linux/include/net/xfrm.h
<<
>>
Prefs
   1#ifndef _NET_XFRM_H
   2#define _NET_XFRM_H
   3
   4#include <linux/compiler.h>
   5#include <linux/xfrm.h>
   6#include <linux/spinlock.h>
   7#include <linux/list.h>
   8#include <linux/skbuff.h>
   9#include <linux/socket.h>
  10#include <linux/pfkeyv2.h>
  11#include <linux/ipsec.h>
  12#include <linux/in6.h>
  13#include <linux/mutex.h>
  14#include <linux/audit.h>
  15
  16#include <net/sock.h>
  17#include <net/dst.h>
  18#include <net/ip.h>
  19#include <net/route.h>
  20#include <net/ipv6.h>
  21#include <net/ip6_fib.h>
  22#ifdef CONFIG_XFRM_STATISTICS
  23#include <net/snmp.h>
  24#endif
  25
  26#define XFRM_PROTO_ESP          50
  27#define XFRM_PROTO_AH           51
  28#define XFRM_PROTO_COMP         108
  29#define XFRM_PROTO_IPIP         4
  30#define XFRM_PROTO_IPV6         41
  31#define XFRM_PROTO_ROUTING      IPPROTO_ROUTING
  32#define XFRM_PROTO_DSTOPTS      IPPROTO_DSTOPTS
  33
  34#define XFRM_ALIGN8(len)        (((len) + 7) & ~7)
  35#define MODULE_ALIAS_XFRM_MODE(family, encap) \
  36        MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
  37#define MODULE_ALIAS_XFRM_TYPE(family, proto) \
  38        MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
  39
  40#ifdef CONFIG_XFRM_STATISTICS
  41#define XFRM_INC_STATS(net, field)      SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
  42#define XFRM_INC_STATS_BH(net, field)   SNMP_INC_STATS_BH((net)->mib.xfrm_statistics, field)
  43#define XFRM_INC_STATS_USER(net, field) SNMP_INC_STATS_USER((net)-mib.xfrm_statistics, field)
  44#else
  45#define XFRM_INC_STATS(net, field)      ((void)(net))
  46#define XFRM_INC_STATS_BH(net, field)   ((void)(net))
  47#define XFRM_INC_STATS_USER(net, field) ((void)(net))
  48#endif
  49
  50extern struct mutex xfrm_cfg_mutex;
  51
  52/* Organization of SPD aka "XFRM rules"
  53   ------------------------------------
  54
  55   Basic objects:
  56   - policy rule, struct xfrm_policy (=SPD entry)
  57   - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
  58   - instance of a transformer, struct xfrm_state (=SA)
  59   - template to clone xfrm_state, struct xfrm_tmpl
  60
  61   SPD is plain linear list of xfrm_policy rules, ordered by priority.
  62   (To be compatible with existing pfkeyv2 implementations,
  63   many rules with priority of 0x7fffffff are allowed to exist and
  64   such rules are ordered in an unpredictable way, thanks to bsd folks.)
  65
  66   Lookup is plain linear search until the first match with selector.
  67
  68   If "action" is "block", then we prohibit the flow, otherwise:
  69   if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
  70   policy entry has list of up to XFRM_MAX_DEPTH transformations,
  71   described by templates xfrm_tmpl. Each template is resolved
  72   to a complete xfrm_state (see below) and we pack bundle of transformations
  73   to a dst_entry returned to requestor.
  74
  75   dst -. xfrm  .-> xfrm_state #1
  76    |---. child .-> dst -. xfrm .-> xfrm_state #2
  77                     |---. child .-> dst -. xfrm .-> xfrm_state #3
  78                                      |---. child .-> NULL
  79
  80   Bundles are cached at xrfm_policy struct (field ->bundles).
  81
  82
  83   Resolution of xrfm_tmpl
  84   -----------------------
  85   Template contains:
  86   1. ->mode            Mode: transport or tunnel
  87   2. ->id.proto        Protocol: AH/ESP/IPCOMP
  88   3. ->id.daddr        Remote tunnel endpoint, ignored for transport mode.
  89      Q: allow to resolve security gateway?
  90   4. ->id.spi          If not zero, static SPI.
  91   5. ->saddr           Local tunnel endpoint, ignored for transport mode.
  92   6. ->algos           List of allowed algos. Plain bitmask now.
  93      Q: ealgos, aalgos, calgos. What a mess...
  94   7. ->share           Sharing mode.
  95      Q: how to implement private sharing mode? To add struct sock* to
  96      flow id?
  97
  98   Having this template we search through SAD searching for entries
  99   with appropriate mode/proto/algo, permitted by selector.
 100   If no appropriate entry found, it is requested from key manager.
 101
 102   PROBLEMS:
 103   Q: How to find all the bundles referring to a physical path for
 104      PMTU discovery? Seems, dst should contain list of all parents...
 105      and enter to infinite locking hierarchy disaster.
 106      No! It is easier, we will not search for them, let them find us.
 107      We add genid to each dst plus pointer to genid of raw IP route,
 108      pmtu disc will update pmtu on raw IP route and increase its genid.
