                  struct flowi *fl,
 273                                                  int reverse);
 274        int                     (*get_tos)(struct flowi *fl);
 275        int                     (*init_path)(struct xfrm_dst *path,
 276                                             struct dst_entry *dst,
 277                                             int nfheader_len);
 278        int                     (*fill_dst)(struct xfrm_dst *xdst,
 279                                            struct net_device *dev,
 280                                            struct flowi *fl);
 281};
 282
 283extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
 284extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
 285extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
 286extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
 287
 288struct xfrm_tmpl;
 289extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
 290extern void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
 291extern int __xfrm_state_delete(struct xfrm_state *x);
 292
 293struct xfrm_state_afinfo {
 294        unsigned int            family;
 295        unsigned int            proto;
 296        __be16                  eth_proto;
 297        struct module           *owner;
 298        const struct xfrm_type  *type_map[IPPROTO_MAX];
 299        struct xfrm_mode        *mode_map[XFRM_MODE_MAX];
 300        int                     (*init_flags)(struct xfrm_state *x);
 301        void                    (*init_tempsel)(struct xfrm_state *x, struct flowi *fl,
 302                                                struct xfrm_tmpl *tmpl,
 303                                                xfrm_address_t *daddr, xfrm_address_t *saddr);
 304        int                     (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
 305        int                     (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
 306        int                     (*output)(struct sk_buff *skb);
 307        int                     (*extract_input)(struct xfrm_state *x,
 308                                                 struct sk_buff *skb);
 309        int                     (*extract_output)(struct xfrm_state *x,
 310                                                  struct sk_buff *skb);
 311        int                     (*transport_finish)(struct sk_buff *skb,
 312                                                    int async);
 313};
 314
 315extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
 316extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
 317
 318extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
 319
 320struct xfrm_type {
 321        char                    *description;
 322        struct module           *owner;
 323        u8                      proto;
 324        u8                      flags;
 325#define XFRM_TYPE_NON_FRAGMENT  1
 326#define XFRM_TYPE_REPLAY_PROT   2
 327#define XFRM_TYPE_LOCAL_COADDR  4
 328#define XFRM_TYPE_REMOTE_COADDR 8
 329
 330        int                     (*init_state)(struct xfrm_state *x);
 331        void                    (*destructor)(struct xfrm_state *);
 332        int                     (*input)(struct xfrm_state *, struct sk_buff *skb);
 333        int                     (*output)(struct xfrm_state *, struct sk_buff *pskb);
 334        int                     (*reject)(struct xfrm_state *, struct sk_buff *, struct flowi *);
 335        int                     (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
 336        /* Estimate maximal size of result of transformation of a dgram */
 337        u32                     (*get_mtu)(struct xfrm_state *, int size);
 338};
 339
 340extern int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
 341extern int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
 342
 343struct xfrm_mode {
 344        /*
 345         * Remove encapsulation header.
 346         *
 347         * The IP header will be moved over the top of the encapsulation
 348         * header.
 349         *
 350         * On entry, the transport header shall point to where the IP header
 351         * should be and the network header shall be set to where the IP
 352         * header currently is.  skb->data shall point to the start of the
 353         * payload.
 354         */
 355        int (*input2)(struct xfrm_state *x, struct sk_buff *skb);
 356
 357        /*
 358         * This is the actual input entry point.
 359         *
 360         * For transport mode and equivalent this would be identical to
 361         * input2 (which does not need to be set).  While tunnel mode
 362         * and equivalent would set this to the tunnel encapsulation function
 363         * xfrm4_prepare_input that would in turn call input2.
 364         */
 365        int (*input)(struct xfrm_state *x, struct sk_buff *skb);
 366
 367        /*
 368         * Add encapsulation header.
 369         *
 370         * On exit, the transport header will be set to the start of the
 371         * encapsulation header to be filled in by x->type->output and
 372         * the mac header will be set to the nextheader (protocol for
 373         * IPv4) field of the extension header directly preceding the
 374         * encapsulation header, or in its absence, that of the top IP
 375         * header.  The value of the network header will always point
 376         * to the top IP header while skb->data will point to the payload.
 377         */
 378        int (*output2)(struct xfrm_state *x,struct sk_buff *skb);
 379
 380        /*
 381         * This is the actual output entry point.
 382         *
 383         * For transport mode and equivalent this would be identical to
 384         * output2 (which does not need to be set).  While tunnel mode
 385         * and equivalent would set this to a tunnel encapsulation function
 386         * (xfrm4_prepare_output or xfrm6_prepare_output) that would in turn
 387         * call output2.
 388         */
 389        int (*output)(struct xfrm_state *x, struct sk_buff *skb);
 390
 391        struct xfrm_state_afinfo *afinfo;
 392        struct module *owner;
 393        unsigned int encap;
 394        int flags;
 395};
 396
 397/* Flags for xfrm_mode. */
 398enum {
 399        XFRM_MODE_FLAG_TUNNEL = 1,
 400};
 401
 402extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
 403extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
 404
 405static inline int xfrm_af2proto(unsigned int family)
 406{
 407        switch(family) {
 408        case AF_INET:
 409                return IPPROTO_IPIP;
 410        case AF_INET6:
 411                return IPPROTO_IPV6;
 412        default:
 413                return 0;
 414        }
 415}
 416
 417static inline struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
 418{
 419        if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
 420            (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
 421                return x->inner_mode;
 422        else
 423                return x->inner_mode_iaf;
 424}
 425
 426struct xfrm_tmpl {
 427/* id in template is interpreted as:
 428 * daddr - destination of tunnel, may be zero for transport mode.
