LXR linux/include/net/xfrm.h

   1/* SPDX-License-Identifier: GPL-2.0 */
   2#ifndef _NET_XFRM_H
   3#define _NET_XFRM_H
   4
   5#include <linux/compiler.h>
   6#include <linux/xfrm.h>
   7#include <linux/spinlock.h>
   8#include <linux/list.h>
   9#include <linux/skbuff.h>
  10#include <linux/socket.h>
  11#include <linux/pfkeyv2.h>
  12#include <linux/ipsec.h>
  13#include <linux/in6.h>
  14#include <linux/mutex.h>
  15#include <linux/audit.h>
  16#include <linux/slab.h>
  17#include <linux/refcount.h>
  18
  19#include <net/sock.h>
  20#include <net/dst.h>
  21#include <net/ip.h>
  22#include <net/route.h>
  23#include <net/ipv6.h>
  24#include <net/ip6_fib.h>
  25#include <net/flow.h>
  26#include <net/gro_cells.h>
  27
  28#include <linux/interrupt.h>
  29
  30#ifdef CONFIG_XFRM_STATISTICS
  31#include <net/snmp.h>
  32#endif
  33
  34#define XFRM_PROTO_ESP          50
  35#define XFRM_PROTO_AH           51
  36#define XFRM_PROTO_COMP         108
  37#define XFRM_PROTO_IPIP         4
  38#define XFRM_PROTO_IPV6         41
  39#define XFRM_PROTO_ROUTING      IPPROTO_ROUTING
  40#define XFRM_PROTO_DSTOPTS      IPPROTO_DSTOPTS
  41
  42#define XFRM_ALIGN4(len)        (((len) + 3) & ~3)
  43#define XFRM_ALIGN8(len)        (((len) + 7) & ~7)
  44#define MODULE_ALIAS_XFRM_MODE(family, encap) \
  45        MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
  46#define MODULE_ALIAS_XFRM_TYPE(family, proto) \
  47        MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
  48#define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \
  49        MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto))
  50
  51#ifdef CONFIG_XFRM_STATISTICS
  52#define XFRM_INC_STATS(net, field)      SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
  53#else
  54#define XFRM_INC_STATS(net, field)      ((void)(net))
  55#endif
  56
  57
  58/* Organization of SPD aka "XFRM rules"
  59   ------------------------------------
  60
  61   Basic objects:
  62   - policy rule, struct xfrm_policy (=SPD entry)
  63   - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
  64   - instance of a transformer, struct xfrm_state (=SA)
  65   - template to clone xfrm_state, struct xfrm_tmpl
  66
  67   SPD is plain linear list of xfrm_policy rules, ordered by priority.
  68   (To be compatible with existing pfkeyv2 implementations,
  69   many rules with priority of 0x7fffffff are allowed to exist and
  70   such rules are ordered in an unpredictable way, thanks to bsd folks.)
  71
  72   Lookup is plain linear search until the first match with selector.
  73
  74   If "action" is "block", then we prohibit the flow, otherwise:
  75   if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
  76   policy entry has list of up to XFRM_MAX_DEPTH transformations,
  77   described by templates xfrm_tmpl. Each template is resolved
  78   to a complete xfrm_state (see below) and we pack bundle of transformations
  79   to a dst_entry returned to requestor.
  80
  81   dst -. xfrm  .-> xfrm_state #1
  82    |---. child .-> dst -. xfrm .-> xfrm_state #2
  83                     |---. child .-> dst -. xfrm .-> xfrm_state #3
  84                                      |---. child .-> NULL
  85
  86   Bundles are cached at xrfm_policy struct (field ->bundles).
  87
  88
  89   Resolution of xrfm_tmpl
  90   -----------------------
  91   Template contains:
  92   1. ->mode            Mode: transport or tunnel
  93   2. ->id.proto        Protocol: AH/ESP/IPCOMP
  94   3. ->id.daddr        Remote tunnel endpoint, ignored for transport mode.
  95      Q: allow to resolve security gateway?
  96   4. ->id.spi          If not zero, static SPI.
  97   5. ->saddr           Local tunnel endpoint, ignored for transport mode.
  98   6. ->algos           List of allowed algos. Plain bitmask now.
  99      Q: ealgos, aalgos, calgos. What a mess...
 100   7. ->share           Sharing mode.
 101      Q: how to implement private sharing mode? To add struct sock* to
 102      flow id?