 109      dst_check() will see this for top level and trigger resyncing
 110      metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
 111 */
 112
 113struct xfrm_state_walk {
 114        struct list_head        all;
 115        u8                      state;
 116        union {
 117                u8              dying;
 118                u8              proto;
 119        };
 120        u32                     seq;
 121};
 122
 123/* Full description of state of transformer. */
 124struct xfrm_state
 125{
 126#ifdef CONFIG_NET_NS
 127        struct net              *xs_net;
 128#endif
 129        union {
 130                struct hlist_node       gclist;
 131                struct hlist_node       bydst;
 132        };
 133        struct hlist_node       bysrc;
 134        struct hlist_node       byspi;
 135
 136        atomic_t                refcnt;
 137        spinlock_t              lock;
 138
 139        struct xfrm_id          id;
 140        struct xfrm_selector    sel;
 141
 142        u32                     genid;
 143
 144        /* Key manager bits */
 145        struct xfrm_state_walk  km;
 146
 147        /* Parameters of this state. */
 148        struct {
 149                u32             reqid;
 150                u8              mode;
 151                u8              replay_window;
 152                u8              aalgo, ealgo, calgo;
 153                u8              flags;
 154                u16             family;
 155                xfrm_address_t  saddr;
 156                int             header_len;
 157                int             trailer_len;
 158        } props;
 159
 160        struct xfrm_lifetime_cfg lft;
 161
 162        /* Data for transformer */
 163        struct xfrm_algo        *aalg;
 164        struct xfrm_algo        *ealg;
 165        struct xfrm_algo        *calg;
 166        struct xfrm_algo_aead   *aead;
 167
 168        /* Data for encapsulator */
 169        struct xfrm_encap_tmpl  *encap;
 170
 171        /* Data for care-of address */
 172        xfrm_address_t  *coaddr;
 173
 174        /* IPComp needs an IPIP tunnel for handling uncompressed packets */
 175        struct xfrm_state       *tunnel;
 176
 177        /* If a tunnel, number of users + 1 */
 178        atomic_t                tunnel_users;
 179
 180        /* State for replay detection */
 181        struct xfrm_replay_state replay;
 182
 183        /* Replay detection state at the time we sent the last notification */
 184        struct xfrm_replay_state preplay;
 185
 186        /* internal flag that only holds state for delayed aevent at the
 187         * moment
 188        */
 189        u32                     xflags;
 190
 191        /* Replay detection notification settings */
 192        u32                     replay_maxage;
 193        u32                     replay_maxdiff;
 194
 195        /* Replay detection notification timer */
 196        struct timer_list       rtimer;
 197
 198        /* Statistics */
 199        struct xfrm_stats       stats;
 200
 201        struct xfrm_lifetime_cur curlft;
 202        struct timer_list       timer;
 203
 204        /* Last used time */
 205        unsigned long           lastused;
 206
 207        /* Reference to data common to all the instances of this
 208         * transformer. */
 209        const struct xfrm_type  *type;
 210        struct xfrm_mode        *inner_mode;
 211        struct xfrm_mode        *inner_mode_iaf;
 212        struct xfrm_mode        *outer_mode;
 213
 214        /* Security context */
 215        struct xfrm_sec_ctx     *security;
 216
 217        /* Private data of this transformer, format is opaque,
 218         * interpreted by xfrm_type methods. */
 219        void                    *data;
 220};
 221
 222static inline struct net *xs_net(struct xfrm_state *x)
 223{
 224        return read_pnet(&x->xs_net);
 225}
 226
 227/* xflags - make enum if more show up */
 228#define XFRM_TIME_DEFER 1
 229
 230enum {
 231        XFRM_STATE_VOID,
 232        XFRM_STATE_ACQ,
 233        XFRM_STATE_VALID,
 234        XFRM_STATE_ERROR,
 235        XFRM_STATE_EXPIRED,
 236        XFRM_STATE_DEAD
 237};
 238
 239/* callback structure passed from either netlink or pfkey */
 240struct km_event
 241{
 242        union {
 243                u32 hard;
 244                u32 proto;
 245                u32 byid;
 246                u32 aevent;
 247                u32 type;
 248        } data;
 249
 250        u32     seq;
 251        u32     pid;
 252        u32     event;
 253        struct net *net;
 254};
 255
 256struct net_device;
 257struct xfrm_type;
 258struct xfrm_dst;
 259struct xfrm_policy_afinfo {
 260        unsigned short          family;
 261        struct dst_ops          *dst_ops;
 262        void                    (*garbage_collect)(struct net *net);
 263        struct dst_entry        *(*dst_lookup)(struct net *net, int tos,
 264                                               xfrm_address_t *saddr,
 265                                               xfrm_address_t *daddr);
 266        int                     (*get_saddr)(struct net *net, xfrm_address_t *saddr, xfrm_address_t *daddr);
 267        struct dst_entry        *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
 268        void                    (*decode_session)(struct sk_buff *skb,
 269                                                  struct flowi *fl,
 270                                                  int reverse);
 271        int                     (*get_tos)(struct flowi *fl);
 272        int                     (*init_path)(struct xfrm_dst *path,
 273                                             struct dst_entry *dst,
 274                                             int nfheader_len);
 275        int                     (*fill_dst)(struct xfrm_dst *xdst,
 276                                            struct net_device *dev);
 277};
 278
 279extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
 280extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
 281extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
 282extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
 283
 284struct xfrm_tmpl;
 285extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
 286extern void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
 287extern int __xfrm_state_delete(struct xfrm_state *x);
 288
 289struct xfrm_state_afinfo {
 290        unsigned int            family;
 291        unsigned int            proto;
 292        __be16                  eth_proto;
 293        struct module           *owner;
 294        const struct xfrm_type  *type_map[IPPROTO_MAX];
 295        struct xfrm_mode        *mode_map[XFRM_MODE_MAX];
 296        int                     (*init_flags)(struct xfrm_state *x);
 297        void                    (*init_tempsel)(struct xfrm_state *x, struct flowi *fl,
 298                                                struct xfrm_tmpl *tmpl,
 299                                                xfrm_address_t *daddr, xfrm_address_t *saddr);
 300        int                     (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
 301        int                     (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
 302        int                     (*output)(struct sk_buff *skb);
 303        int                     (*extract_input)(struct xfrm_state *x,
 304                                                 struct sk_buff *skb);
 305        int                     (*extract_output)(struct xfrm_state *x,
 306                                                  struct sk_buff *skb);
 307        int                     (*transport_finish)(struct sk_buff *skb,
 308                                                    int async);
 309};
 310
 311extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
 312extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
 313
 314extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
 315
 316struct xfrm_type
 317{
 318        char                    *description;
 319        struct module           *owner;
 320        __u8                    proto;
 321        __u8                    flags;
 322#define XFRM_TYPE_NON_FRAGMENT  1
 323#define XFRM_TYPE_REPLAY_PROT   2
 324#define XFRM_TYPE_LOCAL_COADDR  4
 325#define XFRM_TYPE_REMOTE_COADDR 8
 326
 327        int                     (*init_state)(struct xfrm_state *x);
 328        void                    (*destructor)(struct xfrm_state *);
 329        int                     (*input)(struct xfrm_state *, struct sk_buff *skb);
 330        int                     (*output)(struct xfrm_state *, struct sk_buff *pskb);
 331        int                     (*reject)(struct xfrm_state *, struct sk_buff *, struct flowi *);
 332        int                     (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
 333        /* Estimate maximal size of result of transformation of a dgram */
 334        u32                     (*get_mtu)(struct xfrm_state *, int size);
 335};
 336
 337extern int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
 338extern int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
 339
 340struct xfrm_mode {
 341        /*
 342         * Remove encapsulation header.
