LXR linux/include/net/xfrm.h

   1#ifndef _NET_XFRM_H
   2#define _NET_XFRM_H
   3
   4#include <linux/compiler.h>
   5#include <linux/xfrm.h>
   6#include <linux/spinlock.h>
   7#include <linux/list.h>
   8#include <linux/skbuff.h>
   9#include <linux/socket.h>
  10#include <linux/pfkeyv2.h>
  11#include <linux/ipsec.h>
  12#include <linux/in6.h>
  13#include <linux/mutex.h>
  14#include <linux/audit.h>
  15#include <linux/slab.h>
  16
  17#include <net/sock.h>
  18#include <net/dst.h>
  19#include <net/ip.h>
  20#include <net/route.h>
  21#include <net/ipv6.h>
  22#include <net/ip6_fib.h>
  23#include <net/flow.h>
  24
  25#include <linux/interrupt.h>
  26
  27#ifdef CONFIG_XFRM_STATISTICS
  28#include <net/snmp.h>
  29#endif
  30
  31#define XFRM_PROTO_ESP          50
  32#define XFRM_PROTO_AH           51
  33#define XFRM_PROTO_COMP         108
  34#define XFRM_PROTO_IPIP         4
  35#define XFRM_PROTO_IPV6         41
  36#define XFRM_PROTO_ROUTING      IPPROTO_ROUTING
  37#define XFRM_PROTO_DSTOPTS      IPPROTO_DSTOPTS
  38
  39#define XFRM_ALIGN4(len)        (((len) + 3) & ~3)
  40#define XFRM_ALIGN8(len)        (((len) + 7) & ~7)
  41#define MODULE_ALIAS_XFRM_MODE(family, encap) \
  42        MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
  43#define MODULE_ALIAS_XFRM_TYPE(family, proto) \
  44        MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
  45
  46#ifdef CONFIG_XFRM_STATISTICS
  47#define XFRM_INC_STATS(net, field)      SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
  48#define XFRM_INC_STATS_BH(net, field)   SNMP_INC_STATS_BH((net)->mib.xfrm_statistics, field)
  49#define XFRM_INC_STATS_USER(net, field) SNMP_INC_STATS_USER((net)-mib.xfrm_statistics, field)
  50#else
  51#define XFRM_INC_STATS(net, field)      ((void)(net))
  52#define XFRM_INC_STATS_BH(net, field)   ((void)(net))
  53#define XFRM_INC_STATS_USER(net, field) ((void)(net))
  54#endif
  55
  56
  57/* Organization of SPD aka "XFRM rules"
  58   ------------------------------------
  59
  60   Basic objects:
  61   - policy rule, struct xfrm_policy (=SPD entry)
  62   - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
  63   - instance of a transformer, struct xfrm_state (=SA)
  64   - template to clone xfrm_state, struct xfrm_tmpl
  65
  66   SPD is plain linear list of xfrm_policy rules, ordered by priority.
  67   (To be compatible with existing pfkeyv2 implementations,
  68   many rules with priority of 0x7fffffff are allowed to exist and
  69   such rules are ordered in an unpredictable way, thanks to bsd folks.)
  70
  71   Lookup is plain linear search until the first match with selector.
  72
  73   If "action" is "block", then we prohibit the flow, otherwise:
  74   if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
  75   policy entry has list of up to XFRM_MAX_DEPTH transformations,
  76   described by templates xfrm_tmpl. Each template is resolved
  77   to a complete xfrm_state (see below) and we pack bundle of transformations
  78   to a dst_entry returned to requestor.
  79
  80   dst -. xfrm  .-> xfrm_state #1
  81    |---. child .-> dst -. xfrm .-> xfrm_state #2
  82                     |---. child .-> dst -. xfrm .-> xfrm_state #3
  83                                      |---. child .-> NULL
  84
  85   Bundles are cached at xrfm_policy struct (field ->bundles).
  86
  87
  88   Resolution of xrfm_tmpl
  89   -----------------------
  90   Template contains:
  91   1. ->mode            Mode: transport or tunnel
  92   2. ->id.proto        Protocol: AH/ESP/IPCOMP
  93   3. ->id.daddr        Remote tunnel endpoint, ignored for transport mode.
  94      Q: allow to resolve security gateway?
  95   4. ->id.spi          If not zero, static SPI.
  96   5. ->saddr           Local tunnel endpoint, ignored for transport mode.
  97   6. ->algos           List of allowed algos. Plain bitmask now.
  98      Q: ealgos, aalgos, calgos. What a mess...
  99   7. ->share           Sharing mode.
 100      Q: how to implement private sharing mode? To add struct sock* to
 101      flow id?
 102
 103   Having this template we search through SAD searching for entries
 104   with appropriate mode/proto/algo, permitted by selector.
 105   If no appropriate entry found, it is requested from key manager.
 106
 107   PROBLEMS:
 108   Q: How to find all the bundles referring to a physical path for
 109      PMTU discovery? Seems, dst should contain list of all parents...
 110      and enter to infinite locking hierarchy disaster.
 111      No! It is easier, we will not search for them, let them find us.
 112      We add genid to each dst plus pointer to genid of raw IP route,
 113      pmtu disc will update pmtu on raw IP route and increase its genid.
