linux/include/net/xfrm.h
<<
>>
Prefs
   1#ifndef _NET_XFRM_H
   2#define _NET_XFRM_H
   3
   4#include <linux/compiler.h>
   5#include <linux/xfrm.h>
   6#include <linux/spinlock.h>
   7#include <linux/list.h>
   8#include <linux/skbuff.h>
   9#include <linux/socket.h>
  10#include <linux/pfkeyv2.h>
  11#include <linux/ipsec.h>
  12#include <linux/in6.h>
  13#include <linux/mutex.h>
  14#include <linux/audit.h>
  15#include <linux/slab.h>
  16
  17#include <net/sock.h>
  18#include <net/dst.h>
  19#include <net/ip.h>
  20#include <net/route.h>
  21#include <net/ipv6.h>
  22#include <net/ip6_fib.h>
  23#include <net/flow.h>
  24
  25#include <linux/interrupt.h>
  26
  27#ifdef CONFIG_XFRM_STATISTICS
  28#include <net/snmp.h>
  29#endif
  30
  31#define XFRM_PROTO_ESP          50
  32#define XFRM_PROTO_AH           51
  33#define XFRM_PROTO_COMP         108
  34#define XFRM_PROTO_IPIP         4
  35#define XFRM_PROTO_IPV6         41
  36#define XFRM_PROTO_ROUTING      IPPROTO_ROUTING
  37#define XFRM_PROTO_DSTOPTS      IPPROTO_DSTOPTS
  38
  39#define XFRM_ALIGN4(len)        (((len) + 3) & ~3)
  40#define XFRM_ALIGN8(len)        (((len) + 7) & ~7)
  41#define MODULE_ALIAS_XFRM_MODE(family, encap) \
  42        MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
  43#define MODULE_ALIAS_XFRM_TYPE(family, proto) \
  44        MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
  45
  46#ifdef CONFIG_XFRM_STATISTICS
  47#define XFRM_INC_STATS(net, field)      SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
  48#define XFRM_INC_STATS_BH(net, field)   SNMP_INC_STATS_BH((net)->mib.xfrm_statistics, field)
  49#define XFRM_INC_STATS_USER(net, field) SNMP_INC_STATS_USER((net)-mib.xfrm_statistics, field)
  50#else
  51#define XFRM_INC_STATS(net, field)      ((void)(net))
  52#define XFRM_INC_STATS_BH(net, field)   ((void)(net))
  53#define XFRM_INC_STATS_USER(net, field) ((void)(net))
  54#endif
  55
  56extern struct mutex xfrm_cfg_mutex;
  57
  58/* Organization of SPD aka "XFRM rules"
  59   ------------------------------------
  60
  61   Basic objects:
  62   - policy rule, struct xfrm_policy (=SPD entry)
  63   - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
  64   - instance of a transformer, struct xfrm_state (=SA)
  65   - template to clone xfrm_state, struct xfrm_tmpl
  66
  67   SPD is plain linear list of xfrm_policy rules, ordered by priority.
  68   (To be compatible with existing pfkeyv2 implementations,
  69   many rules with priority of 0x7fffffff are allowed to exist and
  70   such rules are ordered in an unpredictable way, thanks to bsd folks.)
  71
  72   Lookup is plain linear search until the first match with selector.
  73
  74   If "action" is "block", then we prohibit the flow, otherwise:
  75   if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
  76   policy entry has list of up to XFRM_MAX_DEPTH transformations,
  77   described by templates xfrm_tmpl. Each template is resolved
  78   to a complete xfrm_state (see below) and we pack bundle of transformations
  79   to a dst_entry returned to requestor.
  80
  81   dst -. xfrm  .-> xfrm_state #1
  82    |---. child .-> dst -. xfrm .-> xfrm_state #2
  83                     |---. child .-> dst -. xfrm .-> xfrm_state #3
  84                                      |---. child .-> NULL
  85
  86   Bundles are cached at xrfm_policy struct (field ->bundles).
  87
  88
  89   Resolution of xrfm_tmpl
  90   -----------------------
  91   Template contains:
  92   1. ->mode            Mode: transport or tunnel
  93   2. ->id.proto        Protocol: AH/ESP/IPCOMP
  94   3. ->id.daddr        Remote tunnel endpoint, ignored for transport mode.
  95      Q: allow to resolve security gateway?
  96   4. ->id.spi          If not zero, static SPI.
  97   5. ->saddr           Local tunnel endpoint, ignored for transport mode.
  98   6. ->algos           List of allowed algos. Plain bitmask now.
  99      Q: ealgos, aalgos, calgos. What a mess...
 100   7. ->share           Sharing mode.
 101      Q: how to implement private sharing mode? To add struct sock* to
 102      flow id?
 103
 104   Having this template we search through SAD searching for entries
 105   with appropriate mode/proto/algo, permitted by selector.
 106   If no appropriate entry found, it is requested from key manager.
 107
 108   PROBLEMS:
 109   Q: How to find all the bundles referring to a physical path for
 110      PMTU discovery? Seems, dst should contain list of all parents...
 111      and enter to infinite locking hierarchy disaster.
 112      No! It is easier, we will not search for them, let them find us.
 113      We add genid to each dst plus pointer to genid of raw IP route,
 114      pmtu disc will update pmtu on raw IP route and increase its genid.