 429 * spi   - zero to acquire spi. Not zero if spi is static, then
 430 *         daddr must be fixed too.
 431 * proto - AH/ESP/IPCOMP
 432 */
 433        struct xfrm_id          id;
 434
 435/* Source address of tunnel. Ignored, if it is not a tunnel. */
 436        xfrm_address_t          saddr;
 437
 438        unsigned short          encap_family;
 439
 440        u32                     reqid;
 441
 442/* Mode: transport, tunnel etc. */
 443        u8                      mode;
 444
 445/* Sharing mode: unique, this session only, this user only etc. */
 446        u8                      share;
 447
 448/* May skip this transfomration if no SA is found */
 449        u8                      optional;
 450
 451/* Skip aalgos/ealgos/calgos checks. */
 452        u8                      allalgs;
 453
 454/* Bit mask of algos allowed for acquisition */
 455        u32                     aalgos;
 456        u32                     ealgos;
 457        u32                     calgos;
 458};
 459
 460#define XFRM_MAX_DEPTH          6
 461
 462struct xfrm_policy_walk_entry {
 463        struct list_head        all;
 464        u8                      dead;
 465};
 466
 467struct xfrm_policy_walk {
 468        struct xfrm_policy_walk_entry walk;
 469        u8 type;
 470        u32 seq;
 471};
 472
 473struct xfrm_policy {
 474#ifdef CONFIG_NET_NS
 475        struct net              *xp_net;
 476#endif
 477        struct hlist_node       bydst;
 478        struct hlist_node       byidx;
 479
 480        /* This lock only affects elements except for entry. */
 481        rwlock_t                lock;
 482        atomic_t                refcnt;
 483        struct timer_list       timer;
 484
 485        struct flow_cache_object flo;
 486        atomic_t                genid;
 487        u32                     priority;
 488        u32                     index;
 489        struct xfrm_mark        mark;
 490        struct xfrm_selector    selector;
 491        struct xfrm_lifetime_cfg lft;
 492        struct xfrm_lifetime_cur curlft;
 493        struct xfrm_policy_walk_entry walk;
 494        u8                      type;
 495        u8                      action;
 496        u8                      flags;
 497        u8                      xfrm_nr;
 498        u16                     family;
 499        struct xfrm_sec_ctx     *security;
 500        struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
 501};
 502
 503static inline struct net *xp_net(struct xfrm_policy *xp)
 504{
 505        return read_pnet(&xp->xp_net);
 506}
 507
 508struct xfrm_kmaddress {
 509        xfrm_address_t          local;
 510        xfrm_address_t          remote;
 511        u32                     reserved;
 512        u16                     family;
 513};
 514
 515struct xfrm_migrate {
 516        xfrm_address_t          old_daddr;
 517        xfrm_address_t          old_saddr;
 518        xfrm_address_t          new_daddr;
 519        xfrm_address_t          new_saddr;
 520        u8                      proto;
 521        u8                      mode;
 522        u16                     reserved;
 523        u32                     reqid;
 524        u16                     old_family;
 525        u16                     new_family;
 526};
 527
 528#define XFRM_KM_TIMEOUT                30
 529/* which seqno */
 530#define XFRM_REPLAY_SEQ         1
 531#define XFRM_REPLAY_OSEQ        2
 532#define XFRM_REPLAY_SEQ_MASK    3
 533/* what happened */
 534#define XFRM_REPLAY_UPDATE      XFRM_AE_CR
 535#define XFRM_REPLAY_TIMEOUT     XFRM_AE_CE
 536
 537/* default aevent timeout in units of 100ms */
 538#define XFRM_AE_ETIME                   10
 539/* Async Event timer multiplier */
 540#define XFRM_AE_ETH_M                   10
 541/* default seq threshold size */
 542#define XFRM_AE_SEQT_SIZE               2
 543
 544struct xfrm_mgr {
 545        struct list_head        list;
 546        char                    *id;
 547        int                     (*notify)(struct xfrm_state *x, struct km_event *c);
 548        int                     (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir);
 549        struct xfrm_policy      *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
 550        int                     (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
 551        int                     (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c);
 552        int                     (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
 553        int                     (*migrate)(struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles, struct xfrm_kmaddress *k);
 554};
 555
 556extern int xfrm_register_km(struct xfrm_mgr *km);
 557extern int xfrm_unregister_km(struct xfrm_mgr *km);
 558
 559/*
 560 * This structure is used for the duration where packets are being
 561 * transformed by IPsec.  As soon as the packet leaves IPsec the
 562 * area beyond the generic IP part may be overwritten.