 114      dst_check() will see this for top level and trigger resyncing
 115      metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
 116 */
 117
 118struct xfrm_state_walk {
 119        struct list_head        all;
 120        u8                      state;
 121        u8                      dying;
 122        u8                      proto;
 123        u32                     seq;
 124        struct xfrm_address_filter *filter;
 125};
 126
 127/* Full description of state of transformer. */
 128struct xfrm_state {
 129        possible_net_t          xs_net;
 130        union {
 131                struct hlist_node       gclist;
 132                struct hlist_node       bydst;
 133        };
 134        struct hlist_node       bysrc;
 135        struct hlist_node       byspi;
 136
 137        atomic_t                refcnt;
 138        spinlock_t              lock;
 139
 140        struct xfrm_id          id;
 141        struct xfrm_selector    sel;
 142        struct xfrm_mark        mark;
 143        u32                     tfcpad;
 144
 145        u32                     genid;
 146
 147        /* Key manager bits */
 148        struct xfrm_state_walk  km;
 149
 150        /* Parameters of this state. */
 151        struct {
 152                u32             reqid;
 153                u8              mode;
 154                u8              replay_window;
 155                u8              aalgo, ealgo, calgo;
 156                u8              flags;
 157                u16             family;
 158                xfrm_address_t  saddr;
 159                int             header_len;
 160                int             trailer_len;
 161                u32             extra_flags;
 162        } props;
 163
 164        struct xfrm_lifetime_cfg lft;
 165
 166        /* Data for transformer */
 167        struct xfrm_algo_auth   *aalg;
 168        struct xfrm_algo        *ealg;
 169        struct xfrm_algo        *calg;
 170        struct xfrm_algo_aead   *aead;
 171        const char              *geniv;
 172
 173        /* Data for encapsulator */
 174        struct xfrm_encap_tmpl  *encap;
 175
 176        /* Data for care-of address */
 177        xfrm_address_t  *coaddr;
 178
 179        /* IPComp needs an IPIP tunnel for handling uncompressed packets */
 180        struct xfrm_state       *tunnel;
 181
 182        /* If a tunnel, number of users + 1 */
 183        atomic_t                tunnel_users;
 184
 185        /* State for replay detection */
 186        struct xfrm_replay_state replay;
 187        struct xfrm_replay_state_esn *replay_esn;
 188
 189        /* Replay detection state at the time we sent the last notification */
 190        struct xfrm_replay_state preplay;
 191        struct xfrm_replay_state_esn *preplay_esn;
 192
 193        /* The functions for replay detection. */
 194        struct xfrm_replay      *repl;
 195
 196        /* internal flag that only holds state for delayed aevent at the
 197         * moment
 198        */
 199        u32                     xflags;
 200
 201        /* Replay detection notification settings */
 202        u32                     replay_maxage;
 203        u32                     replay_maxdiff;
 204
 205        /* Replay detection notification timer */
 206        struct timer_list       rtimer;
 207
 208        /* Statistics */
 209        struct xfrm_stats       stats;
 210
 211        struct xfrm_lifetime_cur curlft;
 212        struct tasklet_hrtimer  mtimer;
 213
 214        /* used to fix curlft->add_time when changing date */
 215        long            saved_tmo;
 216
 217        /* Last used time */
 218        unsigned long           lastused;
 219
 220        /* Reference to data common to all the instances of this
 221         * transformer. */
 222        const struct xfrm_type  *type;
 223        struct xfrm_mode        *inner_mode;
 224        struct xfrm_mode        *inner_mode_iaf;
 225        struct xfrm_mode        *outer_mode;
 226
 227        /* Security context */
 228        struct xfrm_sec_ctx     *security;
 229
 230        /* Private data of this transformer, format is opaque,
 231         * interpreted by xfrm_type methods. */
 232        void                    *data;
 233};
 234
 235static inline struct net *xs_net(struct xfrm_state *x)
 236{
 237        return read_pnet(&x->xs_net);
 238}
 239
 240/* xflags - make enum if more show up */
 241#define XFRM_TIME_DEFER 1
 242#define XFRM_SOFT_EXPIRE 2
 243
 244enum {
 245        XFRM_STATE_VOID,
 246        XFRM_STATE_ACQ,
 247        XFRM_STATE_VALID,
 248        XFRM_STATE_ERROR,
 249        XFRM_STATE_EXPIRED,
 250        XFRM_STATE_DEAD
 251};
 252
 253/* callback structure passed from either netlink or pfkey */
 254struct km_event {
 255        union {
 256                u32 hard;
 257                u32 proto;
 258                u32 byid;
 259                u32 aevent;
 260                u32 type;
 261        } data;
 262
 263        u32     seq;
 264        u32     portid;
 265        u32     event;
 266        struct net *net;
 267};
 268
 269struct xfrm_replay {
 270        void    (*advance)(struct xfrm_state *x, __be32 net_seq);
 271        int     (*check)(struct xfrm_state *x,
 272                         struct sk_buff *skb,
 273                         __be32 net_seq);
 274        int     (*recheck)(struct xfrm_state *x,
 275                           struct sk_buff *skb,
 276                           __be32 net_seq);
 277        void    (*notify)(struct xfrm_state *x, int event);
 278        int     (*overflow)(struct xfrm_state *x, struct sk_buff *skb);
 279};
 280
 281struct net_device;
 282struct xfrm_type;
 283struct xfrm_dst;
 284struct xfrm_policy_afinfo {
 285        unsigned short          family;
 286        struct dst_ops          *dst_ops;
 287        void                    (*garbage_collect)(struct net *net);
 288        struct dst_entry        *(*dst_lookup)(struct net *net,
 289                                               int tos, int oif,
 290                                               const xfrm_address_t *saddr,
 291                                               const xfrm_address_t *daddr);
 292        int                     (*get_saddr)(struct net *net, int oif,
 293                                             xfrm_address_t *saddr,
 294                                             xfrm_address_t *daddr);
 295        void                    (*decode_session)(struct sk_buff *skb,
 296                                                  struct flowi *fl,
 297                                                  int reverse);
 298        int                     (*get_tos)(const struct flowi *fl);
 299        int                     (*init_path)(struct xfrm_dst *path,
 300                                             struct dst_entry *dst,
 301                                             int nfheader_len);
 302        int                     (*fill_dst)(struct xfrm_dst *xdst,
 303                                            struct net_device *dev,
 304                                            const struct flowi *fl);
 305        struct dst_entry        *(*blackhole_route)(struct net *net, struct dst_entry *orig);
 306};
 307
 308int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
 309int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
 310void km_policy_notify(struct xfrm_policy *xp, int dir,
 311                      const struct km_event *c);
 312void km_state_notify(struct xfrm_state *x, const struct km_event *c);
 313
 314struct xfrm_tmpl;
 315int km_query(struct xfrm_state *x, struct xfrm_tmpl *t,
 316             struct xfrm_policy *pol);
 317void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
 318int __xfrm_state_delete(struct xfrm_state *x);
 319
 320struct xfrm_state_afinfo {
 321        unsigned int            family;
 322        unsigned int            proto;
 323        __be16                  eth_proto;
 324        struct module           *owner;
 325        const struct xfrm_type  *type_map[IPPROTO_MAX];
 326        struct xfrm_mode        *mode_map[XFRM_MODE_MAX];
 327        int                     (*init_flags)(struct xfrm_state *x);
 328        void                    (*init_tempsel)(struct xfrm_selector *sel,
 329                                                const struct flowi *fl);
 330        void                    (*init_temprop)(struct xfrm_state *x,
 331                                                const struct xfrm_tmpl *tmpl,
 332                                                const xfrm_address_t *daddr,
 333                                                const xfrm_address_t *saddr);
 334        int                     (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
 335        int                     (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
 336        int                     (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
 337        int                     (*output_finish)(struct sock *sk, struct sk_buff *skb);
 338        int                     (*extract_input)(struct xfrm_state *x,
 339                                                 struct sk_buff *skb);
 340        int                     (*extract_output)(struct xfrm_state *x,
 341                                                  struct sk_buff *skb);
 342        int                     (*transport_finish)(struct sk_buff *skb,
 343                                                    int async);
 344        void                    (*local_error)(struct sk_buff *skb, u32 mtu);
 345};
 346
 347int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
 348int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
 349struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
 350void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
 351
 352struct xfrm_input_afinfo {
 353        unsigned int            family;
 354        struct module           *owner;
 355        int                     (*callback)(struct sk_buff *skb, u8 protocol,
 356                                            int err);
 357};
 358
 359int xfrm_input_register_afinfo(struct xfrm_input_afinfo *afinfo);
 360int xfrm_input_unregister_afinfo(struct xfrm_input_afinfo *afinfo);
 361
 362void xfrm_state_delete_tunnel(struct xfrm_state *x);
 363
 364struct xfrm_type {
 365        char                    *description;
 366        struct module           *owner;
 367        u8                      proto;
 368        u8                      flags;
 369#define XFRM_TYPE_NON_FRAGMENT  1
 370#define XFRM_TYPE_REPLAY_PROT   2
 371#define XFRM_TYPE_LOCAL_COADDR  4
 372#define XFRM_TYPE_REMOTE_COADDR 8
 373
 374        int                     (*init_state)(struct xfrm_state *x);
 375        void                    (*destructor)(struct xfrm_state *);
 376        int                     (*input)(struct xfrm_state *, struct sk_buff *skb);
 377        int                     (*output)(struct xfrm_state *, struct sk_buff *pskb);
 378        int                     (*reject)(struct xfrm_state *, struct sk_buff *,
 379                                          const struct flowi *);
 380        int                     (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
 381        /* Estimate maximal size of result of transformation of a dgram */
 382        u32                     (*get_mtu)(struct xfrm_state *, int size);
 383};
 384
 385int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
 386int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
 387
 388struct xfrm_mode {
 389        /*
 390         * Remove encapsulation header.