 103
 104   Having this template we search through SAD searching for entries
 105   with appropriate mode/proto/algo, permitted by selector.
 106   If no appropriate entry found, it is requested from key manager.
 107
 108   PROBLEMS:
 109   Q: How to find all the bundles referring to a physical path for
 110      PMTU discovery? Seems, dst should contain list of all parents...
 111      and enter to infinite locking hierarchy disaster.
 112      No! It is easier, we will not search for them, let them find us.
 113      We add genid to each dst plus pointer to genid of raw IP route,
 114      pmtu disc will update pmtu on raw IP route and increase its genid.
 115      dst_check() will see this for top level and trigger resyncing
 116      metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
 117 */
 118
 119struct xfrm_state_walk {
 120        struct list_head        all;
 121        u8                      state;
 122        u8                      dying;
 123        u8                      proto;
 124        u32                     seq;
 125        struct xfrm_address_filter *filter;
 126};
 127
 128struct xfrm_state_offload {
 129        struct net_device       *dev;
 130        unsigned long           offload_handle;
 131        unsigned int            num_exthdrs;
 132        u8                      flags;
 133};
 134
 135struct xfrm_mode {
 136        u8 encap;
 137        u8 family;
 138        u8 flags;
 139};
 140
 141/* Flags for xfrm_mode. */
 142enum {
 143        XFRM_MODE_FLAG_TUNNEL = 1,
 144};
 145
 146/* Full description of state of transformer. */
 147struct xfrm_state {
 148        possible_net_t          xs_net;
 149        union {
 150                struct hlist_node       gclist;
 151                struct hlist_node       bydst;
 152        };
 153        struct hlist_node       bysrc;
 154        struct hlist_node       byspi;
 155
 156        refcount_t              refcnt;
 157        spinlock_t              lock;
 158
 159        struct xfrm_id          id;
 160        struct xfrm_selector    sel;
 161        struct xfrm_mark        mark;
 162        u32                     if_id;
 163        u32                     tfcpad;
 164
 165        u32                     genid;
 166
 167        /* Key manager bits */
 168        struct xfrm_state_walk  km;
 169
 170        /* Parameters of this state. */
 171        struct {
 172                u32             reqid;
 173                u8              mode;
 174                u8              replay_window;
 175                u8              aalgo, ealgo, calgo;
 176                u8              flags;
 177                u16             family;
 178                xfrm_address_t  saddr;
 179                int             header_len;
 180                int             trailer_len;
 181                u32             extra_flags;
 182                struct xfrm_mark        smark;
 183        } props;
 184
 185        struct xfrm_lifetime_cfg lft;
 186
 187        /* Data for transformer */
 188        struct xfrm_algo_auth   *aalg;
 189        struct xfrm_algo        *ealg;
 190        struct xfrm_algo        *calg;
 191        struct xfrm_algo_aead   *aead;
 192        const char              *geniv;
 193
 194        /* Data for encapsulator */
 195        struct xfrm_encap_tmpl  *encap;
 196
 197        /* Data for care-of address */
 198        xfrm_address_t  *coaddr;
 199
 200        /* IPComp needs an IPIP tunnel for handling uncompressed packets */
 201        struct xfrm_state       *tunnel;
 202
 203        /* If a tunnel, number of users + 1 */
 204        atomic_t                tunnel_users;
 205
 206        /* State for replay detection */
 207        struct xfrm_replay_state replay;
 208        struct xfrm_replay_state_esn *replay_esn;
 209
 210        /* Replay detection state at the time we sent the last notification */
 211        struct xfrm_replay_state preplay;
 212        struct xfrm_replay_state_esn *preplay_esn;
 213
 214        /* The functions for replay detection. */
 215        const struct xfrm_replay *repl;
 216
 217        /* internal flag that only holds state for delayed aevent at the
 218         * moment
 219        */
 220        u32                     xflags;
 221
 222        /* Replay detection notification settings */
 223        u32                     replay_maxage;
 224        u32                     replay_maxdiff;
 225
 226        /* Replay detection notification timer */
 227        struct timer_list       rtimer;
 228
 229        /* Statistics */
 230        struct xfrm_stats       stats;
 231
 232        struct xfrm_lifetime_cur curlft;
 233        struct hrtimer          mtimer;
 234
 235        struct xfrm_state_offload xso;
 236
 237        /* used to fix curlft->add_time when changing date */
 238        long            saved_tmo;
 239
 240        /* Last used time */
 241        time64_t                lastused;
 242
 243        struct page_frag xfrag;
 244
