1#ifndef _NET_XFRM_H
2#define _NET_XFRM_H
3
4#include <linux/compiler.h>
5#include <linux/xfrm.h>
6#include <linux/spinlock.h>
7#include <linux/list.h>
8#include <linux/skbuff.h>
9#include <linux/socket.h>
10#include <linux/pfkeyv2.h>
11#include <linux/ipsec.h>
12#include <linux/in6.h>
13#include <linux/mutex.h>
14#include <linux/audit.h>
15#include <linux/slab.h>
16
17#include <net/sock.h>
18#include <net/dst.h>
19#include <net/ip.h>
20#include <net/route.h>
21#include <net/ipv6.h>
22#include <net/ip6_fib.h>
23#include <net/flow.h>
24
25#include <linux/interrupt.h>
26
27#ifdef CONFIG_XFRM_STATISTICS
28#include <net/snmp.h>
29#endif
30
31#define XFRM_PROTO_ESP 50
32#define XFRM_PROTO_AH 51
33#define XFRM_PROTO_COMP 108
34#define XFRM_PROTO_IPIP 4
35#define XFRM_PROTO_IPV6 41
36#define XFRM_PROTO_ROUTING IPPROTO_ROUTING
37#define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS
38
39#define XFRM_ALIGN4(len) (((len) + 3) & ~3)
40#define XFRM_ALIGN8(len) (((len) + 7) & ~7)
41#define MODULE_ALIAS_XFRM_MODE(family, encap) \
42 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
43#define MODULE_ALIAS_XFRM_TYPE(family, proto) \
44 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
45
46#ifdef CONFIG_XFRM_STATISTICS
47#define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
48#define XFRM_INC_STATS_BH(net, field) SNMP_INC_STATS_BH((net)->mib.xfrm_statistics, field)
49#define XFRM_INC_STATS_USER(net, field) SNMP_INC_STATS_USER((net)-mib.xfrm_statistics, field)
50#else
51#define XFRM_INC_STATS(net, field) ((void)(net))
52#define XFRM_INC_STATS_BH(net, field) ((void)(net))
53#define XFRM_INC_STATS_USER(net, field) ((void)(net))
54#endif
55
56extern struct mutex xfrm_cfg_mutex;
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119struct xfrm_state_walk {
120 struct list_head all;
121 u8 state;
122 union {
123 u8 dying;
124 u8 proto;
125 };
126 u32 seq;
127};
128
129
130struct xfrm_state {
131#ifdef CONFIG_NET_NS
132 struct net *xs_net;
133#endif
134 union {
135 struct hlist_node gclist;
136 struct hlist_node bydst;
137 };
138 struct hlist_node bysrc;
139 struct hlist_node byspi;
140
141 atomic_t refcnt;
142 spinlock_t lock;
143
144 struct xfrm_id id;
145 struct xfrm_selector sel;
146 struct xfrm_mark mark;
147 u32 tfcpad;
148
149 u32 genid;
150
151
152 struct xfrm_state_walk km;
153
154
155 struct {
156 u32 reqid;
157 u8 mode;
158 u8 replay_window;
159 u8 aalgo, ealgo, calgo;
160 u8 flags;
161 u16 family;
162 xfrm_address_t saddr;
163 int header_len;
164 int trailer_len;
165 u32 extra_flags;
166 } props;
167
168 struct xfrm_lifetime_cfg lft;
169
170
171 struct xfrm_algo_auth *aalg;
172 struct xfrm_algo *ealg;
173 struct xfrm_algo *calg;
174 struct xfrm_algo_aead *aead;
175
176
177 struct xfrm_encap_tmpl *encap;
178
179
180 xfrm_address_t *coaddr;
181
182
183 struct xfrm_state *tunnel;
184
185
186 atomic_t tunnel_users;
187
188
189 struct xfrm_replay_state replay;
190 struct xfrm_replay_state_esn *replay_esn;
191
192
193 struct xfrm_replay_state preplay;
194 struct xfrm_replay_state_esn *preplay_esn;
195
196
197 struct xfrm_replay *repl;
198
199
200
201
202 u32 xflags;
203
204
205 u32 replay_maxage;
206 u32 replay_maxdiff;
207
208
209 struct timer_list rtimer;
210
211
212 struct xfrm_stats stats;
213
214 struct xfrm_lifetime_cur curlft;
215 struct tasklet_hrtimer mtimer;
216
217
218 long saved_tmo;
219
220
221 unsigned long lastused;
222
223
224
225 const struct xfrm_type *type;
226 struct xfrm_mode *inner_mode;
227 struct xfrm_mode *inner_mode_iaf;
228 struct xfrm_mode *outer_mode;
229
230
231 struct xfrm_sec_ctx *security;
232
233
234
235 void *data;
236};
237
238static inline struct net *xs_net(struct xfrm_state *x)
239{
240 return read_pnet(&x->xs_net);
241}
242
243
244#define XFRM_TIME_DEFER 1
245#define XFRM_SOFT_EXPIRE 2
246
247enum {
248 XFRM_STATE_VOID,
249 XFRM_STATE_ACQ,
250 XFRM_STATE_VALID,
251 XFRM_STATE_ERROR,
252 XFRM_STATE_EXPIRED,
253 XFRM_STATE_DEAD
254};
255
256
257struct km_event {
258 union {
259 u32 hard;
260 u32 proto;
261 u32 byid;
262 u32 aevent;
263 u32 type;
264 } data;
265
266 u32 seq;
267 u32 portid;
268 u32 event;
269 struct net *net;
270};
271
272struct xfrm_replay {
273 void (*advance)(struct xfrm_state *x, __be32 net_seq);
274 int (*check)(struct xfrm_state *x,
275 struct sk_buff *skb,
276 __be32 net_seq);
277 int (*recheck)(struct xfrm_state *x,
278 struct sk_buff *skb,
279 __be32 net_seq);
280 void (*notify)(struct xfrm_state *x, int event);
281 int (*overflow)(struct xfrm_state *x, struct sk_buff *skb);
282};
283
284struct net_device;
285struct xfrm_type;
286struct xfrm_dst;
287struct xfrm_policy_afinfo {
288 unsigned short family;
289 struct dst_ops *dst_ops;
290 void (*garbage_collect)(struct net *net);
291 struct dst_entry *(*dst_lookup)(struct net *net, int tos,
292 const xfrm_address_t *saddr,
293 const xfrm_address_t *daddr);
294 int (*get_saddr)(struct net *net, xfrm_address_t *saddr, xfrm_address_t *daddr);
295 void (*decode_session)(struct sk_buff *skb,
296 struct flowi *fl,
297 int reverse);
298 int (*get_tos)(const struct flowi *fl);
299 void (*init_dst)(struct net *net,
300 struct xfrm_dst *dst);
301 int (*init_path)(struct xfrm_dst *path,
302 struct dst_entry *dst,
303 int nfheader_len);
304 int (*fill_dst)(struct xfrm_dst *xdst,
305 struct net_device *dev,
306 const struct flowi *fl);