 391         *
 392         * The IP header will be moved over the top of the encapsulation
 393         * header.
 394         *
 395         * On entry, the transport header shall point to where the IP header
 396         * should be and the network header shall be set to where the IP
 397         * header currently is.  skb->data shall point to the start of the
 398         * payload.
 399         */
 400        int (*input2)(struct xfrm_state *x, struct sk_buff *skb);
 401
 402        /*
 403         * This is the actual input entry point.
 404         *
 405         * For transport mode and equivalent this would be identical to
 406         * input2 (which does not need to be set).  While tunnel mode
 407         * and equivalent would set this to the tunnel encapsulation function
 408         * xfrm4_prepare_input that would in turn call input2.
 409         */
 410        int (*input)(struct xfrm_state *x, struct sk_buff *skb);
 411
 412        /*
 413         * Add encapsulation header.
 414         *
 415         * On exit, the transport header will be set to the start of the
 416         * encapsulation header to be filled in by x->type->output and
 417         * the mac header will be set to the nextheader (protocol for
 418         * IPv4) field of the extension header directly preceding the
 419         * encapsulation header, or in its absence, that of the top IP
 420         * header.  The value of the network header will always point
 421         * to the top IP header while skb->data will point to the payload.
 422         */
 423        int (*output2)(struct xfrm_state *x,struct sk_buff *skb);
 424
 425        /*
 426         * This is the actual output entry point.
 427         *
 428         * For transport mode and equivalent this would be identical to
 429         * output2 (which does not need to be set).  While tunnel mode
 430         * and equivalent would set this to a tunnel encapsulation function
 431         * (xfrm4_prepare_output or xfrm6_prepare_output) that would in turn
 432         * call output2.
 433         */
 434        int (*output)(struct xfrm_state *x, struct sk_buff *skb);
 435
 436        struct xfrm_state_afinfo *afinfo;
 437        struct module *owner;
 438        unsigned int encap;
 439        int flags;
 440};
 441
 442/* Flags for xfrm_mode. */
 443enum {
 444        XFRM_MODE_FLAG_TUNNEL = 1,
 445};
 446
 447int xfrm_register_mode(struct xfrm_mode *mode, int family);
 448int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
 449
 450static inline int xfrm_af2proto(unsigned int family)
 451{
 452        switch(family) {
 453        case AF_INET:
 454                return IPPROTO_IPIP;
 455        case AF_INET6:
 456                return IPPROTO_IPV6;
 457        default:
 458                return 0;
 459        }
 460}
 461
 462static inline struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
 463{
 464        if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
 465            (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
 466                return x->inner_mode;
 467        else
 468                return x->inner_mode_iaf;
 469}
 470
 471struct xfrm_tmpl {
 472/* id in template is interpreted as:
 473 * daddr - destination of tunnel, may be zero for transport mode.
 474 * spi   - zero to acquire spi. Not zero if spi is static, then
 475 *         daddr must be fixed too.
 476 * proto - AH/ESP/IPCOMP
 477 */
 478        struct xfrm_id          id;
 479
 480/* Source address of tunnel. Ignored, if it is not a tunnel. */
 481        xfrm_address_t          saddr;
 482
 483        unsigned short          encap_family;
 484
 485        u32                     reqid;
 486
 487/* Mode: transport, tunnel etc. */
 488        u8                      mode;
 489
 490/* Sharing mode: unique, this session only, this user only etc. */
 491        u8                      share;
 492
 493/* May skip this transfomration if no SA is found */
 494        u8                      optional;
 495
 496/* Skip aalgos/ealgos/calgos checks. */
 497        u8                      allalgs;
 498
 499/* Bit mask of algos allowed for acquisition */
 500        u32                     aalgos;
 501        u32                     ealgos;
 502        u32                     calgos;
 503};
 504
 505#define XFRM_MAX_DEPTH          6
 506
 507struct xfrm_policy_walk_entry {
 508        struct list_head        all;
 509        u8                      dead;
 510};
 511
 512struct xfrm_policy_walk {
 513        struct xfrm_policy_walk_entry walk;
 514        u8 type;
 515        u32 seq;
 516};
 517
 518struct xfrm_policy_queue {
 519        struct sk_buff_head     hold_queue;
 520        struct timer_list       hold_timer;
 521        unsigned long           timeout;
 522};
 523
 524struct xfrm_policy {
 525        possible_net_t          xp_net;
 526        struct hlist_node       bydst;
 527        struct hlist_node       byidx;
 528
 529        /* This lock only affects elements except for entry. */
 530        rwlock_t                lock;
 531        atomic_t                refcnt;
 532        struct timer_list       timer;
 533
 534        struct flow_cache_object flo;
 535        atomic_t                genid;
 536        u32                     priority;
 537        u32                     index;
 538        struct xfrm_mark        mark;
 539        struct xfrm_selector    selector;
 540        struct xfrm_lifetime_cfg lft;
 541        struct xfrm_lifetime_cur curlft;
 542        struct xfrm_policy_walk_entry walk;
 543        struct xfrm_policy_queue polq;
 544        u8                      type;
 545        u8                      action;
 546        u8                      flags;
 547        u8                      xfrm_nr;
 548        u16                     family;
 549        struct xfrm_sec_ctx     *security;
 550        struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
 551        struct rcu_head         rcu;
 552};
 553
 554static inline struct net *xp_net(const struct xfrm_policy *xp)
 555{
 556        return read_pnet(&xp->xp_net);
 557}
 558
 559struct xfrm_kmaddress {
 560        xfrm_address_t          local;
 561        xfrm_address_t          remote;
 562        u32                     reserved;
 563        u16                     family;
 564};
 565
 566struct xfrm_migrate {
 567        xfrm_address_t          old_daddr;
 568        xfrm_address_t          old_saddr;
 569        xfrm_address_t          new_daddr;
 570        xfrm_address_t          new_saddr;
 571        u8                      proto;
 572        u8                      mode;
 573        u16                     reserved;
 574        u32                     reqid;
 575        u16                     old_family;
 576        u16                     new_family;
 577};
 578
 579#define XFRM_KM_TIMEOUT                30
 580/* what happened */
 581#define XFRM_REPLAY_UPDATE      XFRM_AE_CR
 582#define XFRM_REPLAY_TIMEOUT     XFRM_AE_CE
 583
 584/* default aevent timeout in units of 100ms */
 585#define XFRM_AE_ETIME                   10
 586/* Async Event timer multiplier */
 587#define XFRM_AE_ETH_M                   10
 588/* default seq threshold size */
 589#define XFRM_AE_SEQT_SIZE               2
 590
 591struct xfrm_mgr {
 592        struct list_head        list;
 593        char                    *id;
 594        int                     (*notify)(struct xfrm_state *x, const struct km_event *c);
 595        int                     (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
 596        struct xfrm_policy      *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
 597        int                     (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
 598        int                     (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
 599        int                     (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
 600        int                     (*migrate)(const struct xfrm_selector *sel,
 601                                           u8 dir, u8 type,
 602                                           const struct xfrm_migrate *m,
 603                                           int num_bundles,
 604                                           const struct xfrm_kmaddress *k);
 605        bool                    (*is_alive)(const struct km_event *c);
 606};
 607
 608int xfrm_register_km(struct xfrm_mgr *km);
 609int xfrm_unregister_km(struct xfrm_mgr *km);
 610
 611struct xfrm_tunnel_skb_cb {
 612        union {
 613                struct inet_skb_parm h4;
 614                struct inet6_skb_parm h6;
 615        } header;
 616
 617        union {
 618                struct ip_tunnel *ip4;
 619                struct ip6_tnl *ip6;
 620        } tunnel;
 621};
 622
 623#define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
 624
 625/*
 626 * This structure is used for the duration where packets are being
 627 * transformed by IPsec.  As soon as the packet leaves IPsec the
 628 * area beyond the generic IP part may be overwritten.