 245        /* Reference to data common to all the instances of this
 246         * transformer. */
 247        const struct xfrm_type  *type;
 248        struct xfrm_mode        inner_mode;
 249        struct xfrm_mode        inner_mode_iaf;
 250        struct xfrm_mode        outer_mode;
 251
 252        const struct xfrm_type_offload  *type_offload;
 253
 254        /* Security context */
 255        struct xfrm_sec_ctx     *security;
 256
 257        /* Private data of this transformer, format is opaque,
 258         * interpreted by xfrm_type methods. */
 259        void                    *data;
 260};
 261
 262static inline struct net *xs_net(struct xfrm_state *x)
 263{
 264        return read_pnet(&x->xs_net);
 265}
 266
 267/* xflags - make enum if more show up */
 268#define XFRM_TIME_DEFER 1
 269#define XFRM_SOFT_EXPIRE 2
 270
 271enum {
 272        XFRM_STATE_VOID,
 273        XFRM_STATE_ACQ,
 274        XFRM_STATE_VALID,
 275        XFRM_STATE_ERROR,
 276        XFRM_STATE_EXPIRED,
 277        XFRM_STATE_DEAD
 278};
 279
 280/* callback structure passed from either netlink or pfkey */
 281struct km_event {
 282        union {
 283                u32 hard;
 284                u32 proto;
 285                u32 byid;
 286                u32 aevent;
 287                u32 type;
 288        } data;
 289
 290        u32     seq;
 291        u32     portid;
 292        u32     event;
 293        struct net *net;
 294};
 295
 296struct xfrm_replay {
 297        void    (*advance)(struct xfrm_state *x, __be32 net_seq);
 298        int     (*check)(struct xfrm_state *x,
 299                         struct sk_buff *skb,
 300                         __be32 net_seq);
 301        int     (*recheck)(struct xfrm_state *x,
 302                           struct sk_buff *skb,
 303                           __be32 net_seq);
 304        void    (*notify)(struct xfrm_state *x, int event);
 305        int     (*overflow)(struct xfrm_state *x, struct sk_buff *skb);
 306};
 307
 308struct xfrm_if_cb {
 309        struct xfrm_if  *(*decode_session)(struct sk_buff *skb,
 310                                           unsigned short family);
 311};
 312
 313void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb);
 314void xfrm_if_unregister_cb(void);
 315
 316struct net_device;
 317struct xfrm_type;
 318struct xfrm_dst;
 319struct xfrm_policy_afinfo {
 320        struct dst_ops          *dst_ops;
 321        struct dst_entry        *(*dst_lookup)(struct net *net,
 322                                               int tos, int oif,
 323                                               const xfrm_address_t *saddr,
 324                                               const xfrm_address_t *daddr,
 325                                               u32 mark);
 326        int                     (*get_saddr)(struct net *net, int oif,
 327                                             xfrm_address_t *saddr,
 328                                             xfrm_address_t *daddr,
 329                                             u32 mark);
 330        int                     (*fill_dst)(struct xfrm_dst *xdst,
 331                                            struct net_device *dev,
 332                                            const struct flowi *fl);
 333        struct dst_entry        *(*blackhole_route)(struct net *net, struct dst_entry *orig);
 334};
 335
 336int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family);
 337void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo);
 338void km_policy_notify(struct xfrm_policy *xp, int dir,
 339                      const struct km_event *c);
 340void km_state_notify(struct xfrm_state *x, const struct km_event *c);
 341
 342struct xfrm_tmpl;
 343int km_query(struct xfrm_state *x, struct xfrm_tmpl *t,
 344             struct xfrm_policy *pol);
 345void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
 346int __xfrm_state_delete(struct xfrm_state *x);
 347
 348struct xfrm_state_afinfo {
 349        u8                              family;
 350        u8                              proto;
 351
 352        const struct xfrm_type_offload *type_offload_esp;
 353
 354        const struct xfrm_type          *type_esp;
 355        const struct xfrm_type          *type_ipip;
 356        const struct xfrm_type          *type_ipip6;
 357        const struct xfrm_type          *type_comp;
 358        const struct xfrm_type          *type_ah;
 359        const struct xfrm_type          *type_routing;
 360        const struct xfrm_type          *type_dstopts;
 361
 362        int                     (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
 363        int                     (*output_finish)(struct sock *sk, struct sk_buff *skb);
 364        int                     (*extract_input)(struct xfrm_state *x,
 365                                                 struct sk_buff *skb);
 366        int                     (*extract_output)(struct xfrm_state *x,
 367                                                  struct sk_buff *skb);
