   1#ifndef _NET_XFRM_H
   2#define _NET_XFRM_H
   3
   4#include <linux/xfrm.h>
   5#include <linux/spinlock.h>
   6#include <linux/list.h>
   7#include <linux/skbuff.h>
   8#include <linux/netdevice.h>
   9#include <linux/crypto.h>
  10#include <linux/pfkeyv2.h>
  11#include <linux/in6.h>
  12
  13#include <net/sock.h>
  14#include <net/dst.h>
  15#include <net/route.h>
  16#include <net/ipv6.h>
  17#include <net/ip6_fib.h>
  18
/* Round @len up to the next multiple of 8.  Used for xfrm/PF_KEY message
 * payload sizing (presumably -- callers are not visible in this header). */
#define XFRM_ALIGN8(len)	(((len) + 7) & ~7)

/* Presumably serialises SPD/SAD configuration changes; its users live in
 * the .c files, so treat the exact locking rules as "confirm in xfrm_*.c". */
extern struct semaphore xfrm_cfg_sem;
  22
  23/* Organization of SPD aka "XFRM rules"
  24   ------------------------------------
  25
  26   Basic objects:
  27   - policy rule, struct xfrm_policy (=SPD entry)
  28   - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
  29   - instance of a transformer, struct xfrm_state (=SA)
  30   - template to clone xfrm_state, struct xfrm_tmpl
  31
  32   SPD is plain linear list of xfrm_policy rules, ordered by priority.
  33   (To be compatible with existing pfkeyv2 implementations,
  34   many rules with priority of 0x7fffffff are allowed to exist and
  35   such rules are ordered in an unpredictable way, thanks to bsd folks.)
  36
  37   Lookup is plain linear search until the first match with selector.
  38
  39   If "action" is "block", then we prohibit the flow, otherwise:
  40   if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
  41   policy entry has list of up to XFRM_MAX_DEPTH transformations,
  42   described by templates xfrm_tmpl. Each template is resolved
  43   to a complete xfrm_state (see below) and we pack bundle of transformations
  44   to a dst_entry returned to requestor.
  45
  46   dst -. xfrm  .-> xfrm_state #1
  47    |---. child .-> dst -. xfrm .-> xfrm_state #2
  48                     |---. child .-> dst -. xfrm .-> xfrm_state #3
  49                                      |---. child .-> NULL
  50
   Bundles are cached at the xfrm_policy struct (field ->bundles).
  52
  53
   Resolution of xfrm_tmpl
   -----------------------
  56   Template contains:
  57   1. ->mode            Mode: transport or tunnel
  58   2. ->id.proto        Protocol: AH/ESP/IPCOMP
  59   3. ->id.daddr        Remote tunnel endpoint, ignored for transport mode.
  60      Q: allow to resolve security gateway?
  61   4. ->id.spi          If not zero, static SPI.
  62   5. ->saddr           Local tunnel endpoint, ignored for transport mode.
  63   6. ->algos           List of allowed algos. Plain bitmask now.
  64      Q: ealgos, aalgos, calgos. What a mess...
  65   7. ->share           Sharing mode.
  66      Q: how to implement private sharing mode? To add struct sock* to
  67      flow id?
  68
  69   Having this template we search through SAD searching for entries
  70   with appropriate mode/proto/algo, permitted by selector.
  71   If no appropriate entry found, it is requested from key manager.
  72
  73   PROBLEMS:
  74   Q: How to find all the bundles referring to a physical path for
  75      PMTU discovery? Seems, dst should contain list of all parents...
  76      and enter to infinite locking hierarchy disaster.
  77      No! It is easier, we will not search for them, let them find us.
  78      We add genid to each dst plus pointer to genid of raw IP route,
  79      pmtu disc will update pmtu on raw IP route and increase its genid.
  80      dst_check() will see this for top level and trigger resyncing
  81      metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
  82 */
  83
/* Full description of state of transformer, i.e. one SA (security
 * association).
 *
 * Reference counted via xfrm_state_hold()/xfrm_state_put(); ->lock is the
 * per-state spinlock.  One instance carries the SA identity (id), the
 * traffic selector (sel), the negotiated parameters (props), the algorithm
 * descriptors (aalg/ealg/calg -- presumably these carry the key material,
 * see struct xfrm_algo in <linux/xfrm.h>, so an xfrm_state is
 * secret-bearing), lifetimes, statistics and the anti-replay window.
 */
struct xfrm_state
{
	/* Note: bydst is re-used during gc */
	/* Hash-chain links; presumably threaded onto the per-family
	 * state_bydst/state_byspi lists in struct xfrm_state_afinfo, using
	 * xfrm_dst_hash()/xfrm_spi_hash() from this header. */
	struct list_head	bydst;
	struct list_head	byspi;

	atomic_t		refcnt;
	spinlock_t		lock;

	/* SA identity: remote address, SPI and protocol (see xfrm_id). */
	struct xfrm_id		id;
	/* Traffic selector this SA is allowed to carry. */
	struct xfrm_selector	sel;

	/* Key manager bits */
	struct {
		u8		state;	/* one of the XFRM_STATE_* values below */
		u8		dying;
		u32		seq;	/* correlates with key-manager requests, see xfrm_find_acq_byseq() */
	} km;

	/* Parameters of this state. */
	struct {
		u32		reqid;
		u8		mode;		/* transport or tunnel */
		/* u8, so the configurable window is at most 255 packets wide;
		 * the bitmap itself lives in struct xfrm_replay_state. */
		u8		replay_window;
		u8		aalgo, ealgo, calgo;	/* algorithm ids */
		u8		flags;
		u16		family;		/* AF_INET / AF_INET6 */
		xfrm_address_t	saddr;		/* local address; 0/:: means unspecified, see __xfrm4_state_addr_check() */
		/* Bytes the transform adds in front of / behind the payload
		 * (presumably; consumed by xfrm_state_check_space()). */
		int		header_len;
		int		trailer_len;
	} props;

	/* Configured lifetime limits (soft/hard). */
	struct xfrm_lifetime_cfg lft;

	/* Data for transformer */
	struct xfrm_algo	*aalg;
	struct xfrm_algo	*ealg;
	struct xfrm_algo	*calg;

	/* Data for encapsulator (UDP encapsulation, presumably NAT traversal;
	 * see xfrm4_rcv_encap()). */
	struct xfrm_encap_tmpl	*encap;

	/* IPComp needs an IPIP tunnel for handling uncompressed packets */
	struct xfrm_state	*tunnel;

	/* If a tunnel, number of users + 1 (read by xfrm_state_kern()). */
	atomic_t		tunnel_users;

	/* State for replay detection */
	struct xfrm_replay_state replay;

	/* Statistics */
	struct xfrm_stats	stats;

	/* Current lifetime usage, compared against ->lft. */
	struct xfrm_lifetime_cur curlft;
	struct timer_list	timer;

	/* Reference to data common to all the instances of this
	 * transformer. */
	struct xfrm_type	*type;

	/* Private data of this transformer, format is opaque,
	 * interpreted by xfrm_type methods. */
	void			*data;
};
 150
/* Values of xfrm_state.km.state (the SA life cycle). */
enum {
	XFRM_STATE_VOID,	/* allocated, not yet configured */
	XFRM_STATE_ACQ,		/* placeholder while the key manager negotiates (see find_acq) */
	XFRM_STATE_VALID,	/* usable for traffic */
	XFRM_STATE_ERROR,
	XFRM_STATE_EXPIRED,	/* a lifetime limit was hit */
	XFRM_STATE_DEAD		/* deleted, waiting for the last reference to drop */
};
 159
struct xfrm_type;
struct xfrm_dst;
/* Per-address-family hooks for the policy/bundle side of xfrm.  Registered
 * with xfrm_policy_register_afinfo() and found by family through
 * xfrm_policy_get_afinfo()/xfrm_policy_put_afinfo() below. */
struct xfrm_policy_afinfo {
	unsigned short		family;		/* AF_INET or AF_INET6 */
	rwlock_t		lock;
	struct xfrm_type_map	*type_map;	/* proto -> struct xfrm_type for this family */
	struct dst_ops		*dst_ops;
	void			(*garbage_collect)(void);
	/* Resolve the raw route for @fl into *dst. */
	int			(*dst_lookup)(struct xfrm_dst **dst, struct flowi *fl);
	/* Look for a cached bundle of @policy that fits @fl. */
	struct dst_entry	*(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
	/* Build a bundle from the @nx resolved states in @xfrm[] for @policy. */
	int			(*bundle_create)(struct xfrm_policy *policy, 
						 struct xfrm_state **xfrm, 
						 int nx,
						 struct flowi *fl, 
						 struct dst_entry **dst_p);
	/* Fill @fl from @skb.  NOTE(review): presumably derived from the
	 * packet headers, i.e. untrusted input, and the result is what every
	 * selector is matched against -- implementations must bounds-check
	 * before reading addresses/ports. */
	void			(*decode_session)(struct sk_buff *skb,
						  struct flowi *fl);
};
 178
/* Registration and lookup of the per-family policy hooks above.  get/put
 * pair presumably around the afinfo rwlock; keep the critical section short. */
extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
extern struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
extern void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);

/* Seconds an XFRM_STATE_ACQ placeholder lives before it is given up on. */
#define XFRM_ACQ_EXPIRES	30
 185
struct xfrm_tmpl;
/* Per-address-family hooks for the SAD (xfrm_state) side of xfrm. */
struct xfrm_state_afinfo {
	unsigned short		family;
	rwlock_t		lock;
	/* Hash tables of states, presumably XFRM_DST_HSIZE buckets indexed
	 * by xfrm_dst_hash() and xfrm_spi_hash() respectively. */
	struct list_head	*state_bydst;
	struct list_head	*state_byspi;
	/* Initialise the selector of a temporary (ACQ) state from the flow. */
	void			(*init_tempsel)(struct xfrm_state *x, struct flowi *fl,
						struct xfrm_tmpl *tmpl,
						xfrm_address_t *daddr, xfrm_address_t *saddr);
	/* Find the SA for (daddr, spi, proto) -- the inbound lookup key. */
	struct xfrm_state	*(*state_lookup)(xfrm_address_t *daddr, u32 spi, u8 proto);
	/* Find (and with @create, allocate) an ACQ placeholder state. */
	struct xfrm_state	*(*find_acq)(u8 mode, u32 reqid, u8 proto, 
					     xfrm_address_t *daddr, xfrm_address_t *saddr, 
					     int create);
};
 200
/* Registration and lookup of the per-family state hooks above. */
extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
extern struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family);
extern void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);

/* Tear down the IPIP tunnel state hanging off x->tunnel (IPComp). */
extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
 207
struct xfrm_decap_state;
/* Per-protocol (AH/ESP/IPCOMP) handler, shared by every xfrm_state of that
 * protocol via x->type.  Registered with xfrm_register_type(). */
struct xfrm_type
{
	char			*description;
	struct module		*owner;
	/* Protocol number; indexes xfrm_type_map.map[256] below. */
	__u8			proto;

	/* Validate/derive per-state data from the configured state. */
	int			(*init_state)(struct xfrm_state *x, void *args);
	void			(*destructor)(struct xfrm_state *);
	/* Inbound processing.  @skb is wire data, i.e. untrusted: every
	 * length taken from the packet must be checked before use. */
	int			(*input)(struct xfrm_state *, struct xfrm_decap_state *, struct sk_buff *skb);
	int			(*post_input)(struct xfrm_state *, struct xfrm_decap_state *, struct sk_buff *skb);
	/* Outbound processing; may replace *pskb. */
	int			(*output)(struct sk_buff **pskb);
	/* Estimate maximal size of result of transformation of a dgram */
	u32			(*get_max_size)(struct xfrm_state *, int size);
};
 223
/* Protocol-number -> handler table, one per address family.  256 slots,
 * so any __u8 proto indexes it in bounds. */
struct xfrm_type_map {
	rwlock_t		lock;
	struct xfrm_type	*map[256];
};
 228
/* Handler registration; get/put presumably take/drop a module reference
 * (type->owner) so a handler cannot be unloaded while an SA uses it. */
extern int xfrm_register_type(struct xfrm_type *type, unsigned short family);
extern int xfrm_unregister_type(struct xfrm_type *type, unsigned short family);
extern struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family);
extern void xfrm_put_type(struct xfrm_type *type);
 233
/* One step of a policy's transformation chain: describes the SA that has
 * to be found (or requested from the key manager) for this step. */
struct xfrm_tmpl
{
/* id in template is interpreted as:
 * daddr - destination of tunnel, may be zero for transport mode.
 * spi   - zero to acquire spi. Not zero if spi is static, then
 *         daddr must be fixed too.
 * proto - AH/ESP/IPCOMP
 */
	struct xfrm_id		id;

/* Source address of tunnel. Ignored, if it is not a tunnel. */
	xfrm_address_t		saddr;

/* Ties this template to SAs carrying the same reqid. */
	__u32			reqid;

/* Mode: transport/tunnel */
	__u8			mode;

/* Sharing mode: unique, this session only, this user only etc. */
	__u8			share;

/* May skip this transformation if no SA is found.
 * NOTE(review): an optional template weakens the policy -- traffic is
 * allowed through without that transform when no SA exists. */
	__u8			optional;

/* Bit mask of algos allowed for acquisition */
	__u32			aalgos;
	__u32			ealgos;
	__u32			calgos;
};
 263
 264#define XFRM_MAX_DEPTH          4
 265
/* One SPD entry.  Rules are kept in priority order (see the overview at
 * the top of the file); the first one whose selector matches wins. */
struct xfrm_policy
{
	struct xfrm_policy	*next;
	struct list_head	list;

	/* This lock only affects elements except for entry. */
	rwlock_t		lock;
	atomic_t		refcnt;		/* xfrm_pol_hold()/xfrm_pol_put() */
	struct timer_list	timer;

	u32			priority;	/* ordering key within the SPD */
	u32			index;		/* id used by xfrm_policy_byid() */
	struct xfrm_selector	selector;	/* traffic this rule applies to */
	struct xfrm_lifetime_cfg lft;
	struct xfrm_lifetime_cur curlft;
	struct dst_entry       *bundles;	/* cache of resolved bundles */
	__u16			family;
	__u8			action;		/* block, or allow with xfrm_nr transforms */
	__u8			flags;
	__u8			dead;
	/* Number of valid entries in xfrm_vec; must stay <= XFRM_MAX_DEPTH. */
	__u8			xfrm_nr;
	struct xfrm_tmpl	xfrm_vec[XFRM_MAX_DEPTH];
};
 289
 290#define XFRM_KM_TIMEOUT         30
 291
/* A key manager (e.g. the PF_KEY or netlink front end) registered with
 * xfrm_register_km().  The kernel calls these to report events and to ask
 * for SAs it does not have. */
struct xfrm_mgr
{
	struct list_head	list;
	char			*id;
	int			(*notify)(struct xfrm_state *x, int event);
	/* Ask the manager to negotiate an SA for @x (an ACQ placeholder). */
	int			(*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir);
	/* Parse a per-socket policy blob of @len bytes into a policy.
	 * NOTE(review): presumably @data was copied in from userspace (see
	 * xfrm_user_policy()); parsers must bound every read by @len. */
	struct xfrm_policy	*(*compile_policy)(u16 family, int opt, u8 *data, int len, int *dir);
	/* Report a changed peer address/port (NAT mapping) for @x. */
	int			(*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport);
	int			(*notify_policy)(struct xfrm_policy *x, int dir, int event);
};
 302
/* Key manager registration. */
extern int xfrm_register_km(struct xfrm_mgr *km);
extern int xfrm_unregister_km(struct xfrm_mgr *km);
 305
 306
#define XFRM_FLOWCACHE_HASH_SIZE	1024

/* Flow-cache bucket for an IPv4 flow, in [0, XFRM_FLOWCACHE_HASH_SIZE).
 *
 * NOTE(review): this is an unkeyed mix of addresses and ports, so anyone who
 * can choose the 4-tuple of the traffic can pick the bucket and pile flows
 * into one chain.  Later kernels salt such hashes with a random value; a
 * keyed hash would be the fix if chain lengths turn out to matter.
 */
static inline u32 __flow_hash4(struct flowi *fl)
{
	u32 h = fl->fl4_src ^ fl->fl_ip_sport;

	/* Swap the two nibbles of every byte before folding in the
	 * destination side, so src and dst bytes do not simply cancel. */
	h = ((h >> 4) & 0x0F0F0F0F) | ((h << 4) & 0xF0F0F0F0);

	h ^= fl->fl4_dst ^ fl->fl_ip_dport;
	h ^= h >> 10;
	h ^= h >> 20;

	return h & (XFRM_FLOWCACHE_HASH_SIZE - 1);
}
 320
/* Flow-cache bucket for an IPv6 flow, in [0, XFRM_FLOWCACHE_HASH_SIZE).
 *
 * Only the low 64 bits (words 2 and 3) of each address take part, so flows
 * that differ only in the prefix share a bucket.  As with __flow_hash4(),
 * the hash is unkeyed and therefore predictable to a remote peer.
 */
static inline u32 __flow_hash6(struct flowi *fl)
{
	u32 h;

	h  = fl->fl6_src.s6_addr32[2];
	h ^= fl->fl6_src.s6_addr32[3];
	h ^= fl->fl_ip_sport;

	/* nibble swap, see __flow_hash4() */
	h = ((h >> 4) & 0x0F0F0F0F) | ((h << 4) & 0xF0F0F0F0);

	h ^= fl->fl6_dst.s6_addr32[2];
	h ^= fl->fl6_dst.s6_addr32[3];
	h ^= fl->fl_ip_dport;
	h ^= h >> 10;
	h ^= h >> 20;

	return h & (XFRM_FLOWCACHE_HASH_SIZE - 1);
}
 336
/* Dispatch to the per-family flow hash.  An unknown family lands every
 * flow in bucket 0 (kept from the original; marked XXX there). */
static inline u32 flow_hash(struct flowi *fl, unsigned short family)
{
	if (family == AF_INET)
		return __flow_hash4(fl);
	if (family == AF_INET6)
		return __flow_hash6(fl);
	return 0;	/*XXX*/
}
 347
 348extern struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2];
 349
/* Take a reference on @policy.  NULL is tolerated as a no-op so a lookup
 * result can be passed straight through. */
static inline void xfrm_pol_hold(struct xfrm_policy *policy)
{
	if (unlikely(policy == NULL))
		return;
	atomic_inc(&policy->refcnt);
}
 355
 356extern void __xfrm_policy_destroy(struct xfrm_policy *policy);
 357
/* Drop a reference on @policy and destroy it when the count reaches zero.
 * Unlike xfrm_pol_hold(), @policy must not be NULL. */
static inline void xfrm_pol_put(struct xfrm_policy *policy)
{
	int last_ref = atomic_dec_and_test(&policy->refcnt);

	if (last_ref)
		__xfrm_policy_destroy(policy);
}
 363
#define XFRM_DST_HSIZE		1024

/* SAD bucket for an IPv4 destination, in [0, XFRM_DST_HSIZE).
 * Unkeyed: a peer that controls the addresses it uses controls the bucket. */
static __inline__
unsigned __xfrm4_dst_hash(xfrm_address_t *addr)
{
	unsigned folded = ntohl(addr->a4);

	folded ^= folded >> 16;
	return folded % XFRM_DST_HSIZE;
}
 374
/* SAD bucket for an IPv6 destination, in [0, XFRM_DST_HSIZE).
 * Only the low 64 bits (words 2 and 3) contribute, so addresses differing
 * in their prefix alone collide; the hash is unkeyed as well. */
static __inline__
unsigned __xfrm6_dst_hash(xfrm_address_t *addr)
{
	unsigned folded = ntohl(addr->a6[2] ^ addr->a6[3]);

	folded ^= folded >> 16;
	return folded % XFRM_DST_HSIZE;
}
 383
/* Per-family dispatch for the by-destination SAD hash; unknown families
 * all map to bucket 0. */
static __inline__
unsigned xfrm_dst_hash(xfrm_address_t *addr, unsigned short family)
{
	if (family == AF_INET)
		return __xfrm4_dst_hash(addr);
	if (family == AF_INET6)
		return __xfrm6_dst_hash(addr);
	return 0;
}
 395
/* SAD bucket for an inbound IPv4 lookup key (daddr, spi, proto).
 * Unkeyed; the SPI is attacker-chosen on the wire, so bucket distribution
 * of incoming lookups is under remote control. */
static __inline__
unsigned __xfrm4_spi_hash(xfrm_address_t *addr, u32 spi, u8 proto)
{
	unsigned folded = ntohl(addr->a4 ^ spi ^ proto);

	folded ^= (folded >> 10) ^ (folded >> 20);
	return folded % XFRM_DST_HSIZE;
}
 404
/* SAD bucket for an inbound IPv6 lookup key (daddr, spi, proto); only the
 * low 64 bits of the address take part.  Unkeyed, like the IPv4 variant. */
static __inline__
unsigned __xfrm6_spi_hash(xfrm_address_t *addr, u32 spi, u8 proto)
{
	unsigned folded = ntohl(addr->a6[2] ^ addr->a6[3] ^ spi ^ proto);

	folded ^= (folded >> 10) ^ (folded >> 20);
	return folded % XFRM_DST_HSIZE;
}
 413
/* Per-family dispatch for the by-SPI SAD hash.  Unknown families map to
 * bucket 0 (the original marks this XXX). */
static __inline__
unsigned xfrm_spi_hash(xfrm_address_t *addr, u32 spi, u8 proto, unsigned short family)
{
	if (family == AF_INET)
		return __xfrm4_spi_hash(addr, spi, proto);
	if (family == AF_INET6)
		return __xfrm6_spi_hash(addr, spi, proto);
	return 0;	/*XXX*/
}
 425
 426extern void __xfrm_state_destroy(struct xfrm_state *);
 427
/* Drop a reference on SA @x; destroys it on the last one.  @x must be
 * non-NULL (no NULL tolerance, unlike xfrm_pol_hold()). */
static inline void xfrm_state_put(struct xfrm_state *x)
{
	int last_ref = atomic_dec_and_test(&x->refcnt);

	if (last_ref)
		__xfrm_state_destroy(x);
}
 433
/* Take a reference on SA @x.  @x must be non-NULL. */
static inline void xfrm_state_hold(struct xfrm_state *x)
{
	atomic_t *cnt = &x->refcnt;

	atomic_inc(cnt);
}
 438
/* Compare the first @prefixlen bits of two addresses held in network byte
 * order as arrays of __u32 (one word for IPv4, four for IPv6).
 *
 * Returns 1 when the prefixes agree (prefixlen 0 matches anything), 0
 * otherwise.
 *
 * NOTE(security): nothing here bounds @prefixlen against the size of the
 * address.  prefixlen/32 whole words plus one partial word are read, so a
 * prefix length above 32 (IPv4) or 128 (IPv6) reads past the address.
 * Selector prefix lengths come from whoever installs the policy or SA and
 * must be validated at that point; this hot path trusts them.
 */
static __inline__ int addr_match(void *token1, void *token2, int prefixlen)
{
	__u32 *lhs = token1;
	__u32 *rhs = token2;
	int full_words = prefixlen >> 5;	/* complete 32-bit words in the prefix */
	int tail_bits = prefixlen & 0x1f;	/* leading bits of the next word */
	int i;

	for (i = 0; i < full_words; i++)
		if (lhs[i] != rhs[i])
			return 0;

	if (tail_bits) {
		/* Build the mask in host order, then convert it so that it
		 * covers the leading (most significant on the wire) bits of
		 * the network-order word. */
		__u32 mask = htonl(0xffffffffU << (32 - tail_bits));

		if ((lhs[full_words] ^ rhs[full_words]) & mask)
			return 0;
	}

	return 1;
}
 464
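/* Does the IPv4 flow @fl fall under selector @sel?
 *
 * Address prefixes, ports (under their masks), protocol and output
 * interface must all agree; a zero proto or ifindex in the selector is a
 * wildcard.  Returns 1 on match, 0 otherwise.
 *
 * Defence in depth: the selector's prefix lengths are supplied by whoever
 * installed the policy or SA.  addr_match() reads prefixlen/32 whole words,
 * so a value above 32 would read past the 4-byte address in @fl if it were
 * not rejected at install time.  Clamp to 32 (a full host match) here so a
 * malformed selector cannot turn into an out-of-bounds read on this path.
 */
static inline int
__xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl)
{
	int plen_d = sel->prefixlen_d > 32 ? 32 : sel->prefixlen_d;
	int plen_s = sel->prefixlen_s > 32 ? 32 : sel->prefixlen_s;

	return	addr_match(&fl->fl4_dst, &sel->daddr, plen_d) &&
		addr_match(&fl->fl4_src, &sel->saddr, plen_s) &&
		!((fl->fl_ip_dport^sel->dport)&sel->dport_mask) &&
		!((fl->fl_ip_sport^sel->sport)&sel->sport_mask) &&
		(fl->proto == sel->proto || !sel->proto) &&
		(fl->oif == sel->ifindex || !sel->ifindex);
}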
 475
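/* Does the IPv6 flow @fl fall under selector @sel?
 *
 * Same contract as __xfrm4_selector_match(): address prefixes, masked
 * ports, protocol and output interface must agree, zero proto/ifindex in
 * the selector being wildcards.  Returns 1 on match, 0 otherwise.
 *
 * Defence in depth: prefix lengths are installer-supplied and addr_match()
 * does not bound them.  Clamp to 128 (the full in6_addr) so a malformed
 * selector cannot make addr_match() read beyond the address.
 */
static inline int
__xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl)
{
	int plen_d = sel->prefixlen_d > 128 ? 128 : sel->prefixlen_d;
	int plen_s = sel->prefixlen_s > 128 ? 128 : sel->prefixlen_s;

	return	addr_match(&fl->fl6_dst, &sel->daddr, plen_d) &&
		addr_match(&fl->fl6_src, &sel->saddr, plen_s) &&
		!((fl->fl_ip_dport^sel->dport)&sel->dport_mask) &&
		!((fl->fl_ip_sport^sel->sport)&sel->sport_mask) &&
		(fl->proto == sel->proto || !sel->proto) &&
		(fl->oif == sel->ifindex || !sel->ifindex);
}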
 486
/* Per-family selector match.  An unknown family never matches, which is
 * the fail-closed choice for a policy lookup. */
static inline int
xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
		    unsigned short family)
{
	if (family == AF_INET)
		return __xfrm4_selector_match(sel, fl);
	if (family == AF_INET6)
		return __xfrm6_selector_match(sel, fl);
	return 0;
}
 499
 500/* A struct encoding bundle of transformations to apply to some set of flow.
 501 *
 502 * dst->child points to the next element of bundle.
 * dst->xfrm  points to an instance of transformer.
 504 *
 * Due to unfortunate limitations of the current routing cache, which we
 * have no time to fix, it mirrors struct rtable and is bound to the same
 * routing key, including saddr and daddr. However, we can have many
 * bundles differing by session id. All the bundles grow from a parent
 * policy rule.
 510 */
/* A bundle element.  Overlays dst_entry/rtable/rt6_info so that a bundle
 * can sit in sk->sk_dst_cache like an ordinary route; ->next chains
 * bundles hanging off one policy (xfrm_policy.bundles). */
struct xfrm_dst
{
	union {
		struct xfrm_dst		*next;
		struct dst_entry	dst;
		struct rtable		rt;
		struct rt6_info		rt6;
	} u;
};
 520
/* Decapsulation state, used by the input path to store data during
 * the decapsulation procedure, to be used later (during the policy
 * check).
 */
/* Opaque per-packet scratch space handed to xfrm_type->input/post_input.
 * decap_data is a fixed 20-byte buffer; whatever a handler stores there must
 * fit that bound, and decap_type says how to interpret it. */
struct xfrm_decap_state {
	char	decap_data[20];
	__u16	decap_type;
};   
 529
/* One hop of a packet's inbound transform history: the SA it was
 * decapsulated by plus that step's decapsulation state. */
struct sec_decap_state {
	struct xfrm_state	*xvec;
	struct xfrm_decap_state decap;
};
 534
/* The "security path" of an inbound packet: the up to XFRM_MAX_DEPTH SAs
 * it arrived through (innermost last, presumably).  The inbound policy
 * check compares this against the policy's templates.  Reference counted
 * via secpath_get()/secpath_put(); len must not exceed XFRM_MAX_DEPTH. */
struct sec_path
{
	atomic_t		refcnt;
	int			len;
	struct sec_decap_state	x[XFRM_MAX_DEPTH];
};
 541
/* Take a reference on @sp (NULL is passed through untouched) and return
 * it, so the call can be used inline in an assignment. */
static inline struct sec_path *
secpath_get(struct sec_path *sp)
{
	if (sp == NULL)
		return NULL;
	atomic_inc(&sp->refcnt);
	return sp;
}
 549
 550extern void __secpath_destroy(struct sec_path *sp);
 551
/* Drop a reference on @sp (NULL is a no-op); destroys it on the last one. */
static inline void
secpath_put(struct sec_path *sp)
{
	if (sp == NULL)
		return;
	if (atomic_dec_and_test(&sp->refcnt))
		__secpath_destroy(sp);
}
 558
 559extern struct sec_path *secpath_dup(struct sec_path *src);
 560
/* Forget the security path of @skb: drop its reference and clear the
 * pointer.  A no-op without CONFIG_XFRM, where skb has no such field. */
static inline void
secpath_reset(struct sk_buff *skb)
{
#ifdef CONFIG_XFRM
	struct sec_path *old = skb->sp;

	secpath_put(old);
	skb->sp = NULL;
#endif
}
 569
/* Does the IPv4 template source address conflict with SA @x?
 * Returns non-zero on MISMATCH (note the inverted sense compared to
 * __xfrm4_state_addr_check()); an unspecified (0) template source never
 * conflicts. */
static inline int
__xfrm4_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
{
	if (tmpl->saddr.a4 == 0)
		return 0;
	return tmpl->saddr.a4 != x->props.saddr.a4;
}
 576
/* IPv6 counterpart of __xfrm4_state_addr_cmp(): non-zero on MISMATCH, and
 * an unspecified (::) template source never conflicts. */
static inline int
__xfrm6_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
{
	struct in6_addr *tsrc = (struct in6_addr *)&tmpl->saddr;
	struct in6_addr *xsrc = (struct in6_addr *)&x->props.saddr;

	if (ipv6_addr_any(tsrc))
		return 0;
	return ipv6_addr_cmp(tsrc, xsrc) != 0;
}
 583
/* Per-family template-vs-SA source comparison.  Non-zero means mismatch;
 * an unknown family is reported as a mismatch so nothing is reused blindly. */
static inline int
xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family)
{
	if (family == AF_INET)
		return __xfrm4_state_addr_cmp(tmpl, x);
	if (family == AF_INET6)
		return __xfrm6_state_addr_cmp(tmpl, x);
	return 1;
}
 595
 596#ifdef CONFIG_XFRM
 597
 598extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
 599
/* Inbound/forward policy gate.  Returns non-zero to accept @skb.
 *
 * Fast paths, in order:
 *  - a socket with its own inbound policy always gets the full check;
 *  - no global policy in @dir at all: accept, whether or not the packet
 *    arrived protected.  "Cleartext must be refused" therefore requires
 *    an explicit policy to be installed, not just an SA;
 *  - a route flagged DST_NOPOLICY is exempt from the check entirely;
 *  - otherwise __xfrm_policy_check() decides.
 *
 * skb->dst is dereferenced without a NULL test, so callers must only use
 * this after routing has attached a dst to the packet.
 */
static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
{
	if (sk != NULL && sk->sk_policy[XFRM_POLICY_IN] != NULL)
		return __xfrm_policy_check(sk, dir, skb, family);

	if (xfrm_policy_list[dir] == NULL)
		return 1;
	if (skb->dst->flags & DST_NOPOLICY)
		return 1;
	return __xfrm_policy_check(sk, dir, skb, family) != 0;
}
 609
/* IPv4 convenience wrapper around xfrm_policy_check(). */
static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
{
	const unsigned short family = AF_INET;

	return xfrm_policy_check(sk, dir, skb, family);
}
 614
/* IPv6 convenience wrapper around xfrm_policy_check(). */
static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
{
	const unsigned short family = AF_INET6;

	return xfrm_policy_check(sk, dir, skb, family);
}
 619
 620
 621extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
 622
/* Outbound policy gate for forwarded packets.  Returns non-zero to let
 * @skb proceed.  With no XFRM_POLICY_OUT rules at all, or a route flagged
 * DST_NOXFRM, the packet is passed through untransformed without asking
 * __xfrm_route_forward().  skb->dst must be set. */
static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
{
	if (xfrm_policy_list[XFRM_POLICY_OUT] == NULL)
		return 1;
	if (skb->dst->flags & DST_NOXFRM)
		return 1;
	return __xfrm_route_forward(skb, family) != 0;
}
 629
/* IPv4 convenience wrapper around xfrm_route_forward(). */
static inline int xfrm4_route_forward(struct sk_buff *skb)
{
	const unsigned short family = AF_INET;

	return xfrm_route_forward(skb, family);
}
 634
/* IPv6 convenience wrapper around xfrm_route_forward(). */
static inline int xfrm6_route_forward(struct sk_buff *skb)
{
	const unsigned short family = AF_INET6;

	return xfrm_route_forward(skb, family);
}
 639
 640extern int __xfrm_sk_clone_policy(struct sock *sk);
 641
/* Clone @sk's per-socket policies if it has any; the common case of a
 * socket without policies costs two pointer tests.  Returns what
 * __xfrm_sk_clone_policy() returns, or 0 when there is nothing to clone. */
static inline int xfrm_sk_clone_policy(struct sock *sk)
{
	int has_policy = sk->sk_policy[0] != NULL || sk->sk_policy[1] != NULL;

	if (likely(!has_policy))
		return 0;
	return __xfrm_sk_clone_policy(sk);
}
 648
 649extern void xfrm_policy_delete(struct xfrm_policy *pol, int dir);
 650
/* Release both per-socket policy slots of @sk.  Slot i is deleted from the
 * pseudo-direction XFRM_POLICY_MAX + i and the pointer cleared so a second
 * call is harmless. */
static inline void xfrm_sk_free_policy(struct sock *sk)
{
	int slot;

	for (slot = 0; slot < 2; slot++) {
		struct xfrm_policy *pol = sk->sk_policy[slot];

		if (likely(pol == NULL))
			continue;
		xfrm_policy_delete(pol, XFRM_POLICY_MAX + slot);
		sk->sk_policy[slot] = NULL;
	}
}
 662
 663#else
 664
 665static inline void xfrm_sk_free_policy(struct sock *sk) {}
 666static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
 667static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }  
 668static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; } 
/* !CONFIG_XFRM: no inbound policy, everything is accepted. */
static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
{
	return 1;
}
/* !CONFIG_XFRM: no inbound policy, everything is accepted. */
static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
{
	return 1;
}
/* !CONFIG_XFRM: no inbound policy, everything is accepted. */
static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
{
	return 1;
}
 681#endif
 682
/* Destination address of @fl viewed as an xfrm_address_t.  Returns NULL
 * for an unsupported family -- callers must check before dereferencing. */
static __inline__
xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
{
	void *addr = NULL;

	if (family == AF_INET)
		addr = &fl->fl4_dst;
	else if (family == AF_INET6)
		addr = &fl->fl6_dst;
	return (xfrm_address_t *)addr;
}
 694
/* Source address of @fl viewed as an xfrm_address_t.  Returns NULL for an
 * unsupported family -- callers must check before dereferencing. */
static __inline__
xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family)
{
	void *addr = NULL;

	if (family == AF_INET)
		addr = &fl->fl4_src;
	else if (family == AF_INET6)
		addr = &fl->fl6_src;
	return (xfrm_address_t *)addr;
}
 706
/* Does SA @x serve the IPv4 pair (@daddr, @saddr)?  Returns 1 if so.
 *
 * The destination must match exactly.  The source matches exactly or when
 * either side left it unspecified (0) -- so an SA installed with a zero
 * source accepts any source, which is worth remembering when reviewing
 * what an SA is allowed to carry. */
static __inline__ int
__xfrm4_state_addr_check(struct xfrm_state *x,
			 xfrm_address_t *daddr, xfrm_address_t *saddr)
{
	int saddr_ok;

	if (daddr->a4 != x->id.daddr.a4)
		return 0;

	saddr_ok = saddr->a4 == x->props.saddr.a4 ||
		   saddr->a4 == 0 ||
		   x->props.saddr.a4 == 0;
	return saddr_ok ? 1 : 0;
}
 716
/* IPv6 counterpart of __xfrm4_state_addr_check(): exact destination, and a
 * source that matches exactly or is unspecified (::) on either side. */
static __inline__ int
__xfrm6_state_addr_check(struct xfrm_state *x,
			 xfrm_address_t *daddr, xfrm_address_t *saddr)
{
	struct in6_addr *d = (struct in6_addr *)daddr;
	struct in6_addr *s = (struct in6_addr *)saddr;
	struct in6_addr *xd = (struct in6_addr *)&x->id.daddr;
	struct in6_addr *xs = (struct in6_addr *)&x->props.saddr;

	if (ipv6_addr_cmp(d, xd))
		return 0;
	if (!ipv6_addr_cmp(s, xs) || ipv6_addr_any(s) || ipv6_addr_any(xs))
		return 1;
	return 0;
}
 728
/* Per-family SA address check; an unknown family never matches. */
static __inline__ int
xfrm_state_addr_check(struct xfrm_state *x,
		      xfrm_address_t *daddr, xfrm_address_t *saddr,
		      unsigned short family)
{
	if (family == AF_INET)
		return __xfrm4_state_addr_check(x, daddr, saddr);
	if (family == AF_INET6)
		return __xfrm6_state_addr_check(x, daddr, saddr);
	return 0;
}
 742
/* Non-zero when @x is a kernel-internal tunnel state (it has tunnel users,
 * see tunnel_users: "number of users + 1"); presumably such states are not
 * to be deleted at a key manager's request. */
static inline int xfrm_state_kern(struct xfrm_state *x)
{
	int users = atomic_read(&x->tunnel_users);

	return users;
}
 747
 748/*
 749 * xfrm algorithm information
 750 */
/* Authentication algorithm parameters: the ICV is computed at icv_fullbits
 * and truncated to icv_truncbits on the wire. */
struct xfrm_algo_auth_info {
	u16 icv_truncbits;
	u16 icv_fullbits;
};
 755
/* Encryption algorithm parameters: cipher block size and default key size,
 * both in bits. */
struct xfrm_algo_encr_info {
	u16 blockbits;
	u16 defkeybits;
};
 760
/* Compression algorithm parameters (threshold: presumably the minimum
 * payload size worth compressing -- confirm in the IPComp code). */
struct xfrm_algo_comp_info {
	u16 threshold;
};
 764
/* Static description of one algorithm known to xfrm, looked up by index,
 * id or name via the xfrm_*alg_get_by*() helpers below.  `available` is
 * set by xfrm_probe_algs() when the crypto layer actually provides it. */
struct xfrm_algo_desc {
	char *name;
	u8 available:1;
	union {
		struct xfrm_algo_auth_info auth;
		struct xfrm_algo_encr_info encr;
		struct xfrm_algo_comp_info comp;
	} uinfo;
	struct sadb_alg desc;		/* PF_KEY view of the same algorithm */
};
 775
 776/* XFRM tunnel handlers.  */
/* IPv4 tunnel protocol handler, registered with xfrm4_tunnel_register().
 * handler() receives packets off the wire; err_handler() ICMP errors. */
struct xfrm_tunnel {
	int (*handler)(struct sk_buff *skb);
	void (*err_handler)(struct sk_buff *skb, void *info);
};
 781
/* IPv6 tunnel protocol handler, registered with xfrm6_tunnel_register().
 * handler() may replace *pskb; *nhoffp is the next-header offset. */
struct xfrm6_tunnel {
	int (*handler)(struct sk_buff **pskb, unsigned int *nhoffp);
	void (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
			    int type, int code, int offset, __u32 info);
};
 787
/* Subsystem initialisation and teardown. */
extern void xfrm_init(void);
extern void xfrm4_init(void);
extern void xfrm4_fini(void);
extern void xfrm6_init(void);
extern void xfrm6_fini(void);
extern void xfrm_state_init(void);
extern void xfrm4_state_init(void);
extern void xfrm4_state_fini(void);
extern void xfrm6_state_init(void);
extern void xfrm6_state_fini(void);
extern void xfrm6_tunnel_init(void);
extern void xfrm6_tunnel_fini(void);

/* SAD management.  Lookup results are returned with a reference held
 * (presumably -- pair every successful find with xfrm_state_put()). */
extern int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*), void *);
extern struct xfrm_state *xfrm_state_alloc(void);
extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 
					  struct flowi *fl, struct xfrm_tmpl *tmpl,
					  struct xfrm_policy *pol, int *err,
					  unsigned short family);
extern int xfrm_state_check_expire(struct xfrm_state *x);
extern void xfrm_state_insert(struct xfrm_state *x);
extern int xfrm_state_add(struct xfrm_state *x);
extern int xfrm_state_update(struct xfrm_state *x);
extern int xfrm_state_check_space(struct xfrm_state *x, struct sk_buff *skb);
/* Inbound SA lookup by (daddr, spi, proto) -- all three come from the packet. */
extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, u32 spi, u8 proto, unsigned short family);
extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq);
extern void xfrm_state_delete(struct xfrm_state *x);
extern void xfrm_state_flush(u8 proto);
/* Anti-replay.  @seq is the packet's sequence number, i.e. untrusted:
 * the window must only be advanced after the packet has been
 * authenticated, or a spoofed sequence number could move it. */
extern int xfrm_replay_check(struct xfrm_state *x, u32 seq);
extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq);
extern int xfrm_check_selectors(struct xfrm_state **x, int n, struct flowi *fl);
extern int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb);
/* Protocol entry points (receive/transmit) and tunnel handler registration. */
extern int xfrm4_rcv(struct sk_buff *skb);
extern int xfrm4_output(struct sk_buff **pskb);
extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler);
extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler);
extern int xfrm6_rcv(struct sk_buff **pskb, unsigned int *nhoffp);
extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler);
extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler);
extern u32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);
extern void xfrm6_tunnel_free_spi(xfrm_address_t *saddr);
extern u32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr);
extern int xfrm6_output(struct sk_buff **pskb);
 831
 832#ifdef CONFIG_XFRM
/* UDP-encapsulated receive path (@encap_type selects the framing). */
extern int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type);
/* setsockopt() entry for per-socket policy; @optval is a userspace pointer
 * of @optlen bytes and must be copied in and validated before use. */
extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
extern int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family);
 836#else
/* !CONFIG_XFRM: per-socket policy is not a supported socket option. */
static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
{
	const int rc = -ENOPROTOOPT;

	return rc;
} 
 841
/* !CONFIG_XFRM: nothing can decapsulate an encapsulated packet, so it is
 * dropped.  Reaching this at all indicates a misconfiguration elsewhere. */
static inline int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
{
	/* should not happen */
	kfree_skb(skb);

	return 0;
}
/* !CONFIG_XFRM: no bundles exist; every lookup fails with -EINVAL and
 * *dst is left untouched. */
static inline int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family)
{
	const int rc = -EINVAL;

	return rc;
} 
 852#endif
 853
/* SPD management.  Note that xfrm_policy_flush() is declared twice in this
 * run (once without `extern`); both declarations agree, so it is harmless. */
void xfrm_policy_init(void);
void xfrm4_policy_init(void);
void xfrm6_policy_init(void);
struct xfrm_policy *xfrm_policy_alloc(int gfp);
extern int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*), void *);
/* Insert into direction @dir; with @excl an existing identical selector is
 * presumably rejected rather than replaced. */
int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
struct xfrm_policy *xfrm_policy_bysel(int dir, struct xfrm_selector *sel,
				      int delete);
struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete);
void xfrm_policy_flush(void);
u32 xfrm_get_acqseq(void);
/* Pick an SPI for @x in [minspi, maxspi]; SPIs are visible on the wire and
 * used as lookup keys, so the generator's distribution matters. */
void xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto, 
				  xfrm_address_t *daddr, xfrm_address_t *saddr, 
				  int create, unsigned short family);
extern void xfrm_policy_flush(void);
extern void xfrm_policy_kill(struct xfrm_policy *);
extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
extern struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl);
extern int xfrm_flush_bundles(void);
 874
/* Key manager interface: wait queue for answers, and the events the core
 * raises towards registered managers (struct xfrm_mgr). */
extern wait_queue_head_t km_waitq;
extern void km_state_expired(struct xfrm_state *x, int hard);
extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *pol);
extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport);
extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard);
 880
extern void xfrm_input_init(void);
/* Extract SPI and sequence number for protocol @nexthdr from the packet.
 * Reads untrusted header bytes; must verify the header is present before
 * touching it.  Returns 0 on success, negative otherwise (presumably). */
extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi, u32 *seq);
 883
/* Algorithm table access (struct xfrm_algo_desc).  *_byidx walk the table,
 * *_byid look up the PF_KEY/xfrm id, *_byname the crypto name. */
extern void xfrm_probe_algs(void);
extern int xfrm_count_auth_supported(void);
extern int xfrm_count_enc_supported(void);
extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
extern struct xfrm_algo_desc *xfrm_calg_get_byidx(unsigned int idx);
extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name);
extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name);
extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name);
 896
struct crypto_tfm;
/* Callback fed successive scatterlist chunks of the ICV input. */
typedef void (icv_update_fn_t)(struct crypto_tfm *, struct scatterlist *, unsigned int);

/* Feed @len bytes of @skb starting at @offset (spanning fragments) to
 * @icv_update, for computing/verifying an ICV over non-linear data. */
extern void skb_icv_walk(const struct sk_buff *skb, struct crypto_tfm *tfm,
			 int offset, int len, icv_update_fn_t icv_update);
 902
 903#endif  /* _NET_XFRM_H */
 904