 629 */
 630struct xfrm_skb_cb {
 631        struct xfrm_tunnel_skb_cb header;
 632
 633        /* Sequence number for replay protection. */
 634        union {
 635                struct {
 636                        __u32 low;
 637                        __u32 hi;
 638                } output;
 639                struct {
 640                        __be32 low;
 641                        __be32 hi;
 642                } input;
 643        } seq;
 644};
 645
 646#define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
 647
 648/*
 649 * This structure is used by the afinfo prepare_input/prepare_output functions
 650 * to transmit header information to the mode input/output functions.
 651 */
 652struct xfrm_mode_skb_cb {
 653        struct xfrm_tunnel_skb_cb header;
 654
 655        /* Copied from header for IPv4, always set to zero and DF for IPv6. */
 656        __be16 id;
 657        __be16 frag_off;
 658
 659        /* IP header length (excluding options or extension headers). */
 660        u8 ihl;
 661
 662        /* TOS for IPv4, class for IPv6. */
 663        u8 tos;
 664
 665        /* TTL for IPv4, hop limitfor IPv6. */
 666        u8 ttl;
 667
 668        /* Protocol for IPv4, NH for IPv6. */
 669        u8 protocol;
 670
 671        /* Option length for IPv4, zero for IPv6. */
 672        u8 optlen;
 673
 674        /* Used by IPv6 only, zero for IPv4. */
 675        u8 flow_lbl[3];
 676};
 677
 678#define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
 679
 680/*
 681 * This structure is used by the input processing to locate the SPI and
 682 * related information.
 683 */
 684struct xfrm_spi_skb_cb {
 685        struct xfrm_tunnel_skb_cb header;
 686
 687        unsigned int daddroff;
 688        unsigned int family;
 689};
 690
 691#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
 692
 693#ifdef CONFIG_AUDITSYSCALL
 694static inline struct audit_buffer *xfrm_audit_start(const char *op)
 695{
 696        struct audit_buffer *audit_buf = NULL;
 697
 698        if (audit_enabled == 0)
 699                return NULL;
 700        audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
 701                                    AUDIT_MAC_IPSEC_EVENT);
 702        if (audit_buf == NULL)
 703                return NULL;
 704        audit_log_format(audit_buf, "op=%s", op);
 705        return audit_buf;
 706}
 707
 708static inline void xfrm_audit_helper_usrinfo(bool task_valid,
 709                                             struct audit_buffer *audit_buf)
 710{
 711        const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
 712                                            audit_get_loginuid(current) :
 713                                            INVALID_UID);
 714        const unsigned int ses = task_valid ? audit_get_sessionid(current) :
 715                (unsigned int) -1;
 716
 717        audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
 718        audit_log_task_context(audit_buf);
 719}
 720
 721void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
 722void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 723                              bool task_valid);
 724void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
 725void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
 726void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 727                                      struct sk_buff *skb);
 728void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
 729                             __be32 net_seq);
 730void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
 731void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi,
 732                               __be32 net_seq);
 733void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
 734                              u8 proto);
 735#else
 736
 737static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 738                                         bool task_valid)
 739{
 740}
 741
 742static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 743                                            bool task_valid)
 744{
 745}
 746
 747static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
 748                                        bool task_valid)
 749{
 750}
 751
 752static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 753                                           bool task_valid)
 754{
 755}
 756
 757static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 758                                             struct sk_buff *skb)
 759{
 760}
 761
 762static inline void xfrm_audit_state_replay(struct xfrm_state *x,
 763                                           struct sk_buff *skb, __be32 net_seq)
 764{
 765}
 766
 767static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
 768                                      u16 family)
 769{
 770}
 771
 772static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 773                                      __be32 net_spi, __be32 net_seq)
 774{
 775}
 776
 777static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
 778                                     struct sk_buff *skb, u8 proto)
 779{
 780}
 781#endif /* CONFIG_AUDITSYSCALL */
 782
 783static inline void xfrm_pol_hold(struct xfrm_policy *policy)
 784{
 785        if (likely(policy != NULL))
 786                atomic_inc(&policy->refcnt);
 787}
 788
 789void xfrm_policy_destroy(struct xfrm_policy *policy);
 790
 791static inline void xfrm_pol_put(struct xfrm_policy *policy)
 792{
 793        if (atomic_dec_and_test(&policy->refcnt))
 794                xfrm_policy_destroy(policy);
 795}
 796
 797static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
 798{
 799        int i;
 800        for (i = npols - 1; i >= 0; --i)
 801                xfrm_pol_put(pols[i]);
 802}
 803
 804void __xfrm_state_destroy(struct xfrm_state *);
 805
 806static inline void __xfrm_state_put(struct xfrm_state *x)
 807{
 808        atomic_dec(&x->refcnt);
 809}
 810
 811static inline void xfrm_state_put(struct xfrm_state *x)
 812{
 813        if (atomic_dec_and_test(&x->refcnt))
 814                __xfrm_state_destroy(x);
 815}
 816
 817static inline void xfrm_state_hold(struct xfrm_state *x)
 818{
 819        atomic_inc(&x->refcnt);
 820}
 821
 822static inline bool addr_match(const void *token1, const void *token2,
 823                              int prefixlen)
 824{
 825        const __be32 *a1 = token1;
 826        const __be32 *a2 = token2;
 827        int pdw;
 828        int pbi;
 829
 830        pdw = prefixlen >> 5;     /* num of whole u32 in prefix */
 831        pbi = prefixlen &  0x1f;  /* num of bits in incomplete u32 in prefix */
 832
 833        if (pdw)
 834                if (memcmp(a1, a2, pdw << 2))
 835                        return false;
 836
 837        if (pbi) {
 838                __be32 mask;
 839
 840                mask = htonl((0xffffffff) << (32 - pbi));
 841
 842                if ((a1[pdw] ^ a2[pdw]) & mask)
 843                        return false;
 844        }
 845
 846        return true;
 847}
 848
 849static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
 850{
 851        /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
 852        if (prefixlen == 0)
 853                return true;
 854        return !((a1 ^ a2) & htonl(0xFFFFFFFFu << (32 - prefixlen)));
 855}
 856
 857static __inline__
 858__be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
 859{
 860        __be16 port;
 861        switch(fl->flowi_proto) {
 862        case IPPROTO_TCP:
 863        case IPPROTO_UDP:
 864        case IPPROTO_UDPLITE:
 865        case IPPROTO_SCTP:
 866                port = uli->ports.sport;
 867                break;
 868        case IPPROTO_ICMP:
 869        case IPPROTO_ICMPV6:
 870                port = htons(uli->icmpt.type);
 871                break;
 872        case IPPROTO_MH:
 873                port = htons(uli->mht.type);
 874                break;
 875        case IPPROTO_GRE:
 876                port = htons(ntohl(uli->gre_key) >> 16);
 877                break;
 878        default:
 879                port = 0;       /*XXX*/
 880        }
 881        return port;
 882}
 883
 884static __inline__
 885__be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
 886{
 887        __be16 port;