 368        int                     (*transport_finish)(struct sk_buff *skb,
 369                                                    int async);
 370        void                    (*local_error)(struct sk_buff *skb, u32 mtu);
 371};
 372
 373int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
 374int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
 375struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
 376struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family);
 377
 378struct xfrm_input_afinfo {
 379        unsigned int            family;
 380        int                     (*callback)(struct sk_buff *skb, u8 protocol,
 381                                            int err);
 382};
 383
 384int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
 385int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
 386
 387void xfrm_flush_gc(void);
 388void xfrm_state_delete_tunnel(struct xfrm_state *x);
 389
 390struct xfrm_type {
 391        char                    *description;
 392        struct module           *owner;
 393        u8                      proto;
 394        u8                      flags;
 395#define XFRM_TYPE_NON_FRAGMENT  1
 396#define XFRM_TYPE_REPLAY_PROT   2
 397#define XFRM_TYPE_LOCAL_COADDR  4
 398#define XFRM_TYPE_REMOTE_COADDR 8
 399
 400        int                     (*init_state)(struct xfrm_state *x);
 401        void                    (*destructor)(struct xfrm_state *);
 402        int                     (*input)(struct xfrm_state *, struct sk_buff *skb);
 403        int                     (*output)(struct xfrm_state *, struct sk_buff *pskb);
 404        int                     (*reject)(struct xfrm_state *, struct sk_buff *,
 405                                          const struct flowi *);
 406        int                     (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
 407};
 408
 409int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
 410void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
 411
 412struct xfrm_type_offload {
 413        char            *description;
 414        struct module   *owner;
 415        u8              proto;
 416        void            (*encap)(struct xfrm_state *, struct sk_buff *pskb);
 417        int             (*input_tail)(struct xfrm_state *x, struct sk_buff *skb);
 418        int             (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features);
 419};
 420
 421int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);
 422void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);
 423
 424static inline int xfrm_af2proto(unsigned int family)
 425{
 426        switch(family) {
 427        case AF_INET:
 428                return IPPROTO_IPIP;
 429        case AF_INET6:
 430                return IPPROTO_IPV6;
 431        default:
 432                return 0;
 433        }
 434}
 435
 436static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
 437{
 438        if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
 439            (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
 440                return &x->inner_mode;
 441        else
 442                return &x->inner_mode_iaf;
 443}
 444
 445struct xfrm_tmpl {
 446/* id in template is interpreted as:
 447 * daddr - destination of tunnel, may be zero for transport mode.
 448 * spi   - zero to acquire spi. Not zero if spi is static, then
 449 *         daddr must be fixed too.
 450 * proto - AH/ESP/IPCOMP
 451 */
 452        struct xfrm_id          id;
 453
 454/* Source address of tunnel. Ignored, if it is not a tunnel. */
 455        xfrm_address_t          saddr;
 456
 457        unsigned short          encap_family;
 458
 459        u32                     reqid;
 460
 461/* Mode: transport, tunnel etc. */
 462        u8                      mode;
 463
 464/* Sharing mode: unique, this session only, this user only etc. */
 465        u8                      share;
 466
 467/* May skip this transfomration if no SA is found */
 468        u8                      optional;
 469
 470/* Skip aalgos/ealgos/calgos checks. */
 471        u8                      allalgs;
 472
 473/* Bit mask of algos allowed for acquisition */
 474        u32                     aalgos;
 475        u32                     ealgos;
 476        u32                     calgos;
 477};
 478
 479#define XFRM_MAX_DEPTH          6
 480#define XFRM_MAX_OFFLOAD_DEPTH  1
 481
 482struct xfrm_policy_walk_entry {
 483        struct list_head        all;
 484        u8                      dead;
 485};
 486
 487struct xfrm_policy_walk {
 488        struct xfrm_policy_walk_entry walk;
 489        u8 type;
 490        u32 seq;
 491};
 492
 493struct xfrm_policy_queue {
 494        struct sk_buff_head     hold_queue;
 495        struct timer_list       hold_timer;
 496        unsigned long           timeout;
 497};
 498
 499struct xfrm_policy {
 500        possible_net_t          xp_net;
 501        struct hlist_node       bydst;
 502        struct hlist_node       byidx;