 343         *
 344         * The IP header will be moved over the top of the encapsulation
 345         * header.
 346         *
 347         * On entry, the transport header shall point to where the IP header
 348         * should be and the network header shall be set to where the IP
 349         * header currently is.  skb->data shall point to the start of the
 350         * payload.
 351         */
 352        int (*input2)(struct xfrm_state *x, struct sk_buff *skb);
 353
 354        /*
 355         * This is the actual input entry point.
 356         *
 357         * For transport mode and equivalent this would be identical to
 358         * input2 (which does not need to be set).  While tunnel mode
 359         * and equivalent would set this to the tunnel encapsulation function
 360         * xfrm4_prepare_input that would in turn call input2.
 361         */
 362        int (*input)(struct xfrm_state *x, struct sk_buff *skb);
 363
 364        /*
 365         * Add encapsulation header.
 366         *
 367         * On exit, the transport header will be set to the start of the
 368         * encapsulation header to be filled in by x->type->output and
 369         * the mac header will be set to the nextheader (protocol for
 370         * IPv4) field of the extension header directly preceding the
 371         * encapsulation header, or in its absence, that of the top IP
 372         * header.  The value of the network header will always point
 373         * to the top IP header while skb->data will point to the payload.
 374         */
 375        int (*output2)(struct xfrm_state *x,struct sk_buff *skb);
 376
 377        /*
 378         * This is the actual output entry point.
 379         *
 380         * For transport mode and equivalent this would be identical to
 381         * output2 (which does not need to be set).  While tunnel mode
 382         * and equivalent would set this to a tunnel encapsulation function
 383         * (xfrm4_prepare_output or xfrm6_prepare_output) that would in turn
 384         * call output2.
 385         */
 386        int (*output)(struct xfrm_state *x, struct sk_buff *skb);
 387
 388        struct xfrm_state_afinfo *afinfo;
 389        struct module *owner;
 390        unsigned int encap;
 391        int flags;
 392};
 393
 394/* Flags for xfrm_mode. */
 395enum {
 396        XFRM_MODE_FLAG_TUNNEL = 1,
 397};
 398
 399extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
 400extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
 401
 402static inline int xfrm_af2proto(unsigned int family)
 403{
 404        switch(family) {
 405        case AF_INET:
 406                return IPPROTO_IPIP;
 407        case AF_INET6:
 408                return IPPROTO_IPV6;
 409        default:
 410                return 0;
 411        }
 412}
 413
 414static inline struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
 415{
 416        if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
 417            (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
 418                return x->inner_mode;
 419        else
 420                return x->inner_mode_iaf;
 421}
 422
 423struct xfrm_tmpl
 424{
 425/* id in template is interpreted as:
 426 * daddr - destination of tunnel, may be zero for transport mode.
 427 * spi   - zero to acquire spi. Not zero if spi is static, then
 428 *         daddr must be fixed too.
 429 * proto - AH/ESP/IPCOMP
 430 */
 431        struct xfrm_id          id;
 432
 433/* Source address of tunnel. Ignored, if it is not a tunnel. */
 434        xfrm_address_t          saddr;
 435
 436        unsigned short          encap_family;
 437
 438        __u32                   reqid;
 439
 440/* Mode: transport, tunnel etc. */
 441        __u8                    mode;
 442
 443/* Sharing mode: unique, this session only, this user only etc. */
 444        __u8                    share;
 445
 446/* May skip this transfomration if no SA is found */
 447        __u8                    optional;
 448
 449/* Skip aalgos/ealgos/calgos checks. */
 450        __u8                    allalgs;
 451
 452/* Bit mask of algos allowed for acquisition */
 453        __u32                   aalgos;
 454        __u32                   ealgos;
 455        __u32                   calgos;
 456};
 457
 458#define XFRM_MAX_DEPTH          6
 459
 460struct xfrm_policy_walk_entry {
 461        struct list_head        all;
 462        u8                      dead;
 463};
 464
 465struct xfrm_policy_walk {
 466        struct xfrm_policy_walk_entry walk;
 467        u8 type;
 468        u32 seq;
 469};
 470
 471struct xfrm_policy
 472{
 473#ifdef CONFIG_NET_NS
 474        struct net              *xp_net;
 475#endif
 476        struct hlist_node       bydst;
 477        struct hlist_node       byidx;
 478
 479        /* This lock only affects elements except for entry. */
 480        rwlock_t                lock;
 481        atomic_t                refcnt;
 482        struct timer_list       timer;
 483
 484        u32                     priority;
 485        u32                     index;
 486        struct xfrm_selector    selector;
 487        struct xfrm_lifetime_cfg lft;
 488        struct xfrm_lifetime_cur curlft;
 489        struct dst_entry       *bundles;
 490        struct xfrm_policy_walk_entry walk;
 491        u8                      type;
 492        u8                      action;
 493        u8                      flags;
 494        u8                      xfrm_nr;
 495        u16                     family;
 496        struct xfrm_sec_ctx     *security;
 497        struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
 498};
 499
 500static inline struct net *xp_net(struct xfrm_policy *xp)
 501{
 502        return read_pnet(&xp->xp_net);
 503}
 504
 505struct xfrm_kmaddress {
 506        xfrm_address_t          local;
 507        xfrm_address_t          remote;
 508        u32                     reserved;
 509        u16                     family;
 510};
 511
 512struct xfrm_migrate {
 513        xfrm_address_t          old_daddr;
 514        xfrm_address_t          old_saddr;
 515        xfrm_address_t          new_daddr;
 516        xfrm_address_t          new_saddr;
 517        u8                      proto;
 518        u8                      mode;
 519        u16                     reserved;
 520        u32                     reqid;
 521        u16                     old_family;
 522        u16                     new_family;
 523};
 524
 525#define XFRM_KM_TIMEOUT                30
 526/* which seqno */
 527#define XFRM_REPLAY_SEQ         1
 528#define XFRM_REPLAY_OSEQ        2
 529#define XFRM_REPLAY_SEQ_MASK    3
 530/* what happened */
 531#define XFRM_REPLAY_UPDATE      XFRM_AE_CR
 532#define XFRM_REPLAY_TIMEOUT     XFRM_AE_CE
 533
 534/* default aevent timeout in units of 100ms */
 535#define XFRM_AE_ETIME                   10
 536/* Async Event timer multiplier */
 537#define XFRM_AE_ETH_M                   10
 538/* default seq threshold size */
 539#define XFRM_AE_SEQT_SIZE               2
 540
 541struct xfrm_mgr
 542{
 543        struct list_head        list;
 544        char                    *id;
 545        int                     (*notify)(struct xfrm_state *x, struct km_event *c);
 546        int                     (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir);
 547        struct xfrm_policy      *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
 548        int                     (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
 549        int                     (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c);
 550        int                     (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
 551        int                     (*migrate)(struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles, struct xfrm_kmaddress *k);
 552};
 553
 554extern int xfrm_register_km(struct xfrm_mgr *km);
 555extern int xfrm_unregister_km(struct xfrm_mgr *km);
 556
 557/*
 558 * This structure is used for the duration where packets are being
 559 * transformed by IPsec.  As soon as the packet leaves IPsec the
 560 * area beyond the generic IP part may be overwritten.