 888        switch(fl->flowi_proto) {
 889        case IPPROTO_TCP:
 890        case IPPROTO_UDP:
 891        case IPPROTO_UDPLITE:
 892        case IPPROTO_SCTP:
 893                port = uli->ports.dport;
 894                break;
 895        case IPPROTO_ICMP:
 896        case IPPROTO_ICMPV6:
 897                port = htons(uli->icmpt.code);
 898                break;
 899        case IPPROTO_GRE:
 900                port = htons(ntohl(uli->gre_key) & 0xffff);
 901                break;
 902        default:
 903                port = 0;       /*XXX*/
 904        }
 905        return port;
 906}
 907
 908bool xfrm_selector_match(const struct xfrm_selector *sel,
 909                         const struct flowi *fl, unsigned short family);
 910
 911#ifdef CONFIG_SECURITY_NETWORK_XFRM
 912/*      If neither has a context --> match
 913 *      Otherwise, both must have a context and the sids, doi, alg must match
 914 */
 915static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 916{
 917        return ((!s1 && !s2) ||
 918                (s1 && s2 &&
 919                 (s1->ctx_sid == s2->ctx_sid) &&
 920                 (s1->ctx_doi == s2->ctx_doi) &&
 921                 (s1->ctx_alg == s2->ctx_alg)));
 922}
 923#else
 924static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 925{
 926        return true;
 927}
 928#endif
 929
 930/* A struct encoding bundle of transformations to apply to some set of flow.
 931 *
 932 * dst->child points to the next element of bundle.
 933 * dst->xfrm  points to an instanse of transformer.
 934 *
 935 * Due to unfortunate limitations of current routing cache, which we
 936 * have no time to fix, it mirrors struct rtable and bound to the same
 937 * routing key, including saddr,daddr. However, we can have many of
 938 * bundles differing by session id. All the bundles grow from a parent
 939 * policy rule.
 940 */
 941struct xfrm_dst {
 942        union {
 943                struct dst_entry        dst;
 944                struct rtable           rt;
 945                struct rt6_info         rt6;
 946        } u;
 947        struct dst_entry *route;
 948        struct flow_cache_object flo;
 949        struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
 950        int num_pols, num_xfrms;
 951#ifdef CONFIG_XFRM_SUB_POLICY
 952        struct flowi *origin;
 953        struct xfrm_selector *partner;
 954#endif
 955        u32 xfrm_genid;
 956        u32 policy_genid;
 957        u32 route_mtu_cached;
 958        u32 child_mtu_cached;
 959        u32 route_cookie;
 960        u32 path_cookie;
 961};
 962
 963#ifdef CONFIG_XFRM
 964static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
 965{
 966        xfrm_pols_put(xdst->pols, xdst->num_pols);
 967        dst_release(xdst->route);
 968        if (likely(xdst->u.dst.xfrm))
 969                xfrm_state_put(xdst->u.dst.xfrm);
 970#ifdef CONFIG_XFRM_SUB_POLICY
 971        kfree(xdst->origin);
 972        xdst->origin = NULL;
 973        kfree(xdst->partner);
 974        xdst->partner = NULL;
 975#endif
 976}
 977#endif
 978
 979void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
 980
 981struct sec_path {
 982        atomic_t                refcnt;
 983        int                     len;
 984        struct xfrm_state       *xvec[XFRM_MAX_DEPTH];
 985};
 986
 987static inline int secpath_exists(struct sk_buff *skb)
 988{
 989#ifdef CONFIG_XFRM
 990        return skb->sp != NULL;
 991#else
 992        return 0;
 993#endif
 994}
 995
 996static inline struct sec_path *
 997secpath_get(struct sec_path *sp)
 998{
 999        if (sp)
1000                atomic_inc(&sp->refcnt);

1001        return sp;
1002}
1003
1004void __secpath_destroy(struct sec_path *sp);
1005
1006static inline void
1007secpath_put(struct sec_path *sp)
1008{
1009        if (sp && atomic_dec_and_test(&sp->refcnt))
1010                __secpath_destroy(sp);
1011}
1012
1013struct sec_path *secpath_dup(struct sec_path *src);
1014
1015static inline void
1016secpath_reset(struct sk_buff *skb)
1017{
1018#ifdef CONFIG_XFRM
1019        secpath_put(skb->sp);
1020        skb->sp = NULL;
1021#endif
1022}
1023
1024static inline int
1025xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1026{
1027        switch (family) {
1028        case AF_INET:
1029                return addr->a4 == 0;
1030        case AF_INET6:
1031                return ipv6_addr_any(&addr->in6);
1032        }
1033        return 0;
1034}
1035
1036static inline int
1037__xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1038{
1039        return  (tmpl->saddr.a4 &&
1040                 tmpl->saddr.a4 != x->props.saddr.a4);
1041}
1042
1043static inline int
1044__xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1045{
1046        return  (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1047                 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1048}
1049
1050static inline int
1051xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1052{
1053        switch (family) {
1054        case AF_INET:
1055                return __xfrm4_state_addr_cmp(tmpl, x);
1056        case AF_INET6:
1057                return __xfrm6_state_addr_cmp(tmpl, x);
1058        }
1059        return !0;
1060}
1061
1062#ifdef CONFIG_XFRM
1063int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
1064                        unsigned short family);
1065
1066static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1067                                       struct sk_buff *skb,
1068                                       unsigned int family, int reverse)
1069{
1070        struct net *net = dev_net(skb->dev);
1071        int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1072
1073        if (sk && sk->sk_policy[XFRM_POLICY_IN])
1074                return __xfrm_policy_check(sk, ndir, skb, family);
1075
1076        return  (!net->xfrm.policy_count[dir] && !skb->sp) ||
1077                (skb_dst(skb)->flags & DST_NOPOLICY) ||
1078                __xfrm_policy_check(sk, ndir, skb, family);
1079}
1080
1081static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1082{
1083        return __xfrm_policy_check2(sk, dir, skb, family, 0);
1084}
1085
1086static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1087{
1088        return xfrm_policy_check(sk, dir, skb, AF_INET);
1089}
1090
1091static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1092{
1093        return xfrm_policy_check(sk, dir, skb, AF_INET6);
1094}
1095
1096static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1097                                             struct sk_buff *skb)
1098{
1099        return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1100}
1101
1102static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1103                                             struct sk_buff *skb)
1104{
1105        return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1106}
1107
1108int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1109                          unsigned int family, int reverse);
1110
1111static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1112                                      unsigned int family)
1113{
1114        return __xfrm_decode_session(skb, fl, family, 0);
1115}
1116
1117static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1118                                              struct flowi *fl,
1119                                              unsigned int family)
1120{
1121        return __xfrm_decode_session(skb, fl, family, 1);
1122}
1123
1124int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1125
1126static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1127{
1128        struct net *net = dev_net(skb->dev);
1129
1130        return  !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
1131                (skb_dst(skb)->flags & DST_NOXFRM) ||
1132                __xfrm_route_forward(skb, family);
1133}
1134
1135static inline int xfrm4_route_forward(struct sk_buff *skb)
1136{
1137        return xfrm_route_forward(skb, AF_INET);
1138}
1139
1140static inline int xfrm6_route_forward(struct sk_buff *skb)
1141{
1142        return xfrm_route_forward(skb, AF_INET6);
1143}
1144
1145int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk);
1146
1147static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
1148{