 563 */
 564struct xfrm_skb_cb {
 565        union {
 566                struct inet_skb_parm h4;
 567                struct inet6_skb_parm h6;
 568        } header;
 569
 570        /* Sequence number for replay protection. */
 571        union {
 572                u64 output;
 573                __be32 input;
 574        } seq;
 575};
 576
 577#define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
 578
 579/*
 580 * This structure is used by the afinfo prepare_input/prepare_output functions
 581 * to transmit header information to the mode input/output functions.
 582 */
 583struct xfrm_mode_skb_cb {
 584        union {
 585                struct inet_skb_parm h4;
 586                struct inet6_skb_parm h6;
 587        } header;
 588
 589        /* Copied from header for IPv4, always set to zero and DF for IPv6. */
 590        __be16 id;
 591        __be16 frag_off;
 592
 593        /* IP header length (excluding options or extension headers). */
 594        u8 ihl;
 595
 596        /* TOS for IPv4, class for IPv6. */
 597        u8 tos;
 598
 599        /* TTL for IPv4, hop limitfor IPv6. */
 600        u8 ttl;
 601
 602        /* Protocol for IPv4, NH for IPv6. */
 603        u8 protocol;
 604
 605        /* Option length for IPv4, zero for IPv6. */
 606        u8 optlen;
 607
 608        /* Used by IPv6 only, zero for IPv4. */
 609        u8 flow_lbl[3];
 610};
 611
 612#define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
 613
 614/*
 615 * This structure is used by the input processing to locate the SPI and
 616 * related information.
 617 */
 618struct xfrm_spi_skb_cb {
 619        union {
 620                struct inet_skb_parm h4;
 621                struct inet6_skb_parm h6;
 622        } header;
 623
 624        unsigned int daddroff;
 625        unsigned int family;
 626};
 627
 628#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
 629
 630/* Audit Information */
 631struct xfrm_audit {
 632        u32     secid;
 633        uid_t   loginuid;
 634        u32     sessionid;
 635};
 636
 637#ifdef CONFIG_AUDITSYSCALL
 638static inline struct audit_buffer *xfrm_audit_start(const char *op)
 639{
 640        struct audit_buffer *audit_buf = NULL;
 641
 642        if (audit_enabled == 0)
 643                return NULL;
 644        audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
 645                                    AUDIT_MAC_IPSEC_EVENT);
 646        if (audit_buf == NULL)
 647                return NULL;
 648        audit_log_format(audit_buf, "op=%s", op);
 649        return audit_buf;
 650}
 651
 652static inline void xfrm_audit_helper_usrinfo(uid_t auid, u32 ses, u32 secid,
 653                                             struct audit_buffer *audit_buf)
 654{
 655        char *secctx;
 656        u32 secctx_len;
 657
 658        audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
 659        if (secid != 0 &&
 660            security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
 661                audit_log_format(audit_buf, " subj=%s", secctx);
 662                security_release_secctx(secctx, secctx_len);
 663        } else
 664                audit_log_task_context(audit_buf);
 665}
 666
 667extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 668                                  u32 auid, u32 ses, u32 secid);
 669extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 670                                  u32 auid, u32 ses, u32 secid);
 671extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
 672                                 u32 auid, u32 ses, u32 secid);
 673extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 674                                    u32 auid, u32 ses, u32 secid);
 675extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 676                                             struct sk_buff *skb);
 677extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
 678extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 679                                      __be32 net_spi, __be32 net_seq);
 680extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
 681                                     struct sk_buff *skb, u8 proto);
 682#else
 683
 684static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 685                                  u32 auid, u32 ses, u32 secid)
 686{
 687}
 688
 689static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 690                                  u32 auid, u32 ses, u32 secid)
 691{
 692}
 693
 694static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
 695                                 u32 auid, u32 ses, u32 secid)
 696{
 697}
 698
 699static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 700                                    u32 auid, u32 ses, u32 secid)
 701{
 702}
 703
 704static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 705                                             struct sk_buff *skb)