 561 */
 562struct xfrm_skb_cb {
 563        union {
 564                struct inet_skb_parm h4;
 565                struct inet6_skb_parm h6;
 566        } header;
 567
 568        /* Sequence number for replay protection. */
 569        union {
 570                u64 output;
 571                __be32 input;
 572        } seq;
 573};
 574
 575#define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
 576
 577/*
 578 * This structure is used by the afinfo prepare_input/prepare_output functions
 579 * to transmit header information to the mode input/output functions.
 580 */
 581struct xfrm_mode_skb_cb {
 582        union {
 583                struct inet_skb_parm h4;
 584                struct inet6_skb_parm h6;
 585        } header;
 586
 587        /* Copied from header for IPv4, always set to zero and DF for IPv6. */
 588        __be16 id;
 589        __be16 frag_off;
 590
 591        /* IP header length (excluding options or extension headers). */
 592        u8 ihl;
 593
 594        /* TOS for IPv4, class for IPv6. */
 595        u8 tos;
 596
 597        /* TTL for IPv4, hop limitfor IPv6. */
 598        u8 ttl;
 599
 600        /* Protocol for IPv4, NH for IPv6. */
 601        u8 protocol;
 602
 603        /* Option length for IPv4, zero for IPv6. */
 604        u8 optlen;
 605
 606        /* Used by IPv6 only, zero for IPv4. */
 607        u8 flow_lbl[3];
 608};
 609
 610#define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
 611
 612/*
 613 * This structure is used by the input processing to locate the SPI and
 614 * related information.
 615 */
 616struct xfrm_spi_skb_cb {
 617        union {
 618                struct inet_skb_parm h4;
 619                struct inet6_skb_parm h6;
 620        } header;
 621
 622        unsigned int daddroff;
 623        unsigned int family;
 624};
 625
 626#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
 627
 628/* Audit Information */
 629struct xfrm_audit
 630{
 631        u32     secid;
 632        uid_t   loginuid;
 633        u32     sessionid;
 634};
 635
 636#ifdef CONFIG_AUDITSYSCALL
 637static inline struct audit_buffer *xfrm_audit_start(const char *op)
 638{
 639        struct audit_buffer *audit_buf = NULL;
 640
 641        if (audit_enabled == 0)
 642                return NULL;
 643        audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
 644                                    AUDIT_MAC_IPSEC_EVENT);
 645        if (audit_buf == NULL)
 646                return NULL;
 647        audit_log_format(audit_buf, "op=%s", op);
 648        return audit_buf;
 649}
 650
 651static inline void xfrm_audit_helper_usrinfo(uid_t auid, u32 ses, u32 secid,
 652                                             struct audit_buffer *audit_buf)
 653{
 654        char *secctx;
 655        u32 secctx_len;
 656
 657        audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
 658        if (secid != 0 &&
 659            security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
 660                audit_log_format(audit_buf, " subj=%s", secctx);
 661                security_release_secctx(secctx, secctx_len);
 662        } else
 663                audit_log_task_context(audit_buf);
 664}
 665
 666extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 667                                  u32 auid, u32 ses, u32 secid);
 668extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 669                                  u32 auid, u32 ses, u32 secid);
 670extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
 671                                 u32 auid, u32 ses, u32 secid);
 672extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 673                                    u32 auid, u32 ses, u32 secid);
 674extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 675                                             struct sk_buff *skb);
 676extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
 677extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 678                                      __be32 net_spi, __be32 net_seq);
 679extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
 680                                     struct sk_buff *skb, u8 proto);
 681#else
 682
 683static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 684                                  u32 auid, u32 ses, u32 secid)
 685{
 686}
 687
 688static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 689                                  u32 auid, u32 ses, u32 secid)
 690{
 691}
 692
 693static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
 694                                 u32 auid, u32 ses, u32 secid)
 695{
 696}
 697
 698static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 699                                    u32 auid, u32 ses, u32 secid)
 700{
 701}
 702
 703static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 704                                             struct sk_buff *skb)
 705{
 706}
 707
 708static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
 709                                      u16 family)
 710{
 711}
 712
 713static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 714                                      __be32 net_spi, __be32 net_seq)
 715{
 716}
 717
 718static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
 719                                     struct sk_buff *skb, u8 proto)
 720{
 721}
 722#endif /* CONFIG_AUDITSYSCALL */
 723
 724static inline void xfrm_pol_hold(struct xfrm_policy *policy)
 725{
 726        if (likely(policy != NULL))
 727                atomic_inc(&policy->refcnt);
 728}
 729
 730extern void xfrm_policy_destroy(struct xfrm_policy *policy);
 731
 732static inline void xfrm_pol_put(struct xfrm_policy *policy)
 733{
 734        if (atomic_dec_and_test(&policy->refcnt))
 735                xfrm_policy_destroy(policy);
 736}
 737
 738#ifdef CONFIG_XFRM_SUB_POLICY
 739static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
 740{
 741        int i;
 742        for (i = npols - 1; i >= 0; --i)
 743                xfrm_pol_put(pols[i]);
 744}
 745#else
 746static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
 747{
 748        xfrm_pol_put(pols[0]);
 749}
 750#endif
 751
 752extern void __xfrm_state_destroy(struct xfrm_state *);
 753
 754static inline void __xfrm_state_put(struct xfrm_state *x)
 755{
 756        atomic_dec(&x->refcnt);
 757}
 758
 759static inline void xfrm_state_put(struct xfrm_state *x)
 760{
 761        if (atomic_dec_and_test(&x->refcnt))
 762                __xfrm_state_destroy(x);
 763}
 764
 765static inline void xfrm_state_hold(struct xfrm_state *x)
 766{
 767        atomic_inc(&x->refcnt);
 768}
 769
 770static __inline__ int addr_match(void *token1, void *token2, int prefixlen)
 771{
 772        __be32 *a1 = token1;
 773        __be32 *a2 = token2;
 774        int pdw;
 775        int pbi;
 776
 777        pdw = prefixlen >> 5;     /* num of whole __u32 in prefix */
 778        pbi = prefixlen &  0x1f;  /* num of bits in incomplete u32 in prefix */
 779
 780        if (pdw)