1149        sk->sk_policy[0] = NULL;
1150        sk->sk_policy[1] = NULL;
1151        if (unlikely(osk->sk_policy[0] || osk->sk_policy[1]))
1152                return __xfrm_sk_clone_policy(sk, osk);
1153        return 0;
1154}
1155
1156int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1157
1158static inline void xfrm_sk_free_policy(struct sock *sk)
1159{
1160        struct xfrm_policy *pol;
1161
1162        pol = rcu_dereference_protected(sk->sk_policy[0], 1);
1163        if (unlikely(pol != NULL)) {
1164                xfrm_policy_delete(pol, XFRM_POLICY_MAX);
1165                sk->sk_policy[0] = NULL;
1166        }
1167        pol = rcu_dereference_protected(sk->sk_policy[1], 1);
1168        if (unlikely(pol != NULL)) {
1169                xfrm_policy_delete(pol, XFRM_POLICY_MAX+1);
1170                sk->sk_policy[1] = NULL;
1171        }
1172}
1173
1174void xfrm_garbage_collect(struct net *net);
1175
1176#else
1177
1178static inline void xfrm_sk_free_policy(struct sock *sk) {}
1179static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; }
1180static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }  
1181static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; } 
1182static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1183{ 
1184        return 1; 
1185} 
1186static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1187{
1188        return 1;
1189}
1190static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1191{
1192        return 1;
1193}
1194static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1195                                              struct flowi *fl,
1196                                              unsigned int family)
1197{
1198        return -ENOSYS;
1199}
1200static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1201                                             struct sk_buff *skb)
1202{
1203        return 1;
1204}
1205static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1206                                             struct sk_buff *skb)
1207{
1208        return 1;
1209}
1210static inline void xfrm_garbage_collect(struct net *net)
1211{
1212}
1213#endif
1214
1215static __inline__
1216xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1217{
1218        switch (family){
1219        case AF_INET:
1220                return (xfrm_address_t *)&fl->u.ip4.daddr;
1221        case AF_INET6:
1222                return (xfrm_address_t *)&fl->u.ip6.daddr;
1223        }
1224        return NULL;
1225}
1226
1227static __inline__
1228xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1229{
1230        switch (family){
1231        case AF_INET:
1232                return (xfrm_address_t *)&fl->u.ip4.saddr;
1233        case AF_INET6:
1234                return (xfrm_address_t *)&fl->u.ip6.saddr;
1235        }
1236        return NULL;
1237}
1238
1239static __inline__
1240void xfrm_flowi_addr_get(const struct flowi *fl,
1241                         xfrm_address_t *saddr, xfrm_address_t *daddr,
1242                         unsigned short family)
1243{
1244        switch(family) {
1245        case AF_INET:
1246                memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1247                memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1248                break;
1249        case AF_INET6:
1250                saddr->in6 = fl->u.ip6.saddr;
1251                daddr->in6 = fl->u.ip6.daddr;
1252                break;
1253        }
1254}
1255
1256static __inline__ int
1257__xfrm4_state_addr_check(const struct xfrm_state *x,
1258                         const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1259{
1260        if (daddr->a4 == x->id.daddr.a4 &&
1261            (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1262                return 1;
1263        return 0;
1264}
1265
1266static __inline__ int
1267__xfrm6_state_addr_check(const struct xfrm_state *x,
1268                         const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1269{
1270        if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1271            (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
1272             ipv6_addr_any((struct in6_addr *)saddr) || 
1273             ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1274                return 1;
1275        return 0;
1276}
1277
1278static __inline__ int
1279xfrm_state_addr_check(const struct xfrm_state *x,
1280                      const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1281                      unsigned short family)
1282{
1283        switch (family) {
1284        case AF_INET:
1285                return __xfrm4_state_addr_check(x, daddr, saddr);
1286        case AF_INET6:
1287                return __xfrm6_state_addr_check(x, daddr, saddr);
1288        }
1289        return 0;
1290}
1291
1292static __inline__ int
1293xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1294                           unsigned short family)
1295{
1296        switch (family) {
1297        case AF_INET:
1298                return __xfrm4_state_addr_check(x,
1299                                                (const xfrm_address_t *)&fl->u.ip4.daddr,
1300                                                (const xfrm_address_t *)&fl->u.ip4.saddr);
1301        case AF_INET6:
1302                return __xfrm6_state_addr_check(x,
1303                                                (const xfrm_address_t *)&fl->u.ip6.daddr,
1304                                                (const xfrm_address_t *)&fl->u.ip6.saddr);
1305        }
1306        return 0;
1307}
1308
1309static inline int xfrm_state_kern(const struct xfrm_state *x)
1310{
1311        return atomic_read(&x->tunnel_users);
1312}
1313
1314static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1315{
1316        return (!userproto || proto == userproto ||
1317                (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1318                                                  proto == IPPROTO_ESP ||
1319                                                  proto == IPPROTO_COMP)));
1320}
1321
1322/*
1323 * xfrm algorithm information
1324 */
1325struct xfrm_algo_aead_info {
1326        char *geniv;
1327        u16 icv_truncbits;
1328};
1329
1330struct xfrm_algo_auth_info {
1331        u16 icv_truncbits;
1332        u16 icv_fullbits;
1333};
1334
1335struct xfrm_algo_encr_info {
1336        char *geniv;
1337        u16 blockbits;
1338        u16 defkeybits;
1339};
1340
1341struct xfrm_algo_comp_info {
1342        u16 threshold;
1343};
1344
1345struct xfrm_algo_desc {
1346        char *name;
1347        char *compat;
1348        u8 available:1;
1349        u8 pfkey_supported:1;
1350        union {
1351                struct xfrm_algo_aead_info aead;
1352                struct xfrm_algo_auth_info auth;
1353                struct xfrm_algo_encr_info encr;
1354                struct xfrm_algo_comp_info comp;
1355        } uinfo;
1356        struct sadb_alg desc;
1357};
1358
1359/* XFRM protocol handlers.  */
1360struct xfrm4_protocol {
1361        int (*handler)(struct sk_buff *skb);
1362        int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1363                             int encap_type);
1364        int (*cb_handler)(struct sk_buff *skb, int err);
1365        int (*err_handler)(struct sk_buff *skb, u32 info);
1366
1367        struct xfrm4_protocol __rcu *next;
1368        int priority;
1369};
1370
1371struct xfrm6_protocol {
1372        int (*handler)(struct sk_buff *skb);
1373        int (*cb_handler)(struct sk_buff *skb, int err);
1374        int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1375                           u8 type, u8 code, int offset, __be32 info);
1376
1377        struct xfrm6_protocol __rcu *next;
1378        int priority;
1379};
1380
1381/* XFRM tunnel handlers.  */
1382struct xfrm_tunnel {
1383        int (*handler)(struct sk_buff *skb);
1384        int (*err_handler)(struct sk_buff *skb, u32 info);
1385
1386        struct xfrm_tunnel __rcu *next;
1387        int priority;
1388};
1389
1390struct xfrm6_tunnel {
1391        int (*handler)(struct sk_buff *skb);
1392        int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1393                           u8 type, u8 code, int offset, __be32 info);
1394        struct xfrm6_tunnel __rcu *next;