 115      dst_check() will see this for top level and trigger resyncing
 116      metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
 117 */
 118
 119struct xfrm_state_walk {
 120        struct list_head        all;
 121        u8                      state;
 122        union {
 123                u8              dying;
 124                u8              proto;
 125        };
 126        u32                     seq;
 127};
 128
 129/* Full description of state of transformer. */
 130struct xfrm_state {
 131#ifdef CONFIG_NET_NS
 132        struct net              *xs_net;
 133#endif
 134        union {
 135                struct hlist_node       gclist;
 136                struct hlist_node       bydst;
 137        };
 138        struct hlist_node       bysrc;
 139        struct hlist_node       byspi;
 140
 141        atomic_t                refcnt;
 142        spinlock_t              lock;
 143
 144        struct xfrm_id          id;
 145        struct xfrm_selector    sel;
 146        struct xfrm_mark        mark;
 147        u32                     tfcpad;
 148
 149        u32                     genid;
 150
 151        /* Key manager bits */
 152        struct xfrm_state_walk  km;
 153
 154        /* Parameters of this state. */
 155        struct {
 156                u32             reqid;
 157                u8              mode;
 158                u8              replay_window;
 159                u8              aalgo, ealgo, calgo;
 160                u8              flags;
 161                u16             family;
 162                xfrm_address_t  saddr;
 163                int             header_len;
 164                int             trailer_len;
 165        } props;
 166
 167        struct xfrm_lifetime_cfg lft;
 168
 169        /* Data for transformer */
 170        struct xfrm_algo_auth   *aalg;
 171        struct xfrm_algo        *ealg;
 172        struct xfrm_algo        *calg;
 173        struct xfrm_algo_aead   *aead;
 174
 175        /* Data for encapsulator */
 176        struct xfrm_encap_tmpl  *encap;
 177
 178        /* Data for care-of address */
 179        xfrm_address_t  *coaddr;
 180
 181        /* IPComp needs an IPIP tunnel for handling uncompressed packets */
 182        struct xfrm_state       *tunnel;
 183
 184        /* If a tunnel, number of users + 1 */
 185        atomic_t                tunnel_users;
 186
 187        /* State for replay detection */
 188        struct xfrm_replay_state replay;
 189        struct xfrm_replay_state_esn *replay_esn;
 190
 191        /* Replay detection state at the time we sent the last notification */
 192        struct xfrm_replay_state preplay;
 193        struct xfrm_replay_state_esn *preplay_esn;
 194
 195        /* The functions for replay detection. */
 196        struct xfrm_replay      *repl;
 197
 198        /* internal flag that only holds state for delayed aevent at the
 199         * moment
 200        */
 201        u32                     xflags;
 202
 203        /* Replay detection notification settings */
 204        u32                     replay_maxage;
 205        u32                     replay_maxdiff;
 206
 207        /* Replay detection notification timer */
 208        struct timer_list       rtimer;
 209
 210        /* Statistics */
 211        struct xfrm_stats       stats;
 212
 213        struct xfrm_lifetime_cur curlft;
 214        struct tasklet_hrtimer  mtimer;
 215
 216        /* used to fix curlft->add_time when changing date */
 217        long            saved_tmo;
 218
 219        /* Last used time */
 220        unsigned long           lastused;
 221
 222        /* Reference to data common to all the instances of this
 223         * transformer. */
 224        const struct xfrm_type  *type;
 225        struct xfrm_mode        *inner_mode;
 226        struct xfrm_mode        *inner_mode_iaf;
 227        struct xfrm_mode        *outer_mode;
 228
 229        /* Security context */
 230        struct xfrm_sec_ctx     *security;
 231
 232        /* Private data of this transformer, format is opaque,
 233         * interpreted by xfrm_type methods. */
 234        void                    *data;
 235};
 236
 237static inline struct net *xs_net(struct xfrm_state *x)
 238{
 239        return read_pnet(&x->xs_net);
 240}
 241
 242/* xflags - make enum if more show up */
 243#define XFRM_TIME_DEFER 1
 244#define XFRM_SOFT_EXPIRE 2
 245
 246enum {
 247        XFRM_STATE_VOID,
 248        XFRM_STATE_ACQ,
 249        XFRM_STATE_VALID,
 250        XFRM_STATE_ERROR,
 251        XFRM_STATE_EXPIRED,
 252        XFRM_STATE_DEAD
 253};
 254
 255/* callback structure passed from either netlink or pfkey */
 256struct km_event {
 257        union {
 258                u32 hard;
 259                u32 proto;
 260                u32 byid;
 261                u32 aevent;
 262                u32 type;
 263        } data;
 264
 265        u32     seq;
 266        u32     portid;
 267        u32     event;
 268        struct net *net;
 269};
 270
 271struct xfrm_replay {
 272        void    (*advance)(struct xfrm_state *x, __be32 net_seq);
 273        int     (*check)(struct xfrm_state *x,
 274                         struct sk_buff *skb,
 275                         __be32 net_seq);
 276        int     (*recheck)(struct xfrm_state *x,
 277                           struct sk_buff *skb,
 278                           __be32 net_seq);
 279        void    (*notify)(struct xfrm_state *x, int event);
 280        int     (*overflow)(struct xfrm_state *x, struct sk_buff *skb);
 281};
 282
 283struct net_device;
 284struct xfrm_type;
 285struct xfrm_dst;
 286struct xfrm_policy_afinfo {
 287        unsigned short          family;
 288        struct dst_ops          *dst_ops;
 289        void                    (*garbage_collect)(struct net *net);
 290        struct dst_entry        *(*dst_lookup)(struct net *net, int tos,
 291                                               const xfrm_address_t *saddr,
 292                                               const xfrm_address_t *daddr);
 293        int                     (*get_saddr)(struct net *net, xfrm_address_t *saddr, xfrm_address_t *daddr);
 294        void                    (*decode_session)(struct sk_buff *skb,
 295                                                  struct flowi *fl,
 296                                                  int reverse);
 297        int                     (*get_tos)(const struct flowi *fl);
 298        void                    (*init_dst)(struct net *net,
 299                                            struct xfrm_dst *dst);
 300        int                     (*init_path)(struct xfrm_dst *path,
 301                                             struct dst_entry *dst,
 302                                             int nfheader_len);
 303        int                     (*fill_dst)(struct xfrm_dst *xdst,
 304                                            struct net_device *dev,
 305                                            const struct flowi *fl);
 306        struct dst_entry        *(*blackhole_route)(struct net *net, struct dst_entry *orig);
 307};
 308
 309extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
 310extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
 311extern void km_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c);
 312extern void km_state_notify(struct xfrm_state *x, const struct km_event *c);
 313
 314struct xfrm_tmpl;
 315extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
 316extern void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
 317extern int __xfrm_state_delete(struct xfrm_state *x);
 318
 319struct xfrm_state_afinfo {
 320        unsigned int            family;
 321        unsigned int            proto;
 322        __be16                  eth_proto;
 323        struct module           *owner;
 324        const struct xfrm_type  *type_map[IPPROTO_MAX];
 325        struct xfrm_mode        *mode_map[XFRM_MODE_MAX];
 326        int                     (*init_flags)(struct xfrm_state *x);
 327        void                    (*init_tempsel)(struct xfrm_selector *sel,
 328                                                const struct flowi *fl);
 329        void                    (*init_temprop)(struct xfrm_state *x,
 330                                                const struct xfrm_tmpl *tmpl,
 331                                                const xfrm_address_t *daddr,
 332                                                const xfrm_address_t *saddr);
 333        int                     (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
 334        int                     (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
 335        int                     (*output)(struct sk_buff *skb);
 336        int                     (*output_finish)(struct sk_buff *skb);
 337        int                     (*extract_input)(struct xfrm_state *x,
 338                                                 struct sk_buff *skb);
 339        int                     (*extract_output)(struct xfrm_state *x,
 340                                                  struct sk_buff *skb);
 341        int                     (*transport_finish)(struct sk_buff *skb,
 342                                                    int async);
 343};
 344
 345extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
 346extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
 347
 348extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
 349
 350struct xfrm_type {
 351        char                    *description;
 352        struct module           *owner;
 353        u8                      proto;
 354        u8                      flags;
 355#define XFRM_TYPE_NON_FRAGMENT  1
 356#define XFRM_TYPE_REPLAY_PROT   2
 357#define XFRM_TYPE_LOCAL_COADDR  4
 358#define XFRM_TYPE_REMOTE_COADDR 8
 359
 360        int                     (*init_state)(struct xfrm_state *x);
 361        void                    (*destructor)(struct xfrm_state *);
 362        int                     (*input)(struct xfrm_state *, struct sk_buff *skb);
 363        int                     (*output)(struct xfrm_state *, struct sk_buff *pskb);
 364        int                     (*reject)(struct xfrm_state *, struct sk_buff *,
 365                                          const struct flowi *);
 366        int                     (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
 367        /* Estimate maximal size of result of transformation of a dgram */
 368        u32                     (*get_mtu)(struct xfrm_state *, int size);
 369};
 370
 371extern int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
 372extern int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
 373
 374struct xfrm_mode {
 375        /*
 376         * Remove encapsulation header.