 706{
 707}
 708
 709static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
 710                                      u16 family)
 711{
 712}
 713
 714static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 715                                      __be32 net_spi, __be32 net_seq)
 716{
 717}
 718
 719static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
 720                                     struct sk_buff *skb, u8 proto)
 721{
 722}
 723#endif /* CONFIG_AUDITSYSCALL */
 724
 725static inline void xfrm_pol_hold(struct xfrm_policy *policy)
 726{
 727        if (likely(policy != NULL))
 728                atomic_inc(&policy->refcnt);
 729}
 730
 731extern void xfrm_policy_destroy(struct xfrm_policy *policy);
 732
 733static inline void xfrm_pol_put(struct xfrm_policy *policy)
 734{
 735        if (atomic_dec_and_test(&policy->refcnt))
 736                xfrm_policy_destroy(policy);
 737}
 738
 739static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
 740{
 741        int i;
 742        for (i = npols - 1; i >= 0; --i)
 743                xfrm_pol_put(pols[i]);
 744}
 745
 746extern void __xfrm_state_destroy(struct xfrm_state *);
 747
 748static inline void __xfrm_state_put(struct xfrm_state *x)
 749{
 750        atomic_dec(&x->refcnt);
 751}
 752
 753static inline void xfrm_state_put(struct xfrm_state *x)
 754{
 755        if (atomic_dec_and_test(&x->refcnt))
 756                __xfrm_state_destroy(x);
 757}
 758
 759static inline void xfrm_state_hold(struct xfrm_state *x)
 760{
 761        atomic_inc(&x->refcnt);
 762}
 763
 764static __inline__ int addr_match(void *token1, void *token2, int prefixlen)
 765{
 766        __be32 *a1 = token1;
 767        __be32 *a2 = token2;
 768        int pdw;
 769        int pbi;
 770
 771        pdw = prefixlen >> 5;     /* num of whole u32 in prefix */
 772        pbi = prefixlen &  0x1f;  /* num of bits in incomplete u32 in prefix */
 773
 774        if (pdw)
 775                if (memcmp(a1, a2, pdw << 2))
 776                        return 0;
 777
 778        if (pbi) {
 779                __be32 mask;
 780
 781                mask = htonl((0xffffffff) << (32 - pbi));
 782
 783                if ((a1[pdw] ^ a2[pdw]) & mask)
 784                        return 0;
 785        }
 786
 787        return 1;
 788}
 789
 790static __inline__
 791__be16 xfrm_flowi_sport(struct flowi *fl)
 792{
 793        __be16 port;
 794        switch(fl->proto) {
 795        case IPPROTO_TCP:
 796        case IPPROTO_UDP:
 797        case IPPROTO_UDPLITE:
 798        case IPPROTO_SCTP:
 799                port = fl->fl_ip_sport;
 800                break;
 801        case IPPROTO_ICMP:
 802        case IPPROTO_ICMPV6:
 803                port = htons(fl->fl_icmp_type);
 804                break;
 805        case IPPROTO_MH:
 806                port = htons(fl->fl_mh_type);
 807                break;
 808        default:
 809                port = 0;       /*XXX*/
 810        }
 811        return port;
 812}
 813
 814static __inline__
 815__be16 xfrm_flowi_dport(struct flowi *fl)
 816{
 817        __be16 port;
 818        switch(fl->proto) {
 819        case IPPROTO_TCP:
 820        case IPPROTO_UDP:
 821        case IPPROTO_UDPLITE:
 822        case IPPROTO_SCTP:
 823                port = fl->fl_ip_dport;
 824                break;
 825        case IPPROTO_ICMP:
 826        case IPPROTO_ICMPV6:
 827                port = htons(fl->fl_icmp_code);
 828                break;
 829        default:
 830                port = 0;       /*XXX*/
 831        }
 832        return port;
 833}
 834
 835extern int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
 836                               unsigned short family);
 837
 838#ifdef CONFIG_SECURITY_NETWORK_XFRM
 839/*      If neither has a context --> match
 840 *      Otherwise, both must have a context and the sids, doi, alg must match
 841 */
 842static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 843{
 844        return ((!s1 && !s2) ||
 845                (s1 && s2 &&
 846                 (s1->ctx_sid == s2->ctx_sid) &&
 847                 (s1->ctx_doi == s2->ctx_doi) &&
 848                 (s1->ctx_alg == s2->ctx_alg)));
 849}
 850#else
 851static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 852{
 853        return 1;
 854}
 855#endif
 856
 857/* A struct encoding bundle of transformations to apply to some set of flow.
 858 *
 859 * dst->child points to the next element of bundle.
 860 * dst->xfrm  points to an instanse of transformer.
 861 *
 862 * Due to unfortunate limitations of current routing cache, which we
 863 * have no time to fix, it mirrors struct rtable and bound to the same
 864 * routing key, including saddr,daddr. However, we can have many of
 865 * bundles differing by session id. All the bundles grow from a parent
 866 * policy rule.