 503
 504        /* This lock only affects elements except for entry. */
 505        rwlock_t                lock;
 506        refcount_t              refcnt;
 507        u32                     pos;
 508        struct timer_list       timer;
 509
 510        atomic_t                genid;
 511        u32                     priority;
 512        u32                     index;
 513        u32                     if_id;
 514        struct xfrm_mark        mark;
 515        struct xfrm_selector    selector;
 516        struct xfrm_lifetime_cfg lft;
 517        struct xfrm_lifetime_cur curlft;
 518        struct xfrm_policy_walk_entry walk;
 519        struct xfrm_policy_queue polq;
 520        bool                    bydst_reinsert;
 521        u8                      type;
 522        u8                      action;
 523        u8                      flags;
 524        u8                      xfrm_nr;
 525        u16                     family;
 526        struct xfrm_sec_ctx     *security;
 527        struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
 528        struct hlist_node       bydst_inexact_list;
 529        struct rcu_head         rcu;
 530};
 531
 532static inline struct net *xp_net(const struct xfrm_policy *xp)
 533{
 534        return read_pnet(&xp->xp_net);
 535}
 536
 537struct xfrm_kmaddress {
 538        xfrm_address_t          local;
 539        xfrm_address_t          remote;
 540        u32                     reserved;
 541        u16                     family;
 542};
 543
 544struct xfrm_migrate {
 545        xfrm_address_t          old_daddr;
 546        xfrm_address_t          old_saddr;
 547        xfrm_address_t          new_daddr;
 548        xfrm_address_t          new_saddr;
 549        u8                      proto;
 550        u8                      mode;
 551        u16                     reserved;
 552        u32                     reqid;
 553        u16                     old_family;
 554        u16                     new_family;
 555};
 556
 557#define XFRM_KM_TIMEOUT                30
 558/* what happened */
 559#define XFRM_REPLAY_UPDATE      XFRM_AE_CR
 560#define XFRM_REPLAY_TIMEOUT     XFRM_AE_CE
 561
 562/* default aevent timeout in units of 100ms */
 563#define XFRM_AE_ETIME                   10
 564/* Async Event timer multiplier */
 565#define XFRM_AE_ETH_M                   10
 566/* default seq threshold size */
 567#define XFRM_AE_SEQT_SIZE               2
 568
 569struct xfrm_mgr {
 570        struct list_head        list;
 571        int                     (*notify)(struct xfrm_state *x, const struct km_event *c);
 572        int                     (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
 573        struct xfrm_policy      *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
 574        int                     (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
 575        int                     (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
 576        int                     (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
 577        int                     (*migrate)(const struct xfrm_selector *sel,
 578                                           u8 dir, u8 type,
 579                                           const struct xfrm_migrate *m,
 580                                           int num_bundles,
 581                                           const struct xfrm_kmaddress *k,
 582                                           const struct xfrm_encap_tmpl *encap);
 583        bool                    (*is_alive)(const struct km_event *c);
 584};
 585
 586int xfrm_register_km(struct xfrm_mgr *km);
 587int xfrm_unregister_km(struct xfrm_mgr *km);
 588
 589struct xfrm_tunnel_skb_cb {
 590        union {
 591                struct inet_skb_parm h4;
 592                struct inet6_skb_parm h6;
 593        } header;
 594
 595        union {
 596                struct ip_tunnel *ip4;
 597                struct ip6_tnl *ip6;
 598        } tunnel;
 599};
 600
 601#define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
 602
 603/*
 604 * This structure is used for the duration where packets are being
 605 * transformed by IPsec.  As soon as the packet leaves IPsec the
 606 * area beyond the generic IP part may be overwritten.
 607 */
 608struct xfrm_skb_cb {
 609        struct xfrm_tunnel_skb_cb header;
 610
 611        /* Sequence number for replay protection. */
 612        union {
 613                struct {
 614                        __u32 low;
 615                        __u32 hi;
 616                } output;
 617                struct {
 618                        __be32 low;
 619                        __be32 hi;
 620                } input;
 621        } seq;
 622};
 623
 624#define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
 625
 626/*
 627 * This structure is used by the afinfo prepare_input/prepare_output functions
 628 * to transmit header information to the mode input/output functions.