 377         *
 378         * The IP header will be moved over the top of the encapsulation
 379         * header.
 380         *
 381         * On entry, the transport header shall point to where the IP header
 382         * should be and the network header shall be set to where the IP
 383         * header currently is.  skb->data shall point to the start of the
 384         * payload.
 385         */
 386        int (*input2)(struct xfrm_state *x, struct sk_buff *skb);
 387
 388        /*
 389         * This is the actual input entry point.
 390         *
 391         * For transport mode and equivalent this would be identical to
 392         * input2 (which does not need to be set).  While tunnel mode
 393         * and equivalent would set this to the tunnel encapsulation function
 394         * xfrm4_prepare_input that would in turn call input2.
 395         */
 396        int (*input)(struct xfrm_state *x, struct sk_buff *skb);
 397
 398        /*
 399         * Add encapsulation header.
 400         *
 401         * On exit, the transport header will be set to the start of the
 402         * encapsulation header to be filled in by x->type->output and
 403         * the mac header will be set to the nextheader (protocol for
 404         * IPv4) field of the extension header directly preceding the
 405         * encapsulation header, or in its absence, that of the top IP
 406         * header.  The value of the network header will always point
 407         * to the top IP header while skb->data will point to the payload.
 408         */
 409        int (*output2)(struct xfrm_state *x,struct sk_buff *skb);
 410
 411        /*
 412         * This is the actual output entry point.
 413         *
 414         * For transport mode and equivalent this would be identical to
 415         * output2 (which does not need to be set).  While tunnel mode
 416         * and equivalent would set this to a tunnel encapsulation function
 417         * (xfrm4_prepare_output or xfrm6_prepare_output) that would in turn
 418         * call output2.
 419         */
 420        int (*output)(struct xfrm_state *x, struct sk_buff *skb);
 421
 422        struct xfrm_state_afinfo *afinfo;
 423        struct module *owner;
 424        unsigned int encap;
 425        int flags;
 426};
 427
 428/* Flags for xfrm_mode. */
 429enum {
 430        XFRM_MODE_FLAG_TUNNEL = 1,
 431};
 432
 433extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
 434extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
 435
 436static inline int xfrm_af2proto(unsigned int family)
 437{
 438        switch(family) {
 439        case AF_INET:
 440                return IPPROTO_IPIP;
 441        case AF_INET6:
 442                return IPPROTO_IPV6;
 443        default:
 444                return 0;
 445        }
 446}
 447
 448static inline struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
 449{
 450        if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
 451            (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
 452                return x->inner_mode;
 453        else
 454                return x->inner_mode_iaf;
 455}
 456
 457struct xfrm_tmpl {
 458/* id in template is interpreted as:
 459 * daddr - destination of tunnel, may be zero for transport mode.
 460 * spi   - zero to acquire spi. Not zero if spi is static, then
 461 *         daddr must be fixed too.
 462 * proto - AH/ESP/IPCOMP
 463 */
 464        struct xfrm_id          id;
 465
 466/* Source address of tunnel. Ignored, if it is not a tunnel. */
 467        xfrm_address_t          saddr;
 468
 469        unsigned short          encap_family;
 470
 471        u32                     reqid;
 472
 473/* Mode: transport, tunnel etc. */
 474        u8                      mode;
 475
 476/* Sharing mode: unique, this session only, this user only etc. */
 477        u8                      share;
 478
 479/* May skip this transfomration if no SA is found */
 480        u8                      optional;
 481
 482/* Skip aalgos/ealgos/calgos checks. */
 483        u8                      allalgs;
 484
 485/* Bit mask of algos allowed for acquisition */
 486        u32                     aalgos;
 487        u32                     ealgos;
 488        u32                     calgos;
 489};
 490
 491#define XFRM_MAX_DEPTH          6
 492
 493struct xfrm_policy_walk_entry {
 494        struct list_head        all;
 495        u8                      dead;
 496};
 497
 498struct xfrm_policy_walk {
 499        struct xfrm_policy_walk_entry walk;
 500        u8 type;
 501        u32 seq;
 502};
 503
 504struct xfrm_policy {
 505#ifdef CONFIG_NET_NS
 506        struct net              *xp_net;
 507#endif
 508        struct hlist_node       bydst;
 509        struct hlist_node       byidx;
 510
 511        /* This lock only affects elements except for entry. */
 512        rwlock_t                lock;
 513        atomic_t                refcnt;
 514        struct timer_list       timer;
 515
 516        struct flow_cache_object flo;
 517        atomic_t                genid;
 518        u32                     priority;
 519        u32                     index;
 520        struct xfrm_mark        mark;
 521        struct xfrm_selector    selector;
 522        struct xfrm_lifetime_cfg lft;
 523        struct xfrm_lifetime_cur curlft;
 524        struct xfrm_policy_walk_entry walk;
 525        u8                      type;
 526        u8                      action;
 527        u8                      flags;
 528        u8                      xfrm_nr;
 529        u16                     family;
 530        struct xfrm_sec_ctx     *security;
 531        struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
 532};
 533
 534static inline struct net *xp_net(const struct xfrm_policy *xp)
 535{
 536        return read_pnet(&xp->xp_net);
 537}
 538
 539struct xfrm_kmaddress {
 540        xfrm_address_t          local;
 541        xfrm_address_t          remote;
 542        u32                     reserved;
 543        u16                     family;
 544};
 545
 546struct xfrm_migrate {
 547        xfrm_address_t          old_daddr;
 548        xfrm_address_t          old_saddr;
 549        xfrm_address_t          new_daddr;
 550        xfrm_address_t          new_saddr;
 551        u8                      proto;
 552        u8                      mode;
 553        u16                     reserved;
 554        u32                     reqid;
 555        u16                     old_family;
 556        u16                     new_family;
 557};
 558
 559#define XFRM_KM_TIMEOUT                30
 560/* which seqno */
 561#define XFRM_REPLAY_SEQ         1
 562#define XFRM_REPLAY_OSEQ        2
 563#define XFRM_REPLAY_SEQ_MASK    3
 564/* what happened */
 565#define XFRM_REPLAY_UPDATE      XFRM_AE_CR
 566#define XFRM_REPLAY_TIMEOUT     XFRM_AE_CE
 567
 568/* default aevent timeout in units of 100ms */
 569#define XFRM_AE_ETIME                   10
 570/* Async Event timer multiplier */
 571#define XFRM_AE_ETH_M                   10
 572/* default seq threshold size */
 573#define XFRM_AE_SEQT_SIZE               2
 574
 575struct xfrm_mgr {
 576        struct list_head        list;
 577        char                    *id;
 578        int                     (*notify)(struct xfrm_state *x, const struct km_event *c);
 579        int                     (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
 580        struct xfrm_policy      *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
 581        int                     (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
 582        int                     (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
 583        int                     (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
 584        int                     (*migrate)(const struct xfrm_selector *sel,
 585                                           u8 dir, u8 type,
 586                                           const struct xfrm_migrate *m,
 587                                           int num_bundles,
 588                                           const struct xfrm_kmaddress *k);
 589};
 590
 591extern int xfrm_register_km(struct xfrm_mgr *km);
 592extern int xfrm_unregister_km(struct xfrm_mgr *km);
 593
 594/*
 595 * This structure is used for the duration where packets are being
 596 * transformed by IPsec.  As soon as the packet leaves IPsec the
 597 * area beyond the generic IP part may be overwritten.