1395        int priority;
1396};
1397
1398void xfrm_init(void);
1399void xfrm4_init(void);
1400int xfrm_state_init(struct net *net);
1401void xfrm_state_fini(struct net *net);
1402void xfrm4_state_init(void);
1403void xfrm4_protocol_init(void);
1404#ifdef CONFIG_XFRM
1405int xfrm6_init(void);
1406void xfrm6_fini(void);
1407int xfrm6_state_init(void);
1408void xfrm6_state_fini(void);
1409int xfrm6_protocol_init(void);
1410void xfrm6_protocol_fini(void);
1411#else
1412static inline int xfrm6_init(void)
1413{
1414        return 0;
1415}
1416static inline void xfrm6_fini(void)
1417{
1418        ;
1419}
1420#endif
1421
1422#ifdef CONFIG_XFRM_STATISTICS
1423int xfrm_proc_init(struct net *net);
1424void xfrm_proc_fini(struct net *net);
1425#endif
1426
1427int xfrm_sysctl_init(struct net *net);
1428#ifdef CONFIG_SYSCTL
1429void xfrm_sysctl_fini(struct net *net);
1430#else
1431static inline void xfrm_sysctl_fini(struct net *net)
1432{
1433}
1434#endif
1435
1436void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
1437                          struct xfrm_address_filter *filter);
1438int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1439                    int (*func)(struct xfrm_state *, int, void*), void *);
1440void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
1441struct xfrm_state *xfrm_state_alloc(struct net *net);
1442struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1443                                   const xfrm_address_t *saddr,
1444                                   const struct flowi *fl,
1445                                   struct xfrm_tmpl *tmpl,
1446                                   struct xfrm_policy *pol, int *err,
1447                                   unsigned short family);
1448struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark,
1449                                       xfrm_address_t *daddr,
1450                                       xfrm_address_t *saddr,
1451                                       unsigned short family,
1452                                       u8 mode, u8 proto, u32 reqid);
1453struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1454                                              unsigned short family);
1455int xfrm_state_check_expire(struct xfrm_state *x);
1456void xfrm_state_insert(struct xfrm_state *x);
1457int xfrm_state_add(struct xfrm_state *x);
1458int xfrm_state_update(struct xfrm_state *x);
1459struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1460                                     const xfrm_address_t *daddr, __be32 spi,
1461                                     u8 proto, unsigned short family);
1462struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1463                                            const xfrm_address_t *daddr,
1464                                            const xfrm_address_t *saddr,
1465                                            u8 proto,
1466                                            unsigned short family);
1467#ifdef CONFIG_XFRM_SUB_POLICY
1468int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1469                   unsigned short family, struct net *net);
1470int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1471                    unsigned short family);
1472#else
1473static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1474                                 int n, unsigned short family, struct net *net)
1475{
1476        return -ENOSYS;
1477}
1478
1479static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1480                                  int n, unsigned short family)
1481{
1482        return -ENOSYS;
1483}
1484#endif
1485
1486struct xfrmk_sadinfo {
1487        u32 sadhcnt; /* current hash bkts */
1488        u32 sadhmcnt; /* max allowed hash bkts */
1489        u32 sadcnt; /* current running count */
1490};
1491
1492struct xfrmk_spdinfo {
1493        u32 incnt;
1494        u32 outcnt;
1495        u32 fwdcnt;
1496        u32 inscnt;
1497        u32 outscnt;
1498        u32 fwdscnt;
1499        u32 spdhcnt;
1500        u32 spdhmcnt;
1501};
1502
1503struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
1504int xfrm_state_delete(struct xfrm_state *x);
1505int xfrm_state_flush(struct net *net, u8 proto, bool task_valid);
1506void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1507void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1508u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1509int xfrm_init_replay(struct xfrm_state *x);
1510int xfrm_state_mtu(struct xfrm_state *x, int mtu);
1511int __xfrm_init_state(struct xfrm_state *x, bool init_replay);
1512int xfrm_init_state(struct xfrm_state *x);
1513int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
1514int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
1515int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1516int xfrm_output_resume(struct sk_buff *skb, int err);
1517int xfrm_output(struct sock *sk, struct sk_buff *skb);
1518int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1519void xfrm_local_error(struct sk_buff *skb, int mtu);
1520int xfrm4_extract_header(struct sk_buff *skb);
1521int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1522int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1523                    int encap_type);
1524int xfrm4_transport_finish(struct sk_buff *skb, int async);
1525int xfrm4_rcv(struct sk_buff *skb);
1526
1527static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1528{
1529        XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
1530        XFRM_SPI_SKB_CB(skb)->family = AF_INET;
1531        XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
1532        return xfrm_input(skb, nexthdr, spi, 0);
1533}
1534
1535int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1536int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1537int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1538int xfrm4_output_finish(struct sock *sk, struct sk_buff *skb);
1539int xfrm4_rcv_cb(struct sk_buff *skb, u8 protocol, int err);
1540int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);
1541int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);
1542int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1543int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1544void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
1545int xfrm6_extract_header(struct sk_buff *skb);
1546int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1547int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
1548int xfrm6_transport_finish(struct sk_buff *skb, int async);
1549int xfrm6_rcv(struct sk_buff *skb);
1550int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1551                     xfrm_address_t *saddr, u8 proto);
1552void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
1553int xfrm6_rcv_cb(struct sk_buff *skb, u8 protocol, int err);
1554int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);
1555int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);
1556int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1557int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1558__be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1559__be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1560int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1561int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1562int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1563int xfrm6_output_finish(struct sock *sk, struct sk_buff *skb);
1564int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1565                          u8 **prevhdr);
1566
1567#ifdef CONFIG_XFRM
1568int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1569int xfrm_user_policy(struct sock *sk, int optname,
1570                     u8 __user *optval, int optlen);
1571#else
1572static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1573{
1574        return -ENOPROTOOPT;
1575} 
1576
1577static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1578{
1579        /* should not happen */
1580        kfree_skb(skb);
1581        return 0;
1582}
1583#endif
1584
1585struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1586
1587void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1588int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1589                     int (*func)(struct xfrm_policy *, int, int, void*),