307 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
308};
309
310extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
311extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
312extern void km_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c);
313extern void km_state_notify(struct xfrm_state *x, const struct km_event *c);
314
315struct xfrm_tmpl;
316extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
317extern void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
318extern int __xfrm_state_delete(struct xfrm_state *x);
319
320struct xfrm_state_afinfo {
321 unsigned int family;
322 unsigned int proto;
323 __be16 eth_proto;
324 struct module *owner;
325 const struct xfrm_type *type_map[IPPROTO_MAX];
326 struct xfrm_mode *mode_map[XFRM_MODE_MAX];
327 int (*init_flags)(struct xfrm_state *x);
328 void (*init_tempsel)(struct xfrm_selector *sel,
329 const struct flowi *fl);
330 void (*init_temprop)(struct xfrm_state *x,
331 const struct xfrm_tmpl *tmpl,
332 const xfrm_address_t *daddr,
333 const xfrm_address_t *saddr);
334 int (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
335 int (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
336 int (*output)(struct sk_buff *skb);
337 int (*output_finish)(struct sk_buff *skb);
338 int (*extract_input)(struct xfrm_state *x,
339 struct sk_buff *skb);
340 int (*extract_output)(struct xfrm_state *x,
341 struct sk_buff *skb);
342 int (*transport_finish)(struct sk_buff *skb,
343 int async);
344 void (*local_error)(struct sk_buff *skb, u32 mtu);
345};
346
347extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
348extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
349extern struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
350extern void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
351
352extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
353
354struct xfrm_type {
355 char *description;
356 struct module *owner;
357 u8 proto;
358 u8 flags;
359#define XFRM_TYPE_NON_FRAGMENT 1
360#define XFRM_TYPE_REPLAY_PROT 2
361#define XFRM_TYPE_LOCAL_COADDR 4
362#define XFRM_TYPE_REMOTE_COADDR 8
363
364 int (*init_state)(struct xfrm_state *x);
365 void (*destructor)(struct xfrm_state *);
366 int (*input)(struct xfrm_state *, struct sk_buff *skb);
367 int (*output)(struct xfrm_state *, struct sk_buff *pskb);
368 int (*reject)(struct xfrm_state *, struct sk_buff *,
369 const struct flowi *);
370 int (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
371
372 u32 (*get_mtu)(struct xfrm_state *, int size);
373};
374
375extern int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
376extern int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
377
378struct xfrm_mode {
379
380
381
382
383
384
385
386
387
388
389
390 int (*input2)(struct xfrm_state *x, struct sk_buff *skb);
391
392
393
394
395
396
397
398
399
400 int (*input)(struct xfrm_state *x, struct sk_buff *skb);
401
402
403
404
405
406
407
408
409
410
411
412
413 int (*output2)(struct xfrm_state *x,struct sk_buff *skb);
414
415
416
417
418
419
420
421
422
423
424 int (*output)(struct xfrm_state *x, struct sk_buff *skb);
425
426 struct xfrm_state_afinfo *afinfo;
427 struct module *owner;
428 unsigned int encap;
429 int flags;
430};
431
432
433enum {
434 XFRM_MODE_FLAG_TUNNEL = 1,
435};
436
437extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
438extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
439
440static inline int xfrm_af2proto(unsigned int family)
441{
442 switch(family) {
443 case AF_INET:
444 return IPPROTO_IPIP;
445 case AF_INET6:
446 return IPPROTO_IPV6;
447 default:
448 return 0;
449 }
450}
451
452static inline struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
453{
454 if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
455 (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
456 return x->inner_mode;
457 else
458 return x->inner_mode_iaf;
459}
460
461struct xfrm_tmpl {
462
463
464
465
466
467
468 struct xfrm_id id;
469
470
471 xfrm_address_t saddr;
472
473 unsigned short encap_family;
474
475 u32 reqid;
476
477
478 u8 mode;
479
480
481 u8 share;
482
483
484 u8 optional;
485
486
487 u8 allalgs;
488
489
490 u32 aalgos;
491 u32 ealgos;
492 u32 calgos;
493};
494
495#define XFRM_MAX_DEPTH 6
496
497struct xfrm_policy_walk_entry {
498 struct list_head all;
499 u8 dead;
500};
501
502struct xfrm_policy_walk {
503 struct xfrm_policy_walk_entry walk;
504 u8 type;
505 u32 seq;
506};
507
508struct xfrm_policy_queue {
509 struct sk_buff_head hold_queue;
510 struct timer_list hold_timer;
511 unsigned long timeout;
512};
513
514struct xfrm_policy {
515#ifdef CONFIG_NET_NS
516 struct net *xp_net;
517#endif
518 struct hlist_node bydst;
519 struct hlist_node byidx;
520
521
522 rwlock_t lock;
523 atomic_t refcnt;
524 struct timer_list timer;
525
526 struct flow_cache_object flo;
527 atomic_t genid;
528 u32 priority;
529 u32 index;
530 struct xfrm_mark mark;
531 struct xfrm_selector selector;
532 struct xfrm_lifetime_cfg lft;
533 struct xfrm_lifetime_cur curlft;
534 struct xfrm_policy_walk_entry walk;
535 struct xfrm_policy_queue polq;
536 u8 type;
537 u8 action;
538 u8 flags;
539 u8 xfrm_nr;
540 u16 family;
541 struct xfrm_sec_ctx *security;
542 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
543};
544
545static inline struct net *xp_net(const struct xfrm_policy *xp)