 598 */
 599struct xfrm_skb_cb {
 600        union {
 601                struct inet_skb_parm h4;
 602                struct inet6_skb_parm h6;
 603        } header;
 604
 605        /* Sequence number for replay protection. */
 606        union {
 607                struct {
 608                        __u32 low;
 609                        __u32 hi;
 610                } output;
 611                struct {
 612                        __be32 low;
 613                        __be32 hi;
 614                } input;
 615        } seq;
 616};
 617
 618#define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
 619
 620/*
 621 * This structure is used by the afinfo prepare_input/prepare_output functions
 622 * to transmit header information to the mode input/output functions.
 623 */
 624struct xfrm_mode_skb_cb {
 625        union {
 626                struct inet_skb_parm h4;
 627                struct inet6_skb_parm h6;
 628        } header;
 629
 630        /* Copied from header for IPv4, always set to zero and DF for IPv6. */
 631        __be16 id;
 632        __be16 frag_off;
 633
 634        /* IP header length (excluding options or extension headers). */
 635        u8 ihl;
 636
 637        /* TOS for IPv4, class for IPv6. */
 638        u8 tos;
 639
 640        /* TTL for IPv4, hop limitfor IPv6. */
 641        u8 ttl;
 642
 643        /* Protocol for IPv4, NH for IPv6. */
 644        u8 protocol;
 645
 646        /* Option length for IPv4, zero for IPv6. */
 647        u8 optlen;
 648
 649        /* Used by IPv6 only, zero for IPv4. */
 650        u8 flow_lbl[3];
 651};
 652
 653#define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
 654
 655/*
 656 * This structure is used by the input processing to locate the SPI and
 657 * related information.
 658 */
 659struct xfrm_spi_skb_cb {
 660        union {
 661                struct inet_skb_parm h4;
 662                struct inet6_skb_parm h6;
 663        } header;
 664
 665        unsigned int daddroff;
 666        unsigned int family;
 667};
 668
 669#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
 670
 671/* Audit Information */
 672struct xfrm_audit {
 673        u32     secid;
 674        kuid_t  loginuid;
 675        u32     sessionid;
 676};
 677
 678#ifdef CONFIG_AUDITSYSCALL
 679static inline struct audit_buffer *xfrm_audit_start(const char *op)
 680{
 681        struct audit_buffer *audit_buf = NULL;
 682
 683        if (audit_enabled == 0)
 684                return NULL;
 685        audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
 686                                    AUDIT_MAC_IPSEC_EVENT);
 687        if (audit_buf == NULL)
 688                return NULL;
 689        audit_log_format(audit_buf, "op=%s", op);
 690        return audit_buf;
 691}
 692
 693static inline void xfrm_audit_helper_usrinfo(kuid_t auid, u32 ses, u32 secid,
 694                                             struct audit_buffer *audit_buf)
 695{
 696        char *secctx;
 697        u32 secctx_len;
 698
 699        audit_log_format(audit_buf, " auid=%u ses=%u",
 700                         from_kuid(&init_user_ns, auid), ses);
 701        if (secid != 0 &&
 702            security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
 703                audit_log_format(audit_buf, " subj=%s", secctx);
 704                security_release_secctx(secctx, secctx_len);
 705        } else
 706                audit_log_task_context(audit_buf);
 707}
 708
 709extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 710                                  kuid_t auid, u32 ses, u32 secid);
 711extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 712                                  kuid_t auid, u32 ses, u32 secid);
 713extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
 714                                 kuid_t auid, u32 ses, u32 secid);
 715extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 716                                    kuid_t auid, u32 ses, u32 secid);
 717extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 718                                             struct sk_buff *skb);
 719extern void xfrm_audit_state_replay(struct xfrm_state *x,
 720                                    struct sk_buff *skb, __be32 net_seq);
 721extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
 722extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 723                                      __be32 net_spi, __be32 net_seq);
 724extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
 725                                     struct sk_buff *skb, u8 proto);
 726#else
 727
 728static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 729                                  kuid_t auid, u32 ses, u32 secid)
 730{
 731}
 732
 733static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 734                                  kuid_t auid, u32 ses, u32 secid)
 735{
 736}
 737
 738static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
 739                                 kuid_t auid, u32 ses, u32 secid)
 740{
 741}
 742
 743static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 744                                    kuid_t auid, u32 ses, u32 secid)
 745{
 746}
 747
 748static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 749                                             struct sk_buff *skb)
 750{
 751}
 752
 753static inline void xfrm_audit_state_replay(struct xfrm_state *x,
 754                                           struct sk_buff *skb, __be32 net_seq)
 755{
 756}