 781                if (memcmp(a1, a2, pdw << 2))
 782                        return 0;
 783
 784        if (pbi) {
 785                __be32 mask;
 786
 787                mask = htonl((0xffffffff) << (32 - pbi));
 788
 789                if ((a1[pdw] ^ a2[pdw]) & mask)
 790                        return 0;
 791        }
 792
 793        return 1;
 794}
 795
 796static __inline__
 797__be16 xfrm_flowi_sport(struct flowi *fl)
 798{
 799        __be16 port;
 800        switch(fl->proto) {
 801        case IPPROTO_TCP:
 802        case IPPROTO_UDP:
 803        case IPPROTO_UDPLITE:
 804        case IPPROTO_SCTP:
 805                port = fl->fl_ip_sport;
 806                break;
 807        case IPPROTO_ICMP:
 808        case IPPROTO_ICMPV6:
 809                port = htons(fl->fl_icmp_type);
 810                break;
 811        case IPPROTO_MH:
 812                port = htons(fl->fl_mh_type);
 813                break;
 814        default:
 815                port = 0;       /*XXX*/
 816        }
 817        return port;
 818}
 819
 820static __inline__
 821__be16 xfrm_flowi_dport(struct flowi *fl)
 822{
 823        __be16 port;
 824        switch(fl->proto) {
 825        case IPPROTO_TCP:
 826        case IPPROTO_UDP:
 827        case IPPROTO_UDPLITE:
 828        case IPPROTO_SCTP:
 829                port = fl->fl_ip_dport;
 830                break;
 831        case IPPROTO_ICMP:
 832        case IPPROTO_ICMPV6:
 833                port = htons(fl->fl_icmp_code);
 834                break;
 835        default:
 836                port = 0;       /*XXX*/
 837        }
 838        return port;
 839}
 840
 841extern int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
 842                               unsigned short family);
 843
 844#ifdef CONFIG_SECURITY_NETWORK_XFRM
 845/*      If neither has a context --> match
 846 *      Otherwise, both must have a context and the sids, doi, alg must match
 847 */
 848static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 849{
 850        return ((!s1 && !s2) ||
 851                (s1 && s2 &&
 852                 (s1->ctx_sid == s2->ctx_sid) &&
 853                 (s1->ctx_doi == s2->ctx_doi) &&
 854                 (s1->ctx_alg == s2->ctx_alg)));
 855}
 856#else
 857static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 858{
 859        return 1;
 860}
 861#endif
 862
 863/* A struct encoding bundle of transformations to apply to some set of flow.
 864 *
 865 * dst->child points to the next element of bundle.
 866 * dst->xfrm  points to an instanse of transformer.
 867 *
 868 * Due to unfortunate limitations of current routing cache, which we
 869 * have no time to fix, it mirrors struct rtable and bound to the same
 870 * routing key, including saddr,daddr. However, we can have many of
 871 * bundles differing by session id. All the bundles grow from a parent
 872 * policy rule.
 873 */
 874struct xfrm_dst
 875{
 876        union {
 877                struct dst_entry        dst;
 878                struct rtable           rt;
 879                struct rt6_info         rt6;
 880        } u;
 881        struct dst_entry *route;
 882#ifdef CONFIG_XFRM_SUB_POLICY
 883        struct flowi *origin;
 884        struct xfrm_selector *partner;
 885#endif
 886        u32 genid;
 887        u32 route_mtu_cached;
 888        u32 child_mtu_cached;
 889        u32 route_cookie;
 890        u32 path_cookie;
 891};
 892
 893#ifdef CONFIG_XFRM
 894static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
 895{
 896        dst_release(xdst->route);
 897        if (likely(xdst->u.dst.xfrm))
 898                xfrm_state_put(xdst->u.dst.xfrm);
 899#ifdef CONFIG_XFRM_SUB_POLICY
 900        kfree(xdst->origin);
 901        xdst->origin = NULL;
 902        kfree(xdst->partner);
 903        xdst->partner = NULL;
 904#endif
 905}
 906#endif
 907
 908extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
 909
 910struct sec_path
 911{
 912        atomic_t                refcnt;
 913        int                     len;
 914        struct xfrm_state       *xvec[XFRM_MAX_DEPTH];
 915};
 916
 917static inline struct sec_path *
 918secpath_get(struct sec_path *sp)
 919{
 920        if (sp)
 921                atomic_inc(&sp->refcnt);
 922        return sp;
 923}
 924
 925extern void __secpath_destroy(struct sec_path *sp);
 926
 927static inline void
 928secpath_put(struct sec_path *sp)
 929{
 930        if (sp && atomic_dec_and_test(&sp->refcnt))
 931                __secpath_destroy(sp);
 932}
 933
 934extern struct sec_path *secpath_dup(struct sec_path *src);
 935
 936static inline void
 937secpath_reset(struct sk_buff *skb)
 938{
 939#ifdef CONFIG_XFRM
 940        secpath_put(skb->sp);
 941        skb->sp = NULL;
 942#endif
 943}
 944
 945static inline int
 946xfrm_addr_any(xfrm_address_t *addr, unsigned short family)
 947{
 948        switch (family) {
 949        case AF_INET:
 950                return addr->a4 == 0;
 951        case AF_INET6:
 952                return ipv6_addr_any((struct in6_addr *)&addr->a6);
 953        }
 954        return 0;
 955}
 956
 957static inline int
 958__xfrm4_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
 959{
 960        return  (tmpl->saddr.a4 &&
 961                 tmpl->saddr.a4 != x->props.saddr.a4);
 962}
 963
 964static inline int
 965__xfrm6_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
 966{
 967        return  (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
 968                 ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
 969}
 970
 971static inline int
 972xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family)
 973{
 974        switch (family) {
 975        case AF_INET:
 976                return __xfrm4_state_addr_cmp(tmpl, x);
 977        case AF_INET6:
 978                return __xfrm6_state_addr_cmp(tmpl, x);
 979        }
 980        return !0;
 981}
 982
 983#ifdef CONFIG_XFRM
 984extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
 985
 986static inline int __xfrm_policy_check2(struct sock *sk, int dir,
 987                                       struct sk_buff *skb,
 988                                       unsigned int family, int reverse)
 989{
 990        struct net *net = dev_net(skb->dev);
 991        int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
 992
 993        if (sk && sk->sk_policy[XFRM_POLICY_IN])
 994                return __xfrm_policy_check(sk, ndir, skb, family);
 995
 996        return  (!net->xfrm.policy_count[dir] && !skb->sp) ||
 997                (skb_dst(skb)->flags & DST_NOPOLICY) ||
 998                __xfrm_policy_check(sk, ndir, skb, family);
 999}
1000
1001static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1002{
1003        return __xfrm_policy_check2(sk, dir, skb, family, 0);
1004}
1005
1006static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1007{
1008        return xfrm_policy_check(sk, dir, skb, AF_INET);
1009}
1010
1011static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1012{
1013        return xfrm_policy_check(sk, dir, skb, AF_INET6);