546{
547 return read_pnet(&xp->xp_net);
548}
549
550struct xfrm_kmaddress {
551 xfrm_address_t local;
552 xfrm_address_t remote;
553 u32 reserved;
554 u16 family;
555};
556
557struct xfrm_migrate {
558 xfrm_address_t old_daddr;
559 xfrm_address_t old_saddr;
560 xfrm_address_t new_daddr;
561 xfrm_address_t new_saddr;
562 u8 proto;
563 u8 mode;
564 u16 reserved;
565 u32 reqid;
566 u16 old_family;
567 u16 new_family;
568};
569
570#define XFRM_KM_TIMEOUT 30
571
572#define XFRM_REPLAY_UPDATE XFRM_AE_CR
573#define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
574
575
576#define XFRM_AE_ETIME 10
577
578#define XFRM_AE_ETH_M 10
579
580#define XFRM_AE_SEQT_SIZE 2
581
582struct xfrm_mgr {
583 struct list_head list;
584 char *id;
585 int (*notify)(struct xfrm_state *x, const struct km_event *c);
586 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
587 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
588 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
589 int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
590 int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
591 int (*migrate)(const struct xfrm_selector *sel,
592 u8 dir, u8 type,
593 const struct xfrm_migrate *m,
594 int num_bundles,
595 const struct xfrm_kmaddress *k);
596};
597
598extern int xfrm_register_km(struct xfrm_mgr *km);
599extern int xfrm_unregister_km(struct xfrm_mgr *km);
600
601
602
603
604
605
606struct xfrm_skb_cb {
607 union {
608 struct inet_skb_parm h4;
609 struct inet6_skb_parm h6;
610 } header;
611
612
613 union {
614 struct {
615 __u32 low;
616 __u32 hi;
617 } output;
618 struct {
619 __be32 low;
620 __be32 hi;
621 } input;
622 } seq;
623};
624
625#define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
626
627
628
629
630
631struct xfrm_mode_skb_cb {
632 union {
633 struct inet_skb_parm h4;
634 struct inet6_skb_parm h6;
635 } header;
636
637
638 __be16 id;
639 __be16 frag_off;
640
641
642 u8 ihl;
643
644
645 u8 tos;
646
647
648 u8 ttl;
649
650
651 u8 protocol;
652
653
654 u8 optlen;
655
656
657 u8 flow_lbl[3];
658};
659
660#define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
661
662
663
664
665
666struct xfrm_spi_skb_cb {
667 union {
668 struct inet_skb_parm h4;
669 struct inet6_skb_parm h6;
670 } header;
671
672 unsigned int daddroff;
673 unsigned int family;
674};
675
676#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
677
678
679struct xfrm_audit {
680 u32 secid;
681 kuid_t loginuid;
682 u32 sessionid;
683};
684
685#ifdef CONFIG_AUDITSYSCALL
686static inline struct audit_buffer *xfrm_audit_start(const char *op)
687{
688 struct audit_buffer *audit_buf = NULL;
689
690 if (audit_enabled == 0)
691 return NULL;
692 audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
693 AUDIT_MAC_IPSEC_EVENT);
694 if (audit_buf == NULL)
695 return NULL;
696 audit_log_format(audit_buf, "op=%s", op);
697 return audit_buf;
698}
699
700static inline void xfrm_audit_helper_usrinfo(kuid_t auid, u32 ses, u32 secid,
701 struct audit_buffer *audit_buf)
702{
703 char *secctx;
704 u32 secctx_len;
705
706 audit_log_format(audit_buf, " auid=%u ses=%u",
707 from_kuid(&init_user_ns, auid), ses);
708 if (secid != 0 &&
709 security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
710 audit_log_format(audit_buf, " subj=%s", secctx);
711 security_release_secctx(secctx, secctx_len);
712 } else
713 audit_log_task_context(audit_buf);
714}
715
716extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
717 kuid_t auid, u32 ses, u32 secid);
718extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
719 kuid_t auid, u32 ses, u32 secid);
720extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
721 kuid_t auid, u32 ses, u32 secid);
722extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
723 kuid_t auid, u32 ses, u32 secid);
724extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
725 struct sk_buff *skb);
726extern void xfrm_audit_state_replay(struct xfrm_state *x,
727 struct sk_buff *skb, __be32 net_seq);
728extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
729extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
730 __be32 net_spi, __be32 net_seq);
731extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
732 struct sk_buff *skb, u8 proto);
733#else
734
735static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
736 kuid_t auid, u32 ses, u32 secid)
737{
738}
739
740static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
741 kuid_t auid, u32 ses, u32 secid)
742{
743}
744
745static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
746 kuid_t auid, u32 ses, u32 secid)
747{
748}
749
750static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
751 kuid_t auid, u32 ses, u32 secid)
752{
753}
754
755static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
756 struct sk_buff *skb)
757{
758}
759
760static inline void xfrm_audit_state_replay(struct xfrm_state *x,
761 struct sk_buff *skb, __be32 net_seq)
762{
763}
764
765static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
766 u16 family)
767{
768}
769
770static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
771 __be32 net_spi, __be32 net_seq)
772{
773}
774
775static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
776 struct sk_buff *skb, u8 proto)
777{
778}
779#endif
780
781static inline void xfrm_pol_hold(struct xfrm_policy *policy)
782{