 757
 758static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
 759                                      u16 family)
 760{
 761}
 762
 763static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 764                                      __be32 net_spi, __be32 net_seq)
 765{
 766}
 767
 768static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
 769                                     struct sk_buff *skb, u8 proto)
 770{
 771}
 772#endif /* CONFIG_AUDITSYSCALL */
 773
 774static inline void xfrm_pol_hold(struct xfrm_policy *policy)
 775{
 776        if (likely(policy != NULL))
 777                atomic_inc(&policy->refcnt);
 778}
 779
 780extern void xfrm_policy_destroy(struct xfrm_policy *policy);
 781
 782static inline void xfrm_pol_put(struct xfrm_policy *policy)
 783{
 784        if (atomic_dec_and_test(&policy->refcnt))
 785                xfrm_policy_destroy(policy);
 786}
 787
 788static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
 789{
 790        int i;
 791        for (i = npols - 1; i >= 0; --i)
 792                xfrm_pol_put(pols[i]);
 793}
 794
 795extern void __xfrm_state_destroy(struct xfrm_state *);
 796
 797static inline void __xfrm_state_put(struct xfrm_state *x)
 798{
 799        atomic_dec(&x->refcnt);
 800}
 801
 802static inline void xfrm_state_put(struct xfrm_state *x)
 803{
 804        if (atomic_dec_and_test(&x->refcnt))
 805                __xfrm_state_destroy(x);
 806}
 807
 808static inline void xfrm_state_hold(struct xfrm_state *x)
 809{
 810        atomic_inc(&x->refcnt);
 811}
 812
 813static inline bool addr_match(const void *token1, const void *token2,
 814                              int prefixlen)
 815{
 816        const __be32 *a1 = token1;
 817        const __be32 *a2 = token2;
 818        int pdw;
 819        int pbi;
 820
 821        pdw = prefixlen >> 5;     /* num of whole u32 in prefix */
 822        pbi = prefixlen &  0x1f;  /* num of bits in incomplete u32 in prefix */
 823
 824        if (pdw)
 825                if (memcmp(a1, a2, pdw << 2))
 826                        return false;
 827
 828        if (pbi) {
 829                __be32 mask;
 830
 831                mask = htonl((0xffffffff) << (32 - pbi));
 832
 833                if ((a1[pdw] ^ a2[pdw]) & mask)
 834                        return false;
 835        }
 836
 837        return true;
 838}
 839
 840static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
 841{
 842        /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
 843        if (prefixlen == 0)
 844                return true;
 845        return !((a1 ^ a2) & htonl(0xFFFFFFFFu << (32 - prefixlen)));
 846}
 847
 848static __inline__
 849__be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
 850{
 851        __be16 port;
 852        switch(fl->flowi_proto) {
 853        case IPPROTO_TCP:
 854        case IPPROTO_UDP:
 855        case IPPROTO_UDPLITE:
 856        case IPPROTO_SCTP:
 857                port = uli->ports.sport;
 858                break;
 859        case IPPROTO_ICMP:
 860        case IPPROTO_ICMPV6:
 861                port = htons(uli->icmpt.type);
 862                break;
 863        case IPPROTO_MH:
 864                port = htons(uli->mht.type);
 865                break;
 866        case IPPROTO_GRE:
 867                port = htons(ntohl(uli->gre_key) >> 16);
 868                break;
 869        default:
 870                port = 0;       /*XXX*/
 871        }
 872        return port;
 873}
 874
 875static __inline__
 876__be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
 877{
 878        __be16 port;
 879        switch(fl->flowi_proto) {
 880        case IPPROTO_TCP:
 881        case IPPROTO_UDP:
 882        case IPPROTO_UDPLITE:
 883        case IPPROTO_SCTP:
 884                port = uli->ports.dport;
 885                break;
 886        case IPPROTO_ICMP:
 887        case IPPROTO_ICMPV6:
 888                port = htons(uli->icmpt.code);
 889                break;
 890        case IPPROTO_GRE:
 891                port = htons(ntohl(uli->gre_key) & 0xffff);
 892                break;
 893        default:
 894                port = 0;       /*XXX*/
 895        }
 896        return port;
 897}
 898
 899extern bool xfrm_selector_match(const struct xfrm_selector *sel,
 900                                const struct flowi *fl,
 901                                unsigned short family);
 902
 903#ifdef CONFIG_SECURITY_NETWORK_XFRM
 904/*      If neither has a context --> match
 905 *      Otherwise, both must have a context and the sids, doi, alg must match
 906 */
 907static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 908{
 909        return ((!s1 && !s2) ||
 910                (s1 && s2 &&
 911                 (s1->ctx_sid == s2->ctx_sid) &&
 912                 (s1->ctx_doi == s2->ctx_doi) &&
 913                 (s1->ctx_alg == s2->ctx_alg)));
 914}
 915#else
 916static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 917{
 918        return true;
 919}
 920#endif
 921
 922/* A struct encoding bundle of transformations to apply to some set of flow.
 923 *
 924 * dst->child points to the next element of bundle.
 925 * dst->xfrm  points to an instanse of transformer.
 926 *
 927 * Due to unfortunate limitations of current routing cache, which we
 928 * have no time to fix, it mirrors struct rtable and bound to the same
 929 * routing key, including saddr,daddr. However, we can have many of
 930 * bundles differing by session id. All the bundles grow from a parent
 931 * policy rule.