1014}
1015
1016static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1017                                             struct sk_buff *skb)
1018{
1019        return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1020}
1021
1022static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1023                                             struct sk_buff *skb)
1024{
1025        return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1026}
1027
1028extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1029                                 unsigned int family, int reverse);
1030
1031static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1032                                      unsigned int family)
1033{
1034        return __xfrm_decode_session(skb, fl, family, 0);
1035}
1036
1037static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1038                                              struct flowi *fl,
1039                                              unsigned int family)
1040{
1041        return __xfrm_decode_session(skb, fl, family, 1);
1042}
1043
1044extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1045
1046static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1047{
1048        struct net *net = dev_net(skb->dev);
1049
1050        return  !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
1051                (skb_dst(skb)->flags & DST_NOXFRM) ||
1052                __xfrm_route_forward(skb, family);
1053}
1054
1055static inline int xfrm4_route_forward(struct sk_buff *skb)
1056{
1057        return xfrm_route_forward(skb, AF_INET);
1058}
1059
1060static inline int xfrm6_route_forward(struct sk_buff *skb)
1061{
1062        return xfrm_route_forward(skb, AF_INET6);
1063}
1064
1065extern int __xfrm_sk_clone_policy(struct sock *sk);
1066
1067static inline int xfrm_sk_clone_policy(struct sock *sk)
1068{
1069        if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
1070                return __xfrm_sk_clone_policy(sk);
1071        return 0;
1072}
1073
1074extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1075
1076static inline void xfrm_sk_free_policy(struct sock *sk)
1077{
1078        if (unlikely(sk->sk_policy[0] != NULL)) {
1079                xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
1080                sk->sk_policy[0] = NULL;
1081        }
1082        if (unlikely(sk->sk_policy[1] != NULL)) {
1083                xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
1084                sk->sk_policy[1] = NULL;
1085        }
1086}
1087
1088#else
1089
1090static inline void xfrm_sk_free_policy(struct sock *sk) {}
1091static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
1092static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }  
1093static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; } 
1094static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1095{ 
1096        return 1; 
1097} 
1098static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1099{
1100        return 1;
1101}
1102static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1103{
1104        return 1;
1105}
1106static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1107                                              struct flowi *fl,
1108                                              unsigned int family)
1109{
1110        return -ENOSYS;
1111}
1112static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1113                                             struct sk_buff *skb)
1114{
1115        return 1;
1116}
1117static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1118                                             struct sk_buff *skb)
1119{
1120        return 1;
1121}
1122#endif
1123
1124static __inline__
1125xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
1126{
1127        switch (family){
1128        case AF_INET:
1129                return (xfrm_address_t *)&fl->fl4_dst;
1130        case AF_INET6:
1131                return (xfrm_address_t *)&fl->fl6_dst;
1132        }
1133        return NULL;
1134}
1135
1136static __inline__
1137xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family)
1138{
1139        switch (family){
1140        case AF_INET:
1141                return (xfrm_address_t *)&fl->fl4_src;
1142        case AF_INET6:
1143                return (xfrm_address_t *)&fl->fl6_src;
1144        }
1145        return NULL;
1146}
1147
1148static __inline__
1149void xfrm_flowi_addr_get(struct flowi *fl,
1150                         xfrm_address_t *saddr, xfrm_address_t *daddr,
1151                         unsigned short family)
1152{
1153        switch(family) {
1154        case AF_INET:
1155                memcpy(&saddr->a4, &fl->fl4_src, sizeof(saddr->a4));
1156                memcpy(&daddr->a4, &fl->fl4_dst, sizeof(daddr->a4));
1157                break;
1158        case AF_INET6:
1159                ipv6_addr_copy((struct in6_addr *)&saddr->a6, &fl->fl6_src);
1160                ipv6_addr_copy((struct in6_addr *)&daddr->a6, &fl->fl6_dst);
1161                break;
1162        }
1163}
1164
1165static __inline__ int
1166__xfrm4_state_addr_check(struct xfrm_state *x,
1167                         xfrm_address_t *daddr, xfrm_address_t *saddr)
1168{
1169        if (daddr->a4 == x->id.daddr.a4 &&
1170            (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1171                return 1;
1172        return 0;
1173}
1174
1175static __inline__ int
1176__xfrm6_state_addr_check(struct xfrm_state *x,
1177                         xfrm_address_t *daddr, xfrm_address_t *saddr)
1178{
1179        if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1180            (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)|| 
1181             ipv6_addr_any((struct in6_addr *)saddr) || 
1182             ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1183                return 1;
1184        return 0;
1185}
1186
1187static __inline__ int
1188xfrm_state_addr_check(struct xfrm_state *x,
1189                      xfrm_address_t *daddr, xfrm_address_t *saddr,
1190                      unsigned short family)
1191{
1192        switch (family) {
1193        case AF_INET:
1194                return __xfrm4_state_addr_check(x, daddr, saddr);
1195        case AF_INET6:
1196                return __xfrm6_state_addr_check(x, daddr, saddr);
1197        }
1198        return 0;
1199}
1200
1201static __inline__ int
1202xfrm_state_addr_flow_check(struct xfrm_state *x, struct flowi *fl,
1203                           unsigned short family)
1204{
1205        switch (family) {
1206        case AF_INET:
1207                return __xfrm4_state_addr_check(x,
1208                                                (xfrm_address_t *)&fl->fl4_dst,
1209                                                (xfrm_address_t *)&fl->fl4_src);
1210        case AF_INET6:
1211                return __xfrm6_state_addr_check(x,
1212                                                (xfrm_address_t *)&fl->fl6_dst,
1213                                                (xfrm_address_t *)&fl->fl6_src);