783 if (likely(policy != NULL))
784 atomic_inc(&policy->refcnt);
785}
786
787extern void xfrm_policy_destroy(struct xfrm_policy *policy);
788
789static inline void xfrm_pol_put(struct xfrm_policy *policy)
790{
791 if (atomic_dec_and_test(&policy->refcnt))
792 xfrm_policy_destroy(policy);
793}
794
795static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
796{
797 int i;
798 for (i = npols - 1; i >= 0; --i)
799 xfrm_pol_put(pols[i]);
800}
801
802extern void __xfrm_state_destroy(struct xfrm_state *);
803
804static inline void __xfrm_state_put(struct xfrm_state *x)
805{
806 atomic_dec(&x->refcnt);
807}
808
809static inline void xfrm_state_put(struct xfrm_state *x)
810{
811 if (atomic_dec_and_test(&x->refcnt))
812 __xfrm_state_destroy(x);
813}
814
815static inline void xfrm_state_hold(struct xfrm_state *x)
816{
817 atomic_inc(&x->refcnt);
818}
819
820static inline bool addr_match(const void *token1, const void *token2,
821 int prefixlen)
822{
823 const __be32 *a1 = token1;
824 const __be32 *a2 = token2;
825 int pdw;
826 int pbi;
827
828 pdw = prefixlen >> 5;
829 pbi = prefixlen & 0x1f;
830
831 if (pdw)
832 if (memcmp(a1, a2, pdw << 2))
833 return false;
834
835 if (pbi) {
836 __be32 mask;
837
838 mask = htonl((0xffffffff) << (32 - pbi));
839
840 if ((a1[pdw] ^ a2[pdw]) & mask)
841 return false;
842 }
843
844 return true;
845}
846
847static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
848{
849
850 if (prefixlen == 0)
851 return true;
852 return !((a1 ^ a2) & htonl(0xFFFFFFFFu << (32 - prefixlen)));
853}
854
855static __inline__
856__be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
857{
858 __be16 port;
859 switch(fl->flowi_proto) {
860 case IPPROTO_TCP:
861 case IPPROTO_UDP:
862 case IPPROTO_UDPLITE:
863 case IPPROTO_SCTP:
864 port = uli->ports.sport;
865 break;
866 case IPPROTO_ICMP:
867 case IPPROTO_ICMPV6:
868 port = htons(uli->icmpt.type);
869 break;
870 case IPPROTO_MH:
871 port = htons(uli->mht.type);
872 break;
873 case IPPROTO_GRE:
874 port = htons(ntohl(uli->gre_key) >> 16);
875 break;
876 default:
877 port = 0;
878 }
879 return port;
880}
881
882static __inline__
883__be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
884{
885 __be16 port;
886 switch(fl->flowi_proto) {
887 case IPPROTO_TCP:
888 case IPPROTO_UDP:
889 case IPPROTO_UDPLITE:
890 case IPPROTO_SCTP:
891 port = uli->ports.dport;
892 break;
893 case IPPROTO_ICMP:
894 case IPPROTO_ICMPV6:
895 port = htons(uli->icmpt.code);
896 break;
897 case IPPROTO_GRE:
898 port = htons(ntohl(uli->gre_key) & 0xffff);
899 break;
900 default:
901 port = 0;
902 }
903 return port;
904}
905
906extern bool xfrm_selector_match(const struct xfrm_selector *sel,
907 const struct flowi *fl,
908 unsigned short family);
909
910#ifdef CONFIG_SECURITY_NETWORK_XFRM
911
912
913
914static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
915{
916 return ((!s1 && !s2) ||
917 (s1 && s2 &&
918 (s1->ctx_sid == s2->ctx_sid) &&
919 (s1->ctx_doi == s2->ctx_doi) &&
920 (s1->ctx_alg == s2->ctx_alg)));
921}
922#else
923static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
924{
925 return true;
926}
927#endif
928
929
930
931
932
933
934
935
936
937
938
939
940struct xfrm_dst {
941 union {
942 struct dst_entry dst;
943 struct rtable rt;
944 struct rt6_info rt6;
945 } u;
946 struct dst_entry *route;
947 struct flow_cache_object flo;
948 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
949 int num_pols, num_xfrms;
950#ifdef CONFIG_XFRM_SUB_POLICY
951 struct flowi *origin;
952 struct xfrm_selector *partner;
953#endif
954 u32 xfrm_genid;
955 u32 policy_genid;
956 u32 route_mtu_cached;
957 u32 child_mtu_cached;
958 u32 route_cookie;
959 u32 path_cookie;
960};
961
962#ifdef CONFIG_XFRM
963static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
964{
965 xfrm_pols_put(xdst->pols, xdst->num_pols);
966 dst_release(xdst->route);
967 if (likely(xdst->u.dst.xfrm))
968 xfrm_state_put(xdst->u.dst.xfrm);
969#ifdef CONFIG_XFRM_SUB_POLICY
970 kfree(xdst->origin);
971 xdst->origin = NULL;
972 kfree(xdst->partner);
973 xdst->partner = NULL;
974#endif
975}
976#endif
977
978extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
979
980struct sec_path {
981 atomic_t refcnt;
982 int len;
983 struct xfrm_state *xvec[XFRM_MAX_DEPTH];
984};
985
986static inline int secpath_exists(struct sk_buff *skb)
987{
988#ifdef CONFIG_XFRM
989 return skb->sp != NULL;
990#else
991 return 0;
992#endif
993}
994
995static inline struct sec_path *
996secpath_get(struct sec_path *sp)
997{
998 if (sp)
999 atomic_inc(&sp->refcnt);
1000 return sp;
1001}
1002
1003extern void __secpath_destroy(struct sec_path *sp);
1004
1005static inline void
1006secpath_put(struct sec_path *sp)
1007{
1008 if (sp && atomic_dec_and_test(&sp->refcnt))
1009 __secpath_destroy(sp);
1010}
1011
1012extern struct sec_path *secpath_dup(struct sec_path *src);
1013
1014static inline void
1015secpath_reset(struct sk_buff *skb)
1016{
1017#ifdef CONFIG_XFRM
1018 secpath_put(skb->sp);
1019 skb->sp = NULL;
1020#endif
1021}
1022
1023static inline int
1024xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1025{
1026 switch (family) {
1027 case AF_INET:
1028 return addr->a4 == 0;
1029 case AF_INET6:
1030 return ipv6_addr_any((struct in6_addr *)&addr->a6);
1031 }
1032 return 0;
1033}
1034
1035static inline int
1036__xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1037{