1590                     void *);
1591void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1592int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1593struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark,
1594                                          u8 type, int dir,
1595                                          struct xfrm_selector *sel,
1596                                          struct xfrm_sec_ctx *ctx, int delete,
1597                                          int *err);
1598struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8, int dir,
1599                                     u32 id, int delete, int *err);
1600int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
1601void xfrm_policy_hash_rebuild(struct net *net);
1602u32 xfrm_get_acqseq(void);
1603int verify_spi_info(u8 proto, u32 min, u32 max);
1604int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1605struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
1606                                 u8 mode, u32 reqid, u8 proto,
1607                                 const xfrm_address_t *daddr,
1608                                 const xfrm_address_t *saddr, int create,
1609                                 unsigned short family);
1610int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1611
1612#ifdef CONFIG_XFRM_MIGRATE
1613int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1614               const struct xfrm_migrate *m, int num_bundles,
1615               const struct xfrm_kmaddress *k);
1616struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net);
1617struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
1618                                      struct xfrm_migrate *m);
1619int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1620                 struct xfrm_migrate *m, int num_bundles,
1621                 struct xfrm_kmaddress *k, struct net *net);
1622#endif
1623
1624int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1625void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1626int km_report(struct net *net, u8 proto, struct xfrm_selector *sel,
1627              xfrm_address_t *addr);
1628
1629void xfrm_input_init(void);
1630int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1631
1632void xfrm_probe_algs(void);
1633int xfrm_count_pfkey_auth_supported(void);
1634int xfrm_count_pfkey_enc_supported(void);
1635struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1636struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1637struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1638struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1639struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1640struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1641struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1642struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1643struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1644                                            int probe);
1645
1646static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1647                                    const xfrm_address_t *b)
1648{
1649        return ipv6_addr_equal((const struct in6_addr *)a,
1650                               (const struct in6_addr *)b);
1651}
1652
1653static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1654                                   const xfrm_address_t *b,
1655                                   sa_family_t family)
1656{
1657        switch (family) {
1658        default:
1659        case AF_INET:
1660                return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1661        case AF_INET6:
1662                return xfrm6_addr_equal(a, b);
1663        }
1664}
1665
1666static inline int xfrm_policy_id2dir(u32 index)
1667{
1668        return index & 7;
1669}
1670
1671#ifdef CONFIG_XFRM
1672static inline int xfrm_aevent_is_on(struct net *net)
1673{
1674        struct sock *nlsk;
1675        int ret = 0;
1676
1677        rcu_read_lock();
1678        nlsk = rcu_dereference(net->xfrm.nlsk);
1679        if (nlsk)
1680                ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1681        rcu_read_unlock();
1682        return ret;
1683}
1684
1685static inline int xfrm_acquire_is_on(struct net *net)
1686{
1687        struct sock *nlsk;
1688        int ret = 0;
1689
1690        rcu_read_lock();
1691        nlsk = rcu_dereference(net->xfrm.nlsk);
1692        if (nlsk)
1693                ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE);
1694        rcu_read_unlock();
1695
1696        return ret;
1697}
1698#endif
1699
1700static inline int aead_len(struct xfrm_algo_aead *alg)
1701{
1702        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1703}
1704
1705static inline int xfrm_alg_len(const struct xfrm_algo *alg)
1706{
1707        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1708}
1709
1710static inline int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1711{
1712        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1713}
1714
1715static inline int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1716{
1717        return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1718}
1719
1720#ifdef CONFIG_XFRM_MIGRATE
1721static inline int xfrm_replay_clone(struct xfrm_state *x,
1722                                     struct xfrm_state *orig)
1723{
1724        x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn),
1725                                GFP_KERNEL);
1726        if (!x->replay_esn)
1727                return -ENOMEM;
1728
1729        x->replay_esn->bmp_len = orig->replay_esn->bmp_len;
1730        x->replay_esn->replay_window = orig->replay_esn->replay_window;
1731
1732        x->preplay_esn = kmemdup(x->replay_esn,
1733                                 xfrm_replay_state_esn_len(x->replay_esn),
1734                                 GFP_KERNEL);
1735        if (!x->preplay_esn) {
1736                kfree(x->replay_esn);
1737                return -ENOMEM;
1738        }
1739
1740        return 0;
1741}
1742
1743static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig)
1744{
1745        return kmemdup(orig, aead_len(orig), GFP_KERNEL);
1746}
1747
1748
1749static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1750{
1751        return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1752}
1753
1754static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1755{
1756        return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1757}
1758
1759static inline void xfrm_states_put(struct xfrm_state **states, int n)
1760{
1761        int i;
1762        for (i = 0; i < n; i++)
1763                xfrm_state_put(*(states + i));
1764}
1765
1766static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1767{
1768        int i;
1769        for (i = 0; i < n; i++)
1770                xfrm_state_delete(*(states + i));
1771}
1772#endif
1773
1774#ifdef CONFIG_XFRM
1775static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1776{
1777        return skb->sp->xvec[skb->sp->len - 1];
1778}
1779#endif
1780
1781static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
1782{
1783        if (attrs[XFRMA_MARK])
1784                memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
1785        else
1786                m->v = m->m = 0;
1787
1788        return m->v & m->m;
1789}
1790
1791static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
1792{
1793        int ret = 0;
1794
1795        if (m->m | m->v)
1796                ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
1797        return ret;
1798}
1799
1800static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
1801                                    unsigned int family)
1802{
1803        bool tunnel = false;
1804
1805        switch(family) {
1806        case AF_INET:
1807                if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
1808                        tunnel = true;
1809                break;
1810        case AF_INET6:
1811                if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
1812                        tunnel = true;
1813                break;
1814        }
1815        if (tunnel && !(x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL))
1816                return -EINVAL;
1817
1818        return 0;
1819}
1820#endif  /* _NET_XFRM_H */
1821