1214        }
1215        return 0;
1216}
1217
1218static inline int xfrm_state_kern(struct xfrm_state *x)
1219{
1220        return atomic_read(&x->tunnel_users);
1221}
1222
1223static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1224{
1225        return (!userproto || proto == userproto ||
1226                (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1227                                                  proto == IPPROTO_ESP ||
1228                                                  proto == IPPROTO_COMP)));
1229}
1230
1231/*
1232 * xfrm algorithm information
1233 */
1234struct xfrm_algo_aead_info {
1235        u16 icv_truncbits;
1236};
1237
1238struct xfrm_algo_auth_info {
1239        u16 icv_truncbits;
1240        u16 icv_fullbits;
1241};
1242
1243struct xfrm_algo_encr_info {
1244        u16 blockbits;
1245        u16 defkeybits;
1246};
1247
1248struct xfrm_algo_comp_info {
1249        u16 threshold;
1250};
1251
1252struct xfrm_algo_desc {
1253        char *name;
1254        char *compat;
1255        u8 available:1;
1256        union {
1257                struct xfrm_algo_aead_info aead;
1258                struct xfrm_algo_auth_info auth;
1259                struct xfrm_algo_encr_info encr;
1260                struct xfrm_algo_comp_info comp;
1261        } uinfo;
1262        struct sadb_alg desc;
1263};
1264
1265/* XFRM tunnel handlers.  */
1266struct xfrm_tunnel {
1267        int (*handler)(struct sk_buff *skb);
1268        int (*err_handler)(struct sk_buff *skb, __u32 info);
1269
1270        struct xfrm_tunnel *next;
1271        int priority;
1272};
1273
1274struct xfrm6_tunnel {
1275        int (*handler)(struct sk_buff *skb);
1276        int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1277                           u8 type, u8 code, int offset, __be32 info);
1278        struct xfrm6_tunnel *next;
1279        int priority;
1280};
1281
1282extern void xfrm_init(void);
1283extern void xfrm4_init(int rt_hash_size);
1284extern int xfrm_state_init(struct net *net);
1285extern void xfrm_state_fini(struct net *net);
1286extern void xfrm4_state_init(void);
1287#ifdef CONFIG_XFRM
1288extern int xfrm6_init(void);
1289extern void xfrm6_fini(void);
1290extern int xfrm6_state_init(void);
1291extern void xfrm6_state_fini(void);
1292#else
1293static inline int xfrm6_init(void)
1294{
1295        return 0;
1296}
1297static inline void xfrm6_fini(void)
1298{
1299        ;
1300}
1301#endif
1302
1303#ifdef CONFIG_XFRM_STATISTICS
1304extern int xfrm_proc_init(struct net *net);
1305extern void xfrm_proc_fini(struct net *net);
1306#endif
1307
1308extern int xfrm_sysctl_init(struct net *net);
1309#ifdef CONFIG_SYSCTL
1310extern void xfrm_sysctl_fini(struct net *net);
1311#else
1312static inline void xfrm_sysctl_fini(struct net *net)
1313{
1314}
1315#endif
1316
1317extern void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto);
1318extern int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1319                           int (*func)(struct xfrm_state *, int, void*), void *);
1320extern void xfrm_state_walk_done(struct xfrm_state_walk *walk);
1321extern struct xfrm_state *xfrm_state_alloc(struct net *net);
1322extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 
1323                                          struct flowi *fl, struct xfrm_tmpl *tmpl,
1324                                          struct xfrm_policy *pol, int *err,
1325                                          unsigned short family);
1326extern struct xfrm_state * xfrm_stateonly_find(struct net *net,
1327                                               xfrm_address_t *daddr,
1328                                               xfrm_address_t *saddr,
1329                                               unsigned short family,
1330                                               u8 mode, u8 proto, u32 reqid);
1331extern int xfrm_state_check_expire(struct xfrm_state *x);
1332extern void xfrm_state_insert(struct xfrm_state *x);
1333extern int xfrm_state_add(struct xfrm_state *x);
1334extern int xfrm_state_update(struct xfrm_state *x);
1335extern struct xfrm_state *xfrm_state_lookup(struct net *net, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family);
1336extern struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family);
1337#ifdef CONFIG_XFRM_SUB_POLICY
1338extern int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1339                          int n, unsigned short family);
1340extern int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1341                           int n, unsigned short family);
1342#else
1343static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1344                                 int n, unsigned short family)
1345{
1346        return -ENOSYS;
1347}
1348
1349static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1350                                  int n, unsigned short family)
1351{
1352        return -ENOSYS;
1353}
1354#endif
1355
1356struct xfrmk_sadinfo {
1357        u32 sadhcnt; /* current hash bkts */
1358        u32 sadhmcnt; /* max allowed hash bkts */
1359        u32 sadcnt; /* current running count */
1360};
1361
1362struct xfrmk_spdinfo {
1363        u32 incnt;
1364        u32 outcnt;
1365        u32 fwdcnt;
1366        u32 inscnt;
1367        u32 outscnt;
1368        u32 fwdscnt;
1369        u32 spdhcnt;
1370        u32 spdhmcnt;
1371};
1372
1373extern struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 seq);
1374extern int xfrm_state_delete(struct xfrm_state *x);
1375extern int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info);
1376extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si);
1377extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si);
1378extern int xfrm_replay_check(struct xfrm_state *x,
1379                             struct sk_buff *skb, __be32 seq);
1380extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);
1381extern void xfrm_replay_notify(struct xfrm_state *x, int event);
1382extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
1383extern int xfrm_init_state(struct xfrm_state *x);
1384extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
1385extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi,
1386                      int encap_type);
1387extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1388extern int xfrm_output_resume(struct sk_buff *skb, int err);
1389extern int xfrm_output(struct sk_buff *skb);
1390extern int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1391extern int xfrm4_extract_header(struct sk_buff *skb);
1392extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1393extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1394                           int encap_type);
1395extern int xfrm4_transport_finish(struct sk_buff *skb, int async);
1396extern int xfrm4_rcv(struct sk_buff *skb);
1397
1398static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1399{
1400        return xfrm4_rcv_encap(skb, nexthdr, spi, 0);
1401}
1402