 867 */
 868struct xfrm_dst {
 869        union {
 870                struct dst_entry        dst;
 871                struct rtable           rt;
 872                struct rt6_info         rt6;
 873        } u;
 874        struct dst_entry *route;
 875        struct flow_cache_object flo;
 876        struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
 877        int num_pols, num_xfrms;
 878#ifdef CONFIG_XFRM_SUB_POLICY
 879        struct flowi *origin;
 880        struct xfrm_selector *partner;
 881#endif
 882        u32 xfrm_genid;
 883        u32 policy_genid;
 884        u32 route_mtu_cached;
 885        u32 child_mtu_cached;
 886        u32 route_cookie;
 887        u32 path_cookie;
 888};
 889
 890#ifdef CONFIG_XFRM
 891static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
 892{
 893        xfrm_pols_put(xdst->pols, xdst->num_pols);
 894        dst_release(xdst->route);
 895        if (likely(xdst->u.dst.xfrm))
 896                xfrm_state_put(xdst->u.dst.xfrm);
 897#ifdef CONFIG_XFRM_SUB_POLICY
 898        kfree(xdst->origin);
 899        xdst->origin = NULL;
 900        kfree(xdst->partner);
 901        xdst->partner = NULL;
 902#endif
 903}
 904#endif
 905
 906extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
 907
 908struct sec_path {
 909        atomic_t                refcnt;
 910        int                     len;
 911        struct xfrm_state       *xvec[XFRM_MAX_DEPTH];
 912};
 913
 914static inline struct sec_path *
 915secpath_get(struct sec_path *sp)
 916{
 917        if (sp)
 918                atomic_inc(&sp->refcnt);
 919        return sp;
 920}
 921
 922extern void __secpath_destroy(struct sec_path *sp);
 923
 924static inline void
 925secpath_put(struct sec_path *sp)
 926{
 927        if (sp && atomic_dec_and_test(&sp->refcnt))
 928                __secpath_destroy(sp);
 929}
 930
 931extern struct sec_path *secpath_dup(struct sec_path *src);
 932
 933static inline void
 934secpath_reset(struct sk_buff *skb)
 935{
 936#ifdef CONFIG_XFRM
 937        secpath_put(skb->sp);
 938        skb->sp = NULL;
 939#endif
 940}
 941
 942static inline int
 943xfrm_addr_any(xfrm_address_t *addr, unsigned short family)
 944{
 945        switch (family) {
 946        case AF_INET:
 947                return addr->a4 == 0;
 948        case AF_INET6:
 949                return ipv6_addr_any((struct in6_addr *)&addr->a6);
 950        }
 951        return 0;
 952}
 953
 954static inline int
 955__xfrm4_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
 956{
 957        return  (tmpl->saddr.a4 &&
 958                 tmpl->saddr.a4 != x->props.saddr.a4);
 959}
 960
 961static inline int
 962__xfrm6_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
 963{
 964        return  (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
 965                 ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
 966}
 967
 968static inline int
 969xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family)
 970{
 971        switch (family) {
 972        case AF_INET:
 973                return __xfrm4_state_addr_cmp(tmpl, x);
 974        case AF_INET6:
 975                return __xfrm6_state_addr_cmp(tmpl, x);
 976        }
 977        return !0;
 978}
 979
 980#ifdef CONFIG_XFRM
 981extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
 982
 983static inline int __xfrm_policy_check2(struct sock *sk, int dir,
 984                                       struct sk_buff *skb,
 985                                       unsigned int family, int reverse)
 986{
 987        struct net *net = dev_net(skb->dev);
 988        int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
 989
 990        if (sk && sk->sk_policy[XFRM_POLICY_IN])
 991                return __xfrm_policy_check(sk, ndir, skb, family);
 992
 993        return  (!net->xfrm.policy_count[dir] && !skb->sp) ||
 994                (skb_dst(skb)->flags & DST_NOPOLICY) ||
 995                __xfrm_policy_check(sk, ndir, skb, family);
 996}
 997
 998static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
 999{
1000        return __xfrm_policy_check2(sk, dir, skb, family, 0);

1001}
1002
1003static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1004{
1005        return xfrm_policy_check(sk, dir, skb, AF_INET);
1006}
1007
1008static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1009{
1010        return xfrm_policy_check(sk, dir, skb, AF_INET6);
1011}
1012
1013static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1014                                             struct sk_buff *skb)
1015{
1016        return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1017}
1018
1019static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1020                                             struct sk_buff *skb)
1021{
1022        return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1023}
1024
1025extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1026                                 unsigned int family, int reverse);
1027
1028static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1029                                      unsigned int family)
1030{
1031        return __xfrm_decode_session(skb, fl, family, 0);
1032}
1033
1034static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1035                                              struct flowi *fl,
1036                                              unsigned int family)
1037{
1038        return __xfrm_decode_session(skb, fl, family, 1);
1039}
1040
1041extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1042
1043static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1044{
1045        struct net *net = dev_net(skb->dev);
1046
1047        return  !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
1048                (skb_dst(skb)->flags & DST_NOXFRM) ||
1049                __xfrm_route_forward(skb, family);
1050}
1051
1052static inline int xfrm4_route_forward(struct sk_buff *skb)
1053{
1054        return xfrm_route_forward(skb, AF_INET);
1055}
1056
1057static inline int xfrm6_route_forward(struct sk_buff *skb)
1058{
1059        return xfrm_route_forward(skb, AF_INET6);
1060}
1061
1062extern int __xfrm_sk_clone_policy(struct sock *sk);
1063
1064static inline int xfrm_sk_clone_policy(struct sock *sk)
1065{
1066        if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
1067                return __xfrm_sk_clone_policy(sk);
1068        return 0;
1069}
1070
1071extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1072
1073static inline void xfrm_sk_free_policy(struct sock *sk)
1074{
1075        if (unlikely(sk->sk_policy[0] != NULL)) {
1076                xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
1077                sk->sk_policy[0] = NULL;
1078        }