1038 return (tmpl->saddr.a4 &&
1039 tmpl->saddr.a4 != x->props.saddr.a4);
1040}
1041
1042static inline int
1043__xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1044{
1045 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1046 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1047}
1048
1049static inline int
1050xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1051{
1052 switch (family) {
1053 case AF_INET:
1054 return __xfrm4_state_addr_cmp(tmpl, x);
1055 case AF_INET6:
1056 return __xfrm6_state_addr_cmp(tmpl, x);
1057 }
1058 return !0;
1059}
1060
1061#ifdef CONFIG_XFRM
1062extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
1063
1064static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1065 struct sk_buff *skb,
1066 unsigned int family, int reverse)
1067{
1068 struct net *net = dev_net(skb->dev);
1069 int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1070
1071 if (sk && sk->sk_policy[XFRM_POLICY_IN])
1072 return __xfrm_policy_check(sk, ndir, skb, family);
1073
1074 return (!net->xfrm.policy_count[dir] && !skb->sp) ||
1075 (skb_dst(skb)->flags & DST_NOPOLICY) ||
1076 __xfrm_policy_check(sk, ndir, skb, family);
1077}
1078
1079static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1080{
1081 return __xfrm_policy_check2(sk, dir, skb, family, 0);
1082}
1083
1084static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1085{
1086 return xfrm_policy_check(sk, dir, skb, AF_INET);
1087}
1088
1089static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1090{
1091 return xfrm_policy_check(sk, dir, skb, AF_INET6);
1092}
1093
1094static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1095 struct sk_buff *skb)
1096{
1097 return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1098}
1099
1100static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1101 struct sk_buff *skb)
1102{
1103 return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1104}
1105
1106extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1107 unsigned int family, int reverse);
1108
1109static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1110 unsigned int family)
1111{
1112 return __xfrm_decode_session(skb, fl, family, 0);
1113}
1114
1115static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1116 struct flowi *fl,
1117 unsigned int family)
1118{
1119 return __xfrm_decode_session(skb, fl, family, 1);
1120}
1121
1122extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1123
1124static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1125{
1126 struct net *net = dev_net(skb->dev);
1127
1128 return !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
1129 (skb_dst(skb)->flags & DST_NOXFRM) ||
1130 __xfrm_route_forward(skb, family);
1131}
1132
1133static inline int xfrm4_route_forward(struct sk_buff *skb)
1134{
1135 return xfrm_route_forward(skb, AF_INET);
1136}
1137
1138static inline int xfrm6_route_forward(struct sk_buff *skb)
1139{
1140 return xfrm_route_forward(skb, AF_INET6);
1141}
1142
1143extern int __xfrm_sk_clone_policy(struct sock *sk);
1144
1145static inline int xfrm_sk_clone_policy(struct sock *sk)
1146{
1147 if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
1148 return __xfrm_sk_clone_policy(sk);
1149 return 0;
1150}
1151
1152extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1153
1154static inline void xfrm_sk_free_policy(struct sock *sk)
1155{
1156 if (unlikely(sk->sk_policy[0] != NULL)) {
1157 xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
1158 sk->sk_policy[0] = NULL;
1159 }
1160 if (unlikely(sk->sk_policy[1] != NULL)) {
1161 xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
1162 sk->sk_policy[1] = NULL;
1163 }
1164}
1165
1166extern void xfrm_garbage_collect(struct net *net);
1167
1168#else
1169
1170static inline void xfrm_sk_free_policy(struct sock *sk) {}
1171static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
1172static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
1173static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
1174static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1175{
1176 return 1;
1177}
1178static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1179{
1180 return 1;
1181}
1182static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1183{
1184 return 1;
1185}
1186static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1187 struct flowi *fl,
1188 unsigned int family)
1189{
1190 return -ENOSYS;
1191}
1192static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1193 struct sk_buff *skb)
1194{
1195 return 1;
1196}
1197static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1198 struct sk_buff *skb)
1199{
1200 return 1;
1201}
1202static inline void xfrm_garbage_collect(struct net *net)
1203{
1204}
1205#endif
1206
1207static __inline__
1208xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1209{
1210 switch (family){
1211 case AF_INET:
1212 return (xfrm_address_t *)&fl->u.ip4.daddr;
1213 case AF_INET6:
1214 return (xfrm_address_t *)&fl->u.ip6.daddr;
1215 }
1216 return NULL;
1217}
1218
1219static __inline__
1220xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1221{
1222 switch (family){
1223 case AF_INET:
1224 return (xfrm_address_t *)&fl->u.ip4.saddr;
1225 case AF_INET6:
1226 return (xfrm_address_t *)&fl->u.ip6.saddr;
1227 }
1228 return NULL;
1229}
1230
1231static __inline__
1232void xfrm_flowi_addr_get(const struct flowi *fl,