 932 */
 933struct xfrm_dst {
 934        union {
 935                struct dst_entry        dst;
 936                struct rtable           rt;
 937                struct rt6_info         rt6;
 938        } u;
 939        struct dst_entry *route;
 940        struct flow_cache_object flo;
 941        struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
 942        int num_pols, num_xfrms;
 943#ifdef CONFIG_XFRM_SUB_POLICY
 944        struct flowi *origin;
 945        struct xfrm_selector *partner;
 946#endif
 947        u32 xfrm_genid;
 948        u32 policy_genid;
 949        u32 route_mtu_cached;
 950        u32 child_mtu_cached;
 951        u32 route_cookie;
 952        u32 path_cookie;
 953};
 954
 955#ifdef CONFIG_XFRM
 956static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
 957{
 958        xfrm_pols_put(xdst->pols, xdst->num_pols);
 959        dst_release(xdst->route);
 960        if (likely(xdst->u.dst.xfrm))
 961                xfrm_state_put(xdst->u.dst.xfrm);
 962#ifdef CONFIG_XFRM_SUB_POLICY
 963        kfree(xdst->origin);
 964        xdst->origin = NULL;
 965        kfree(xdst->partner);
 966        xdst->partner = NULL;
 967#endif
 968}
 969#endif
 970
 971extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
 972
 973struct sec_path {
 974        atomic_t                refcnt;
 975        int                     len;
 976        struct xfrm_state       *xvec[XFRM_MAX_DEPTH];
 977};
 978
 979static inline int secpath_exists(struct sk_buff *skb)
 980{
 981#ifdef CONFIG_XFRM
 982        return skb->sp != NULL;
 983#else
 984        return 0;
 985#endif
 986}
 987
 988static inline struct sec_path *
 989secpath_get(struct sec_path *sp)
 990{
 991        if (sp)
 992                atomic_inc(&sp->refcnt);
 993        return sp;
 994}
 995
 996extern void __secpath_destroy(struct sec_path *sp);
 997
 998static inline void
 999secpath_put(struct sec_path *sp)
1000{
1001        if (sp && atomic_dec_and_test(&sp->refcnt))
1002                __secpath_destroy(sp);
1003}
1004
1005extern struct sec_path *secpath_dup(struct sec_path *src);
1006
1007static inline void
1008secpath_reset(struct sk_buff *skb)
1009{
1010#ifdef CONFIG_XFRM
1011        secpath_put(skb->sp);
1012        skb->sp = NULL;
1013#endif
1014}
1015
1016static inline int
1017xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1018{
1019        switch (family) {
1020        case AF_INET:
1021                return addr->a4 == 0;
1022        case AF_INET6:
1023                return ipv6_addr_any((struct in6_addr *)&addr->a6);
1024        }
1025        return 0;
1026}
1027
1028static inline int
1029__xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1030{
1031        return  (tmpl->saddr.a4 &&
1032                 tmpl->saddr.a4 != x->props.saddr.a4);
1033}
1034
1035static inline int
1036__xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1037{
1038        return  (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1039                 ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1040}
1041
1042static inline int
1043xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1044{
1045        switch (family) {
1046        case AF_INET:
1047                return __xfrm4_state_addr_cmp(tmpl, x);
1048        case AF_INET6:
1049                return __xfrm6_state_addr_cmp(tmpl, x);
1050        }
1051        return !0;
1052}
1053
1054#ifdef CONFIG_XFRM
1055extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
1056
1057static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1058                                       struct sk_buff *skb,
1059                                       unsigned int family, int reverse)
1060{
1061        struct net *net = dev_net(skb->dev);
1062        int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1063
1064        if (sk && sk->sk_policy[XFRM_POLICY_IN])
1065                return __xfrm_policy_check(sk, ndir, skb, family);
1066
1067        return  (!net->xfrm.policy_count[dir] && !skb->sp) ||
1068                (skb_dst(skb)->flags & DST_NOPOLICY) ||
1069                __xfrm_policy_check(sk, ndir, skb, family);
1070}
1071
1072static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1073{
1074        return __xfrm_policy_check2(sk, dir, skb, family, 0);
1075}
1076
1077static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1078{
1079        return xfrm_policy_check(sk, dir, skb, AF_INET);
1080}
1081
1082static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1083{
1084        return xfrm_policy_check(sk, dir, skb, AF_INET6);
1085}
1086
1087static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1088                                             struct sk_buff *skb)
1089{
1090        return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1091}
1092
1093static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1094                                             struct sk_buff *skb)
1095{
1096        return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1097}
1098
1099extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1100                                 unsigned int family, int reverse);
1101
1102static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1103                                      unsigned int family)
1104{
1105        return __xfrm_decode_session(skb, fl, family, 0);
1106}
1107
1108static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1109                                              struct flowi *fl,
1110                                              unsigned int family)
1111{
1112        return __xfrm_decode_session(skb, fl, family, 1);
1113}
1114
1115extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1116
1117static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1118{
1119        struct net *net = dev_net(skb->dev);
1120
1121        return  !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
1122                (skb_dst(skb)->flags & DST_NOXFRM) ||
1123                __xfrm_route_forward(skb, family);
1124}
1125
1126static inline int xfrm4_route_forward(struct sk_buff *skb)
1127{
1128        return xfrm_route_forward(skb, AF_INET);
1129}
1130
1131static inline int xfrm6_route_forward(struct sk_buff *skb)
1132{
1133        return xfrm_route_forward(skb, AF_INET6);
1134}
1135
1136extern int __xfrm_sk_clone_policy(struct sock *sk);
1137
1138static inline int xfrm_sk_clone_policy(struct sock *sk)
1139{
1140        if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
1141                return __xfrm_sk_clone_policy(sk);
1142        return 0;
1143}
1144
1145extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1146
1147static inline void xfrm_sk_free_policy(struct sock *sk)
1148{
1149        if (unlikely(sk->sk_policy[0] != NULL)) {
1150                xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
1151                sk->sk_policy[0] = NULL;
1152        }
1153        if (unlikely(sk->sk_policy[1] != NULL)) {
1154                xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
1155                sk->sk_policy[1] = NULL;
1156        }
1157}
1158
1159#else
1160
1161static inline void xfrm_sk_free_policy(struct sock *sk) {}
1162static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
1163static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }  
1164static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; } 
1165static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1166{ 
1167        return 1; 
1168} 
1169static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1170{
1171        return 1;
1172}
1173static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1174{
1175        return 1;
1176}
1177static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1178                                              struct flowi *fl,
1179                                              unsigned int family)
1180{
1181        return -ENOSYS;
1182}
1183static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1184                                             struct sk_buff *skb)
1185{
1186        return 1;
1187}
1188static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1189                                             struct sk_buff *skb)
1190{
1191        return 1;
1192}
1193#endif
1194
1195static __inline__
1196xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1197{
1198        switch (family){
1199        case AF_INET:
1200                return (xfrm_address_t *)&fl->u.ip4.daddr;
1201        case AF_INET6:
1202                return (xfrm_address_t *)&fl->u.ip6.daddr;
1203        }
1204        return NULL;
1205}
1206
1207static __inline__
1208xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1209{
1210        switch (family){
1211        case AF_INET:
1212                return (xfrm_address_t *)&fl->u.ip4.saddr;
1213        case AF_INET6:
1214                return (xfrm_address_t *)&fl->u.ip6.saddr;
1215        }
1216        return NULL;
1217}
1218
1219static __inline__
1220void xfrm_flowi_addr_get(const struct flowi *fl,
1221                         xfrm_address_t *saddr, xfrm_address_t *daddr,
1222                         unsigned short family)
1223{
1224        switch(family) {
1225        case AF_INET:
1226                memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1227                memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1228                break;