1079        if (unlikely(sk->sk_policy[1] != NULL)) {
1080                xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
1081                sk->sk_policy[1] = NULL;
1082        }
1083}
1084
1085#else
1086
1087static inline void xfrm_sk_free_policy(struct sock *sk) {}
1088static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
1089static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }  
1090static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; } 
1091static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1092{ 
1093        return 1; 
1094} 
1095static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1096{
1097        return 1;
1098}
1099static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1100{
1101        return 1;
1102}
1103static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1104                                              struct flowi *fl,
1105                                              unsigned int family)
1106{
1107        return -ENOSYS;
1108}
1109static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1110                                             struct sk_buff *skb)
1111{
1112        return 1;
1113}
1114static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1115                                             struct sk_buff *skb)
1116{
1117        return 1;
1118}
1119#endif
1120
1121static __inline__
1122xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
1123{
1124        switch (family){
1125        case AF_INET:
1126                return (xfrm_address_t *)&fl->fl4_dst;
1127        case AF_INET6:
1128                return (xfrm_address_t *)&fl->fl6_dst;
1129        }
1130        return NULL;
1131}
1132
1133static __inline__
1134xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family)
1135{
1136        switch (family){
1137        case AF_INET:
1138                return (xfrm_address_t *)&fl->fl4_src;
1139        case AF_INET6:
1140                return (xfrm_address_t *)&fl->fl6_src;
1141        }
1142        return NULL;
1143}
1144
1145static __inline__
1146void xfrm_flowi_addr_get(struct flowi *fl,
1147                         xfrm_address_t *saddr, xfrm_address_t *daddr,
1148                         unsigned short family)
1149{
1150        switch(family) {
1151        case AF_INET:
1152                memcpy(&saddr->a4, &fl->fl4_src, sizeof(saddr->a4));
1153                memcpy(&daddr->a4, &fl->fl4_dst, sizeof(daddr->a4));
1154                break;
1155        case AF_INET6:
1156                ipv6_addr_copy((struct in6_addr *)&saddr->a6, &fl->fl6_src);
1157                ipv6_addr_copy((struct in6_addr *)&daddr->a6, &fl->fl6_dst);
1158                break;
1159        }
1160}
1161
1162static __inline__ int
1163__xfrm4_state_addr_check(struct xfrm_state *x,
1164                         xfrm_address_t *daddr, xfrm_address_t *saddr)
1165{
1166        if (daddr->a4 == x->id.daddr.a4 &&
1167            (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1168                return 1;
1169        return 0;
1170}
1171
1172static __inline__ int
1173__xfrm6_state_addr_check(struct xfrm_state *x,
1174                         xfrm_address_t *daddr, xfrm_address_t *saddr)
1175{
1176        if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1177            (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)|| 
1178             ipv6_addr_any((struct in6_addr *)saddr) || 
1179             ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1180                return 1;
1181        return 0;
1182}
1183
1184static __inline__ int
1185xfrm_state_addr_check(struct xfrm_state *x,
1186                      xfrm_address_t *daddr, xfrm_address_t *saddr,
1187                      unsigned short family)
1188{
1189        switch (family) {
1190        case AF_INET:
1191                return __xfrm4_state_addr_check(x, daddr, saddr);
1192        case AF_INET6:
1193                return __xfrm6_state_addr_check(x, daddr, saddr);
1194        }
1195        return 0;
1196}
1197
1198static __inline__ int
1199xfrm_state_addr_flow_check(struct xfrm_state *x, struct flowi *fl,
1200                           unsigned short family)
1201{
1202        switch (family) {
1203        case AF_INET:
1204                return __xfrm4_state_addr_check(x,
1205                                                (xfrm_address_t *)&fl->fl4_dst,
1206                                                (xfrm_address_t *)&fl->fl4_src);
1207        case AF_INET6:
1208                return __xfrm6_state_addr_check(x,
1209                                                (xfrm_address_t *)&fl->fl6_dst,
1210                                                (xfrm_address_t *)&fl->fl6_src);
1211        }
1212        return 0;
1213}
1214
1215static inline int xfrm_state_kern(struct xfrm_state *x)
1216{
1217        return atomic_read(&x->tunnel_users);
1218}
1219
1220static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1221{
1222        return (!userproto || proto == userproto ||
1223                (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1224                                                  proto == IPPROTO_ESP ||
1225                                                  proto == IPPROTO_COMP)));
1226}
1227
1228/*
1229 * xfrm algorithm information
1230 */
1231struct xfrm_algo_aead_info {
1232        u16 icv_truncbits;
1233};
1234
1235struct xfrm_algo_auth_info {
1236        u16 icv_truncbits;
1237        u16 icv_fullbits;
1238};
1239
1240struct xfrm_algo_encr_info {
1241        u16 blockbits;
1242        u16 defkeybits;
1243};
1244
1245struct xfrm_algo_comp_info {
1246        u16 threshold;
1247};
1248
1249struct xfrm_algo_desc {
1250        char *name;
1251        char *compat;
1252        u8 available:1;
1253        union {
1254                struct xfrm_algo_aead_info aead;
1255                struct xfrm_algo_auth_info auth;
1256                struct xfrm_algo_encr_info encr;
1257                struct xfrm_algo_comp_info comp;
1258        } uinfo;
1259        struct sadb_alg desc;
1260};
1261
1262/* XFRM tunnel handlers.  */
1263struct xfrm_tunnel {
1264        int (*handler)(struct sk_buff *skb);
1265        int (*err_handler)(struct sk_buff *skb, u32 info);
1266
1267        struct xfrm_tunnel *next;
1268        int priority;
1269};
1270
1271struct xfrm6_tunnel {
1272        int (*handler)(struct sk_buff *skb);
1273        int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1274                           u8 type, u8 code, int offset, __be32 info);
1275        struct xfrm6_tunnel *next;
1276        int priority;
1277};
1278
1279extern void xfrm_init(void);
1280extern void xfrm4_init(int rt_hash_size);
1281extern int xfrm_state_init(struct net *net);
1282extern void xfrm_state_fini(struct net *net);