1233 xfrm_address_t *saddr, xfrm_address_t *daddr,
1234 unsigned short family)
1235{
1236 switch(family) {
1237 case AF_INET:
1238 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1239 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1240 break;
1241 case AF_INET6:
1242 *(struct in6_addr *)saddr->a6 = fl->u.ip6.saddr;
1243 *(struct in6_addr *)daddr->a6 = fl->u.ip6.daddr;
1244 break;
1245 }
1246}
1247
1248static __inline__ int
1249__xfrm4_state_addr_check(const struct xfrm_state *x,
1250 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1251{
1252 if (daddr->a4 == x->id.daddr.a4 &&
1253 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1254 return 1;
1255 return 0;
1256}
1257
1258static __inline__ int
1259__xfrm6_state_addr_check(const struct xfrm_state *x,
1260 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1261{
1262 if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1263 (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
1264 ipv6_addr_any((struct in6_addr *)saddr) ||
1265 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1266 return 1;
1267 return 0;
1268}
1269
1270static __inline__ int
1271xfrm_state_addr_check(const struct xfrm_state *x,
1272 const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1273 unsigned short family)
1274{
1275 switch (family) {
1276 case AF_INET:
1277 return __xfrm4_state_addr_check(x, daddr, saddr);
1278 case AF_INET6:
1279 return __xfrm6_state_addr_check(x, daddr, saddr);
1280 }
1281 return 0;
1282}
1283
1284static __inline__ int
1285xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1286 unsigned short family)
1287{
1288 switch (family) {
1289 case AF_INET:
1290 return __xfrm4_state_addr_check(x,
1291 (const xfrm_address_t *)&fl->u.ip4.daddr,
1292 (const xfrm_address_t *)&fl->u.ip4.saddr);
1293 case AF_INET6:
1294 return __xfrm6_state_addr_check(x,
1295 (const xfrm_address_t *)&fl->u.ip6.daddr,
1296 (const xfrm_address_t *)&fl->u.ip6.saddr);
1297 }
1298 return 0;
1299}
1300
1301static inline int xfrm_state_kern(const struct xfrm_state *x)
1302{
1303 return atomic_read(&x->tunnel_users);
1304}
1305
1306static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1307{
1308 return (!userproto || proto == userproto ||
1309 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1310 proto == IPPROTO_ESP ||
1311 proto == IPPROTO_COMP)));
1312}
1313
1314
1315
1316
1317struct xfrm_algo_aead_info {
1318 u16 icv_truncbits;
1319};
1320
1321struct xfrm_algo_auth_info {
1322 u16 icv_truncbits;
1323 u16 icv_fullbits;
1324};
1325
1326struct xfrm_algo_encr_info {
1327 u16 blockbits;
1328 u16 defkeybits;
1329};
1330
1331struct xfrm_algo_comp_info {
1332 u16 threshold;
1333};
1334
1335struct xfrm_algo_desc {
1336 char *name;
1337 char *compat;
1338 u8 available:1;
1339 u8 pfkey_supported:1;
1340 union {
1341 struct xfrm_algo_aead_info aead;
1342 struct xfrm_algo_auth_info auth;
1343 struct xfrm_algo_encr_info encr;
1344 struct xfrm_algo_comp_info comp;
1345 } uinfo;
1346 struct sadb_alg desc;
1347};
1348
1349
1350struct xfrm_tunnel {
1351 int (*handler)(struct sk_buff *skb);
1352 int (*err_handler)(struct sk_buff *skb, u32 info);
1353
1354 struct xfrm_tunnel __rcu *next;
1355 int priority;
1356};
1357
1358struct xfrm6_tunnel {
1359 int (*handler)(struct sk_buff *skb);
1360 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1361 u8 type, u8 code, int offset, __be32 info);
1362 struct xfrm6_tunnel __rcu *next;
1363 int priority;
1364};
1365
1366extern void xfrm_init(void);
1367extern void xfrm4_init(void);
1368extern int xfrm_state_init(struct net *net);
1369extern void xfrm_state_fini(struct net *net);
1370extern void xfrm4_state_init(void);
1371#ifdef CONFIG_XFRM
1372extern int xfrm6_init(void);
1373extern void xfrm6_fini(void);
1374extern int xfrm6_state_init(void);
1375extern void xfrm6_state_fini(void);
1376#else
1377static inline int xfrm6_init(void)
1378{
1379 return 0;
1380}
1381static inline void xfrm6_fini(void)
1382{
1383 ;
1384}
1385#endif
1386
1387#ifdef CONFIG_XFRM_STATISTICS
1388extern int xfrm_proc_init(struct net *net);
1389extern void xfrm_proc_fini(struct net *net);
1390#endif
1391
1392extern int xfrm_sysctl_init(struct net *net);
1393#ifdef CONFIG_SYSCTL
1394extern void xfrm_sysctl_fini(struct net *net);
1395#else
1396static inline void xfrm_sysctl_fini(struct net *net)
1397{
1398}
1399#endif
1400
1401extern void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto);
1402extern int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1403 int (*func)(struct xfrm_state *, int, void*), void *);
1404extern void xfrm_state_walk_done(struct xfrm_state_walk *walk);
1405extern struct xfrm_state *xfrm_state_alloc(struct net *net);
1406extern struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1407 const xfrm_address_t *saddr,
1408 const struct flowi *fl,
1409 struct xfrm_tmpl *tmpl,
1410 struct xfrm_policy *pol, int *err,
1411 unsigned short family);
1412extern struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark,
1413 xfrm_address_t *daddr,
1414 xfrm_address_t *saddr,
1415 unsigned short family,
1416 u8 mode, u8 proto, u32 reqid);
1417extern int xfrm_state_check_expire(struct xfrm_state *x);
1418extern void xfrm_state_insert(struct xfrm_state *x);
1419extern int xfrm_state_add(struct xfrm_state *x);
1420extern int xfrm_state_update(struct xfrm_state *x);