1229        case AF_INET6:
1230                *(struct in6_addr *)saddr->a6 = fl->u.ip6.saddr;
1231                *(struct in6_addr *)daddr->a6 = fl->u.ip6.daddr;
1232                break;
1233        }
1234}
1235
1236static __inline__ int
1237__xfrm4_state_addr_check(const struct xfrm_state *x,
1238                         const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1239{
1240        if (daddr->a4 == x->id.daddr.a4 &&
1241            (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1242                return 1;
1243        return 0;
1244}
1245
1246static __inline__ int
1247__xfrm6_state_addr_check(const struct xfrm_state *x,
1248                         const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1249{
1250        if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1251            (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)|| 
1252             ipv6_addr_any((struct in6_addr *)saddr) || 
1253             ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1254                return 1;
1255        return 0;
1256}
1257
1258static __inline__ int
1259xfrm_state_addr_check(const struct xfrm_state *x,
1260                      const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1261                      unsigned short family)
1262{
1263        switch (family) {
1264        case AF_INET:
1265                return __xfrm4_state_addr_check(x, daddr, saddr);
1266        case AF_INET6:
1267                return __xfrm6_state_addr_check(x, daddr, saddr);
1268        }
1269        return 0;
1270}
1271
1272static __inline__ int
1273xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1274                           unsigned short family)
1275{
1276        switch (family) {
1277        case AF_INET:
1278                return __xfrm4_state_addr_check(x,
1279                                                (const xfrm_address_t *)&fl->u.ip4.daddr,
1280                                                (const xfrm_address_t *)&fl->u.ip4.saddr);
1281        case AF_INET6:
1282                return __xfrm6_state_addr_check(x,
1283                                                (const xfrm_address_t *)&fl->u.ip6.daddr,
1284                                                (const xfrm_address_t *)&fl->u.ip6.saddr);
1285        }
1286        return 0;
1287}
1288
1289static inline int xfrm_state_kern(const struct xfrm_state *x)
1290{
1291        return atomic_read(&x->tunnel_users);
1292}
1293
1294static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1295{
1296        return (!userproto || proto == userproto ||
1297                (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1298                                                  proto == IPPROTO_ESP ||
1299                                                  proto == IPPROTO_COMP)));
1300}
1301
1302/*
1303 * xfrm algorithm information
1304 */
1305struct xfrm_algo_aead_info {
1306        u16 icv_truncbits;
1307};
1308
1309struct xfrm_algo_auth_info {
1310        u16 icv_truncbits;
1311        u16 icv_fullbits;
1312};
1313
1314struct xfrm_algo_encr_info {
1315        u16 blockbits;
1316        u16 defkeybits;
1317};
1318
1319struct xfrm_algo_comp_info {
1320        u16 threshold;
1321};
1322
1323struct xfrm_algo_desc {
1324        char *name;
1325        char *compat;
1326        u8 available:1;
1327        union {
1328                struct xfrm_algo_aead_info aead;
1329                struct xfrm_algo_auth_info auth;
1330                struct xfrm_algo_encr_info encr;
1331                struct xfrm_algo_comp_info comp;
1332        } uinfo;
1333        struct sadb_alg desc;
1334};
1335
1336/* XFRM tunnel handlers.  */
1337struct xfrm_tunnel {
1338        int (*handler)(struct sk_buff *skb);
1339        int (*err_handler)(struct sk_buff *skb, u32 info);
1340
1341        struct xfrm_tunnel __rcu *next;
1342        int priority;
1343};
1344
1345struct xfrm6_tunnel {
1346        int (*handler)(struct sk_buff *skb);
1347        int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1348                           u8 type, u8 code, int offset, __be32 info);
1349        struct xfrm6_tunnel __rcu *next;
1350        int priority;
1351};
1352
1353extern void xfrm_init(void);
1354extern void xfrm4_init(void);
1355extern int xfrm_state_init(struct net *net);
1356extern void xfrm_state_fini(struct net *net);
1357extern void xfrm4_state_init(void);
1358#ifdef CONFIG_XFRM
1359extern int xfrm6_init(void);
1360extern void xfrm6_fini(void);
1361extern int xfrm6_state_init(void);
1362extern void xfrm6_state_fini(void);
1363#else
1364static inline int xfrm6_init(void)
1365{
1366        return 0;
1367}
1368static inline void xfrm6_fini(void)
1369{
1370        ;
1371}
1372#endif
1373
1374#ifdef CONFIG_XFRM_STATISTICS
1375extern int xfrm_proc_init(struct net *net);
1376extern void xfrm_proc_fini(struct net *net);
1377#endif
1378
1379extern int xfrm_sysctl_init(struct net *net);
1380#ifdef CONFIG_SYSCTL
1381extern void xfrm_sysctl_fini(struct net *net);
1382#else
1383static inline void xfrm_sysctl_fini(struct net *net)
1384{
1385}
1386#endif
1387
1388extern void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto);
1389extern int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1390                           int (*func)(struct xfrm_state *, int, void*), void *);
1391extern void xfrm_state_walk_done(struct xfrm_state_walk *walk);
1392extern struct xfrm_state *xfrm_state_alloc(struct net *net);
1393extern struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1394                                          const xfrm_address_t *saddr,
1395                                          const struct flowi *fl,
1396                                          struct xfrm_tmpl *tmpl,
1397                                          struct xfrm_policy *pol, int *err,
1398                                          unsigned short family);
1399extern struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark,
1400                                               xfrm_address_t *daddr,
1401                                               xfrm_address_t *saddr,
1402                                               unsigned short family,
1403                                               u8 mode, u8 proto, u32 reqid);
1404extern int xfrm_state_check_expire(struct xfrm_state *x);
1405extern void xfrm_state_insert(struct xfrm_state *x);
1406extern int xfrm_state_add(struct xfrm_state *x);
1407extern int xfrm_state_update(struct xfrm_state *x);
1408extern struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1409                                            const xfrm_address_t *daddr, __be32 spi,
1410                                            u8 proto, unsigned short family);
1411extern struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1412                                                   const xfrm_address_t *daddr,
1413                                                   const xfrm_address_t *saddr,
1414                                                   u8 proto,
1415                                                   unsigned short family);
1416#ifdef CONFIG_XFRM_SUB_POLICY
1417extern int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1418                          int n, unsigned short family);
1419extern int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1420                           int n, unsigned short family);
1421#else
1422static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1423                                 int n, unsigned short family)
1424{
1425        return -ENOSYS;
1426}
1427
1428static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1429                                  int n, unsigned short family)
1430{
1431        return -ENOSYS;
1432}
1433#endif
1434
1435struct xfrmk_sadinfo {
1436        u32 sadhcnt; /* current hash bkts */
1437        u32 sadhmcnt; /* max allowed hash bkts */
1438        u32 sadcnt; /* current running count */
1439};
1440
1441struct xfrmk_spdinfo {
1442        u32 incnt;
1443        u32 outcnt;
1444        u32 fwdcnt;
1445        u32 inscnt;
1446        u32 outscnt;
1447        u32 fwdscnt;
1448        u32 spdhcnt;
1449        u32 spdhmcnt;
1450};
1451
1452extern struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark,
1453                                              u32 seq);
1454extern int xfrm_state_delete(struct xfrm_state *x);
1455extern int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info);
1456extern void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1457extern void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1458extern u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1459extern int xfrm_init_replay(struct xfrm_state *x);
1460extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
1461extern int __xfrm_init_state(struct xfrm_state *x, bool init_replay);
1462extern int xfrm_init_state(struct xfrm_state *x);
1463extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
1464extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi,
1465                      int encap_type);
1466extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1467extern int xfrm_output_resume(struct sk_buff *skb, int err);
1468extern int xfrm_output(struct sk_buff *skb);
1469extern int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1470extern int xfrm4_extract_header(struct sk_buff *skb);