1283extern void xfrm4_state_init(void);
1284#ifdef CONFIG_XFRM
1285extern int xfrm6_init(void);
1286extern void xfrm6_fini(void);
1287extern int xfrm6_state_init(void);
1288extern void xfrm6_state_fini(void);
1289#else
1290static inline int xfrm6_init(void)
1291{
1292        return 0;
1293}
1294static inline void xfrm6_fini(void)
1295{
1296        ;
1297}
1298#endif
1299
1300#ifdef CONFIG_XFRM_STATISTICS
1301extern int xfrm_proc_init(struct net *net);
1302extern void xfrm_proc_fini(struct net *net);
1303#endif
1304
1305extern int xfrm_sysctl_init(struct net *net);
1306#ifdef CONFIG_SYSCTL
1307extern void xfrm_sysctl_fini(struct net *net);
1308#else
1309static inline void xfrm_sysctl_fini(struct net *net)
1310{
1311}
1312#endif
1313
1314extern void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto);
1315extern int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1316                           int (*func)(struct xfrm_state *, int, void*), void *);
1317extern void xfrm_state_walk_done(struct xfrm_state_walk *walk);
1318extern struct xfrm_state *xfrm_state_alloc(struct net *net);
1319extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 
1320                                          struct flowi *fl, struct xfrm_tmpl *tmpl,
1321                                          struct xfrm_policy *pol, int *err,
1322                                          unsigned short family);
1323extern struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark,
1324                                               xfrm_address_t *daddr,
1325                                               xfrm_address_t *saddr,
1326                                               unsigned short family,
1327                                               u8 mode, u8 proto, u32 reqid);
1328extern int xfrm_state_check_expire(struct xfrm_state *x);
1329extern void xfrm_state_insert(struct xfrm_state *x);
1330extern int xfrm_state_add(struct xfrm_state *x);
1331extern int xfrm_state_update(struct xfrm_state *x);
1332extern struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1333                                            xfrm_address_t *daddr, __be32 spi,
1334                                            u8 proto, unsigned short family);
1335extern struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1336                                                   xfrm_address_t *daddr,
1337                                                   xfrm_address_t *saddr,
1338                                                   u8 proto,
1339                                                   unsigned short family);
1340#ifdef CONFIG_XFRM_SUB_POLICY
1341extern int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1342                          int n, unsigned short family);
1343extern int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1344                           int n, unsigned short family);
1345#else
1346static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1347                                 int n, unsigned short family)
1348{
1349        return -ENOSYS;
1350}
1351
1352static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1353                                  int n, unsigned short family)
1354{
1355        return -ENOSYS;
1356}
1357#endif
1358
1359struct xfrmk_sadinfo {
1360        u32 sadhcnt; /* current hash bkts */
1361        u32 sadhmcnt; /* max allowed hash bkts */
1362        u32 sadcnt; /* current running count */
1363};
1364
1365struct xfrmk_spdinfo {
1366        u32 incnt;
1367        u32 outcnt;
1368        u32 fwdcnt;
1369        u32 inscnt;
1370        u32 outscnt;
1371        u32 fwdscnt;
1372        u32 spdhcnt;
1373        u32 spdhmcnt;
1374};
1375
1376extern struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark,
1377                                              u32 seq);
1378extern int xfrm_state_delete(struct xfrm_state *x);
1379extern int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info);
1380extern void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1381extern void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1382extern int xfrm_replay_check(struct xfrm_state *x,
1383                             struct sk_buff *skb, __be32 seq);
1384extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);
1385extern void xfrm_replay_notify(struct xfrm_state *x, int event);
1386extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
1387extern int xfrm_init_state(struct xfrm_state *x);
1388extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
1389extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi,
1390                      int encap_type);
1391extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1392extern int xfrm_output_resume(struct sk_buff *skb, int err);
1393extern int xfrm_output(struct sk_buff *skb);
1394extern int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1395extern int xfrm4_extract_header(struct sk_buff *skb);
1396extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1397extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1398                           int encap_type);
1399extern int xfrm4_transport_finish(struct sk_buff *skb, int async);
1400extern int xfrm4_rcv(struct sk_buff *skb);
1401
1402static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1403{
1404        return xfrm4_rcv_encap(skb, nexthdr, spi, 0);
1405}
1406
1407extern int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1408extern int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1409extern int xfrm4_output(struct sk_buff *skb);
1410extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1411extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1412extern int xfrm6_extract_header(struct sk_buff *skb);
1413extern int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1414extern int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
1415extern int xfrm6_transport_finish(struct sk_buff *skb, int async);
1416extern int xfrm6_rcv(struct sk_buff *skb);
1417extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1418                            xfrm_address_t *saddr, u8 proto);
1419extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1420extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1421extern __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1422extern void xfrm6_tunnel_free_spi(struct net *net, xfrm_address_t *saddr);
1423extern __be32 xfrm6_tunnel_spi_lookup(struct net *net, xfrm_address_t *saddr);
1424extern int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1425extern int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1426extern int xfrm6_output(struct sk_buff *skb);
1427extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1428                                 u8 **prevhdr);
1429