1421extern struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1422 const xfrm_address_t *daddr, __be32 spi,
1423 u8 proto, unsigned short family);
1424extern struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1425 const xfrm_address_t *daddr,
1426 const xfrm_address_t *saddr,
1427 u8 proto,
1428 unsigned short family);
1429#ifdef CONFIG_XFRM_SUB_POLICY
1430extern int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1431 int n, unsigned short family);
1432extern int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1433 int n, unsigned short family);
1434#else
1435static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1436 int n, unsigned short family)
1437{
1438 return -ENOSYS;
1439}
1440
1441static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1442 int n, unsigned short family)
1443{
1444 return -ENOSYS;
1445}
1446#endif
1447
1448struct xfrmk_sadinfo {
1449 u32 sadhcnt;
1450 u32 sadhmcnt;
1451 u32 sadcnt;
1452};
1453
1454struct xfrmk_spdinfo {
1455 u32 incnt;
1456 u32 outcnt;
1457 u32 fwdcnt;
1458 u32 inscnt;
1459 u32 outscnt;
1460 u32 fwdscnt;
1461 u32 spdhcnt;
1462 u32 spdhmcnt;
1463};
1464
1465extern struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark,
1466 u32 seq);
1467extern int xfrm_state_delete(struct xfrm_state *x);
1468extern int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info);
1469extern void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1470extern void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1471extern u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1472extern int xfrm_init_replay(struct xfrm_state *x);
1473extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
1474extern int __xfrm_init_state(struct xfrm_state *x, bool init_replay);
1475extern int xfrm_init_state(struct xfrm_state *x);
1476extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
1477extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi,
1478 int encap_type);
1479extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1480extern int xfrm_output_resume(struct sk_buff *skb, int err);
1481extern int xfrm_output(struct sk_buff *skb);
1482extern int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1483extern void xfrm_local_error(struct sk_buff *skb, int mtu);
1484extern int xfrm4_extract_header(struct sk_buff *skb);
1485extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1486extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1487 int encap_type);
1488extern int xfrm4_transport_finish(struct sk_buff *skb, int async);
1489extern int xfrm4_rcv(struct sk_buff *skb);
1490
1491static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1492{
1493 return xfrm4_rcv_encap(skb, nexthdr, spi, 0);
1494}
1495
1496extern int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1497extern int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1498extern int xfrm4_output(struct sk_buff *skb);
1499extern int xfrm4_output_finish(struct sk_buff *skb);
1500extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1501extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1502extern int xfrm4_mode_tunnel_input_register(struct xfrm_tunnel *handler);
1503extern int xfrm4_mode_tunnel_input_deregister(struct xfrm_tunnel *handler);
1504extern void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
1505extern int xfrm6_extract_header(struct sk_buff *skb);
1506extern int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1507extern int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
1508extern int xfrm6_transport_finish(struct sk_buff *skb, int async);
1509extern int xfrm6_rcv(struct sk_buff *skb);
1510extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1511 xfrm_address_t *saddr, u8 proto);
1512extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1513extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1514extern __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1515extern __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1516extern int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1517extern int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1518extern int xfrm6_output(struct sk_buff *skb);
1519extern int xfrm6_output_finish(struct sk_buff *skb);
1520extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1521 u8 **prevhdr);
1522extern void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
1523
1524#ifdef CONFIG_XFRM
1525extern int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1526extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
1527#else
1528static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1529{
1530 return -ENOPROTOOPT;
1531}
1532
1533static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1534{
1535
1536 kfree_skb(skb);
1537 return 0;
1538}
1539#endif
1540
1541struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1542
1543extern void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1544extern int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1545 int (*func)(struct xfrm_policy *, int, int, void*), void *);
1546extern void xfrm_policy_walk_done(struct xfrm_policy_walk *walk);
1547int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1548struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark,
1549 u8 type, int dir,
1550 struct xfrm_selector *sel,
1551 struct xfrm_sec_ctx *ctx, int delete,