1471extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1472extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1473                           int encap_type);
1474extern int xfrm4_transport_finish(struct sk_buff *skb, int async);
1475extern int xfrm4_rcv(struct sk_buff *skb);
1476
1477static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1478{
1479        return xfrm4_rcv_encap(skb, nexthdr, spi, 0);
1480}
1481
1482extern int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1483extern int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1484extern int xfrm4_output(struct sk_buff *skb);
1485extern int xfrm4_output_finish(struct sk_buff *skb);
1486extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1487extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1488extern int xfrm4_mode_tunnel_input_register(struct xfrm_tunnel *handler);
1489extern int xfrm4_mode_tunnel_input_deregister(struct xfrm_tunnel *handler);
1490extern int xfrm6_extract_header(struct sk_buff *skb);
1491extern int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1492extern int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
1493extern int xfrm6_transport_finish(struct sk_buff *skb, int async);
1494extern int xfrm6_rcv(struct sk_buff *skb);
1495extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1496                            xfrm_address_t *saddr, u8 proto);
1497extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1498extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1499extern __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1500extern __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1501extern int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1502extern int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1503extern int xfrm6_output(struct sk_buff *skb);
1504extern int xfrm6_output_finish(struct sk_buff *skb);
1505extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1506                                 u8 **prevhdr);
1507
1508#ifdef CONFIG_XFRM
1509extern int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1510extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
1511#else
1512static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1513{
1514        return -ENOPROTOOPT;
1515} 
1516
1517static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1518{
1519        /* should not happen */
1520        kfree_skb(skb);
1521        return 0;
1522}
1523#endif
1524
1525struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1526
1527extern void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1528extern int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1529        int (*func)(struct xfrm_policy *, int, int, void*), void *);
1530extern void xfrm_policy_walk_done(struct xfrm_policy_walk *walk);
1531int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1532struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark,
1533                                          u8 type, int dir,
1534                                          struct xfrm_selector *sel,
1535                                          struct xfrm_sec_ctx *ctx, int delete,
1536                                          int *err);
1537struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8, int dir, u32 id, int delete, int *err);
1538int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info);
1539u32 xfrm_get_acqseq(void);
1540extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1541struct xfrm_state *xfrm_find_acq(struct net *net, struct xfrm_mark *mark,
1542                                 u8 mode, u32 reqid, u8 proto,
1543                                 const xfrm_address_t *daddr,
1544                                 const xfrm_address_t *saddr, int create,
1545                                 unsigned short family);
1546extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1547
1548#ifdef CONFIG_XFRM_MIGRATE
1549extern int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1550                      const struct xfrm_migrate *m, int num_bundles,
1551                      const struct xfrm_kmaddress *k);
1552extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m);
1553extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1554                                              struct xfrm_migrate *m);
1555extern int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1556                        struct xfrm_migrate *m, int num_bundles,
1557                        struct xfrm_kmaddress *k);
1558#endif
1559
1560extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1561extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1562extern int km_report(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
1563
1564extern void xfrm_input_init(void);
1565extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1566
1567extern void xfrm_probe_algs(void);
1568extern int xfrm_count_auth_supported(void);
1569extern int xfrm_count_enc_supported(void);
1570extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1571extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1572extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1573extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1574extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1575extern struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1576extern struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1577extern struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1578extern struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1579                                                   int probe);
1580
1581static inline int xfrm_addr_cmp(const xfrm_address_t *a,
1582                                const xfrm_address_t *b,
1583                                int family)
1584{
1585        switch (family) {
1586        default:
1587        case AF_INET:
1588                return (__force u32)a->a4 - (__force u32)b->a4;
1589        case AF_INET6:
1590                return ipv6_addr_cmp((const struct in6_addr *)a,
1591                                     (const struct in6_addr *)b);
1592        }
1593}
1594
1595static inline int xfrm_policy_id2dir(u32 index)
1596{
1597        return index & 7;
1598}
1599
1600#ifdef CONFIG_XFRM
1601static inline int xfrm_aevent_is_on(struct net *net)
1602{
1603        struct sock *nlsk;
1604        int ret = 0;
1605
1606        rcu_read_lock();
1607        nlsk = rcu_dereference(net->xfrm.nlsk);
1608        if (nlsk)
1609                ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1610        rcu_read_unlock();
1611        return ret;
1612}
1613#endif
1614
1615static inline int xfrm_alg_len(const struct xfrm_algo *alg)
1616{
1617        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1618}
1619
1620static inline int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1621{
1622        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1623}
1624
1625static inline int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1626{
1627        return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1628}
1629
1630#ifdef CONFIG_XFRM_MIGRATE
1631static inline int xfrm_replay_clone(struct xfrm_state *x,
1632                                     struct xfrm_state *orig)
1633{
1634        x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn),
1635                                GFP_KERNEL);
1636        if (!x->replay_esn)
1637                return -ENOMEM;
1638
1639        x->replay_esn->bmp_len = orig->replay_esn->bmp_len;
1640        x->replay_esn->replay_window = orig->replay_esn->replay_window;
1641
1642        x->preplay_esn = kmemdup(x->replay_esn,
1643                                 xfrm_replay_state_esn_len(x->replay_esn),
1644                                 GFP_KERNEL);
1645        if (!x->preplay_esn) {
1646                kfree(x->replay_esn);
1647                return -ENOMEM;
1648        }
1649
1650        return 0;
1651}
1652
1653static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1654{
1655        return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1656}
1657
1658static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1659{
1660        return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1661}
1662
1663static inline void xfrm_states_put(struct xfrm_state **states, int n)
1664{
1665        int i;
1666        for (i = 0; i < n; i++)
1667                xfrm_state_put(*(states + i));
1668}
1669
1670static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1671{
1672        int i;
1673        for (i = 0; i < n; i++)
1674                xfrm_state_delete(*(states + i));
1675}
1676#endif
1677
1678#ifdef CONFIG_XFRM
1679static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1680{
1681        return skb->sp->xvec[skb->sp->len - 1];
1682}
1683#endif
1684
1685static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
1686{
1687        if (attrs[XFRMA_MARK])
1688                memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
1689        else
1690                m->v = m->m = 0;
1691
1692        return m->v & m->m;
1693}
1694
1695static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
1696{
1697        int ret = 0;
1698
1699        if (m->m | m->v)
1700                ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
1701        return ret;
1702}
1703
1704#endif  /* _NET_XFRM_H */
1705