1430#ifdef CONFIG_XFRM
1431extern int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1432extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
1433#else
1434static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1435{
1436        return -ENOPROTOOPT;
1437} 
1438
1439static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1440{
1441        /* should not happen */
1442        kfree_skb(skb);
1443        return 0;
1444}
1445#endif
1446
1447struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1448
1449extern void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1450extern int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1451        int (*func)(struct xfrm_policy *, int, int, void*), void *);
1452extern void xfrm_policy_walk_done(struct xfrm_policy_walk *walk);
1453int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1454struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark,
1455                                          u8 type, int dir,
1456                                          struct xfrm_selector *sel,
1457                                          struct xfrm_sec_ctx *ctx, int delete,
1458                                          int *err);
1459struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8, int dir, u32 id, int delete, int *err);
1460int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info);
1461u32 xfrm_get_acqseq(void);
1462extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1463struct xfrm_state *xfrm_find_acq(struct net *net, struct xfrm_mark *mark,
1464                                 u8 mode, u32 reqid, u8 proto,
1465                                 xfrm_address_t *daddr,
1466                                 xfrm_address_t *saddr, int create,
1467                                 unsigned short family);
1468extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1469extern int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst,
1470                          struct flowi *fl, int family, int strict);
1471
1472#ifdef CONFIG_XFRM_MIGRATE
1473extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1474                      struct xfrm_migrate *m, int num_bundles,
1475                      struct xfrm_kmaddress *k);
1476extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m);
1477extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1478                                              struct xfrm_migrate *m);
1479extern int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1480                        struct xfrm_migrate *m, int num_bundles,
1481                        struct xfrm_kmaddress *k);
1482#endif
1483
1484extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1485extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid);
1486extern int km_report(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
1487
1488extern void xfrm_input_init(void);
1489extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1490
1491extern void xfrm_probe_algs(void);
1492extern int xfrm_count_auth_supported(void);
1493extern int xfrm_count_enc_supported(void);
1494extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1495extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1496extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1497extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1498extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1499extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe);
1500extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe);
1501extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe);
1502extern struct xfrm_algo_desc *xfrm_aead_get_byname(char *name, int icv_len,
1503                                                   int probe);
1504
1505struct hash_desc;
1506struct scatterlist;
1507typedef int (icv_update_fn_t)(struct hash_desc *, struct scatterlist *,
1508                              unsigned int);
1509
1510static inline int xfrm_addr_cmp(xfrm_address_t *a, xfrm_address_t *b,
1511                                int family)
1512{
1513        switch (family) {
1514        default:
1515        case AF_INET:
1516                return (__force u32)a->a4 - (__force u32)b->a4;
1517        case AF_INET6:
1518                return ipv6_addr_cmp((struct in6_addr *)a,
1519                                     (struct in6_addr *)b);
1520        }
1521}
1522
1523static inline int xfrm_policy_id2dir(u32 index)
1524{
1525        return index & 7;
1526}
1527
1528#ifdef CONFIG_XFRM
1529static inline int xfrm_aevent_is_on(struct net *net)
1530{
1531        struct sock *nlsk;
1532        int ret = 0;
1533
1534        rcu_read_lock();
1535        nlsk = rcu_dereference(net->xfrm.nlsk);
1536        if (nlsk)
1537                ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1538        rcu_read_unlock();
1539        return ret;
1540}
1541#endif
1542
1543static inline int xfrm_alg_len(struct xfrm_algo *alg)
1544{
1545        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1546}
1547
1548static inline int xfrm_alg_auth_len(struct xfrm_algo_auth *alg)
1549{
1550        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1551}
1552
1553#ifdef CONFIG_XFRM_MIGRATE
1554static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1555{
1556        return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1557}
1558
1559static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1560{
1561        return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1562}
1563
1564static inline void xfrm_states_put(struct xfrm_state **states, int n)
1565{
1566        int i;
1567        for (i = 0; i < n; i++)
1568                xfrm_state_put(*(states + i));
1569}
1570
1571static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1572{
1573        int i;
1574        for (i = 0; i < n; i++)
1575                xfrm_state_delete(*(states + i));
1576}
1577#endif
1578
1579#ifdef CONFIG_XFRM
1580static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1581{
1582        return skb->sp->xvec[skb->sp->len - 1];
1583}
1584#endif
1585
1586static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
1587{
1588        if (attrs[XFRMA_MARK])
1589                memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
1590        else
1591                m->v = m->m = 0;
1592
1593        return m->v & m->m;
1594}
1595
1596static inline int xfrm_mark_put(struct sk_buff *skb, struct xfrm_mark *m)
1597{
1598        if (m->m | m->v)
1599                NLA_PUT(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
1600        return 0;
1601
1602nla_put_failure:
1603        return -1;
1604}
1605
1606#endif  /* _NET_XFRM_H */
1607
The original LXR software by the LXR community, this experimental version by lxr@linux.no.
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.