1552 int *err);
1553struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8, int dir, u32 id, int delete, int *err);
1554int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info);
1555u32 xfrm_get_acqseq(void);
1556extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1557struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
1558 u8 mode, u32 reqid, u8 proto,
1559 const xfrm_address_t *daddr,
1560 const xfrm_address_t *saddr, int create,
1561 unsigned short family);
1562extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1563
1564#ifdef CONFIG_XFRM_MIGRATE
1565extern int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1566 const struct xfrm_migrate *m, int num_bundles,
1567 const struct xfrm_kmaddress *k);
1568extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m);
1569extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1570 struct xfrm_migrate *m);
1571extern int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1572 struct xfrm_migrate *m, int num_bundles,
1573 struct xfrm_kmaddress *k);
1574#endif
1575
1576extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1577extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1578extern int km_report(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
1579
1580extern void xfrm_input_init(void);
1581extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1582
1583extern void xfrm_probe_algs(void);
1584extern int xfrm_count_pfkey_auth_supported(void);
1585extern int xfrm_count_pfkey_enc_supported(void);
1586extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1587extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1588extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1589extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1590extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1591extern struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1592extern struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1593extern struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1594extern struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1595 int probe);
1596
1597static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1598 const xfrm_address_t *b)
1599{
1600 return ipv6_addr_equal((const struct in6_addr *)a,
1601 (const struct in6_addr *)b);
1602}
1603
1604static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1605 const xfrm_address_t *b,
1606 sa_family_t family)
1607{
1608 switch (family) {
1609 default:
1610 case AF_INET:
1611 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1612 case AF_INET6:
1613 return xfrm6_addr_equal(a, b);
1614 }
1615}
1616
1617static inline int xfrm_policy_id2dir(u32 index)
1618{
1619 return index & 7;
1620}
1621
1622#ifdef CONFIG_XFRM
1623static inline int xfrm_aevent_is_on(struct net *net)
1624{
1625 struct sock *nlsk;
1626 int ret = 0;
1627
1628 rcu_read_lock();
1629 nlsk = rcu_dereference(net->xfrm.nlsk);
1630 if (nlsk)
1631 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1632 rcu_read_unlock();
1633 return ret;
1634}
1635#endif
1636
1637static inline int xfrm_alg_len(const struct xfrm_algo *alg)
1638{
1639 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1640}
1641
1642static inline int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1643{
1644 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1645}
1646
1647static inline int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1648{
1649 return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1650}
1651
1652#ifdef CONFIG_XFRM_MIGRATE
1653static inline int xfrm_replay_clone(struct xfrm_state *x,
1654 struct xfrm_state *orig)
1655{
1656 x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn),
1657 GFP_KERNEL);
1658 if (!x->replay_esn)
1659 return -ENOMEM;
1660
1661 x->replay_esn->bmp_len = orig->replay_esn->bmp_len;
1662 x->replay_esn->replay_window = orig->replay_esn->replay_window;
1663
1664 x->preplay_esn = kmemdup(x->replay_esn,
1665 xfrm_replay_state_esn_len(x->replay_esn),
1666 GFP_KERNEL);
1667 if (!x->preplay_esn) {
1668 kfree(x->replay_esn);
1669 return -ENOMEM;
1670 }
1671
1672 return 0;
1673}
1674
1675static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1676{
1677 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1678}
1679
1680static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1681{
1682 return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1683}
1684
1685static inline void xfrm_states_put(struct xfrm_state **states, int n)
1686{
1687 int i;
1688 for (i = 0; i < n; i++)
1689 xfrm_state_put(*(states + i));
1690}
1691
1692static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1693{
1694 int i;
1695 for (i = 0; i < n; i++)
1696 xfrm_state_delete(*(states + i));
1697}
1698#endif
1699
1700#ifdef CONFIG_XFRM
1701static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1702{
1703 return skb->sp->xvec[skb->sp->len - 1];
1704}
1705#endif
1706
1707static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
1708{
1709 if (attrs[XFRMA_MARK])
1710 memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
1711 else
1712 m->v = m->m = 0;
1713
1714 return m->v & m->m;
1715}
1716
1717static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
1718{
1719 int ret = 0;
1720
1721 if (m->m | m->v)
1722 ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
1723 return ret;
1724}
1725
1726#endif
1727