1403extern int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1404extern int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1405extern int xfrm4_output(struct sk_buff *skb);
1406extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1407extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1408extern int xfrm6_extract_header(struct sk_buff *skb);
1409extern int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1410extern int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
1411extern int xfrm6_transport_finish(struct sk_buff *skb, int async);
1412extern int xfrm6_rcv(struct sk_buff *skb);
1413extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1414                            xfrm_address_t *saddr, u8 proto);
1415extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1416extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1417extern __be32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);
1418extern void xfrm6_tunnel_free_spi(xfrm_address_t *saddr);
1419extern __be32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr);
1420extern int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1421extern int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1422extern int xfrm6_output(struct sk_buff *skb);
1423extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1424                                 u8 **prevhdr);
1425
1426#ifdef CONFIG_XFRM
1427extern int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1428extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
1429#else
1430static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1431{
1432        return -ENOPROTOOPT;
1433} 
1434
1435static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1436{
1437        /* should not happen */
1438        kfree_skb(skb);
1439        return 0;
1440}
1441#endif
1442
1443struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1444
1445extern void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1446extern int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1447        int (*func)(struct xfrm_policy *, int, int, void*), void *);
1448extern void xfrm_policy_walk_done(struct xfrm_policy_walk *walk);
1449int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1450struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u8 type, int dir,
1451                                          struct xfrm_selector *sel,
1452                                          struct xfrm_sec_ctx *ctx, int delete,
1453                                          int *err);
1454struct xfrm_policy *xfrm_policy_byid(struct net *net, u8, int dir, u32 id, int delete, int *err);
1455int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info);
1456u32 xfrm_get_acqseq(void);
1457extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1458struct xfrm_state * xfrm_find_acq(struct net *net, u8 mode, u32 reqid, u8 proto,
1459                                  xfrm_address_t *daddr, xfrm_address_t *saddr,
1460                                  int create, unsigned short family);
1461extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1462extern int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst,
1463                          struct flowi *fl, int family, int strict);
1464
1465#ifdef CONFIG_XFRM_MIGRATE
1466extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1467                      struct xfrm_migrate *m, int num_bundles,
1468                      struct xfrm_kmaddress *k);
1469extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m);
1470extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1471                                              struct xfrm_migrate *m);
1472extern int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1473                        struct xfrm_migrate *m, int num_bundles,
1474                        struct xfrm_kmaddress *k);
1475#endif
1476
1477extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1478extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid);
1479extern int km_report(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
1480
1481extern void xfrm_input_init(void);
1482extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1483
1484extern void xfrm_probe_algs(void);
1485extern int xfrm_count_auth_supported(void);
1486extern int xfrm_count_enc_supported(void);
1487extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1488extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1489extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1490extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1491extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1492extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe);
1493extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe);
1494extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe);
1495extern struct xfrm_algo_desc *xfrm_aead_get_byname(char *name, int icv_len,
1496                                                   int probe);
1497
1498struct hash_desc;
1499struct scatterlist;
1500typedef int (icv_update_fn_t)(struct hash_desc *, struct scatterlist *,
1501                              unsigned int);
1502
1503extern int skb_icv_walk(const struct sk_buff *skb, struct hash_desc *tfm,
1504                        int offset, int len, icv_update_fn_t icv_update);
1505
1506static inline int xfrm_addr_cmp(xfrm_address_t *a, xfrm_address_t *b,
1507                                int family)
1508{
1509        switch (family) {
1510        default:
1511        case AF_INET:
1512                return (__force __u32)a->a4 - (__force __u32)b->a4;
1513        case AF_INET6:
1514                return ipv6_addr_cmp((struct in6_addr *)a,
1515                                     (struct in6_addr *)b);
1516        }
1517}
1518
1519static inline int xfrm_policy_id2dir(u32 index)
1520{
1521        return index & 7;
1522}
1523
1524#ifdef CONFIG_XFRM
1525static inline int xfrm_aevent_is_on(struct net *net)
1526{
1527        struct sock *nlsk;
1528        int ret = 0;
1529
1530        rcu_read_lock();
1531        nlsk = rcu_dereference(net->xfrm.nlsk);
1532        if (nlsk)
1533                ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1534        rcu_read_unlock();
1535        return ret;
1536}
1537#endif
1538
1539static inline int xfrm_alg_len(struct xfrm_algo *alg)
1540{
1541        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1542}
1543
1544#ifdef CONFIG_XFRM_MIGRATE
1545static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1546{
1547        return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1548}
1549
1550static inline void xfrm_states_put(struct xfrm_state **states, int n)
1551{
1552        int i;
1553        for (i = 0; i < n; i++)
1554                xfrm_state_put(*(states + i));
1555}
1556
1557static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1558{
1559        int i;
1560        for (i = 0; i < n; i++)
1561                xfrm_state_delete(*(states + i));
1562}
1563#endif
1564
1565#ifdef CONFIG_XFRM
1566static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1567{
1568        return skb->sp->xvec[skb->sp->len - 1];
1569}
1570#endif
1571
1572#endif  /* _NET_XFRM_H */
1573