 629 */
 630struct xfrm_mode_skb_cb {
 631        struct xfrm_tunnel_skb_cb header;
 632
 633        /* Copied from header for IPv4, always set to zero and DF for IPv6. */
 634        __be16 id;
 635        __be16 frag_off;
 636
 637        /* IP header length (excluding options or extension headers). */
 638        u8 ihl;
 639
 640        /* TOS for IPv4, class for IPv6. */
 641        u8 tos;
 642
 643        /* TTL for IPv4, hop limitfor IPv6. */
 644        u8 ttl;
 645
 646        /* Protocol for IPv4, NH for IPv6. */
 647        u8 protocol;
 648
 649        /* Option length for IPv4, zero for IPv6. */
 650        u8 optlen;
 651
 652        /* Used by IPv6 only, zero for IPv4. */
 653        u8 flow_lbl[3];
 654};
 655
 656#define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
 657
 658/*
 659 * This structure is used by the input processing to locate the SPI and
 660 * related information.
 661 */
 662struct xfrm_spi_skb_cb {
 663        struct xfrm_tunnel_skb_cb header;
 664
 665        unsigned int daddroff;
 666        unsigned int family;
 667        __be32 seq;
 668};
 669
 670#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
 671
 672#ifdef CONFIG_AUDITSYSCALL
 673static inline struct audit_buffer *xfrm_audit_start(const char *op)
 674{
 675        struct audit_buffer *audit_buf = NULL;
 676
 677        if (audit_enabled == AUDIT_OFF)
 678                return NULL;
 679        audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
 680                                    AUDIT_MAC_IPSEC_EVENT);
 681        if (audit_buf == NULL)
 682                return NULL;
 683        audit_log_format(audit_buf, "op=%s", op);
 684        return audit_buf;
 685}
 686
 687static inline void xfrm_audit_helper_usrinfo(bool task_valid,
 688                                             struct audit_buffer *audit_buf)
 689{
 690        const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
 691                                            audit_get_loginuid(current) :
 692                                            INVALID_UID);
 693        const unsigned int ses = task_valid ? audit_get_sessionid(current) :
 694                AUDIT_SID_UNSET;
 695
 696        audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
 697        audit_log_task_context(audit_buf);
 698}
 699
 700void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
 701void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 702                              bool task_valid);
 703void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
 704void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
 705void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 706                                      struct sk_buff *skb);
 707void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
 708                             __be32 net_seq);
 709void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
 710void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi,
 711                               __be32 net_seq);
 712void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
 713                              u8 proto);
 714#else
 715
 716static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
 717                                         bool task_valid)
 718{
 719}
 720
 721static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
 722                                            bool task_valid)
 723{
 724}
 725
 726static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
 727                                        bool task_valid)
 728{
 729}
 730
 731static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 732                                           bool task_valid)
 733{
 734}
 735
 736static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 737                                             struct sk_buff *skb)
 738{
 739}
 740
 741static inline void xfrm_audit_state_replay(struct xfrm_state *x,
 742                                           struct sk_buff *skb, __be32 net_seq)
 743{
 744}
 745
 746static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
 747                                      u16 family)
 748{
 749}
 750
 751static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 752                                      __be32 net_spi, __be32 net_seq)
 753{
 754}
 755
 756static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
 757                                     struct sk_buff *skb, u8 proto)
 758{
 759}
 760#endif /* CONFIG_AUDITSYSCALL */
 761
 762static inline void xfrm_pol_hold(struct xfrm_policy *policy)
 763{
 764        if (likely(policy != NULL))
 765                refcount_inc(&policy->refcnt);
 766}
 767
 768void xfrm_policy_destroy(struct xfrm_policy *policy);
 769
 770static inline void xfrm_pol_put(struct xfrm_policy *policy)
 771{
 772        if (refcount_dec_and_test(&policy->refcnt))
 773                xfrm_policy_destroy(policy);
 774}
 775
 776static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
 777{
 778        int i;
 779        for (i = npols - 1; i >= 0; --i)
 780                xfrm_pol_put(pols[i]);
 781}
 782
 783void __xfrm_state_destroy(struct xfrm_state *, bool);
 784
 785static inline void __xfrm_state_put(struct xfrm_state *x)
 786{
 787        refcount_dec(&x->refcnt);
 788}
 789
 790static inline void xfrm_state_put(struct xfrm_state *x)
 791{
 792        if (refcount_dec_and_test(&x->refcnt))
 793                __xfrm_state_destroy(x, false);
 794}
 795
 796static inline void xfrm_state_put_sync(struct xfrm_state *x)
 797{
 798        if (refcount_dec_and_test(&x->refcnt))
 799                __xfrm_state_destroy(x, true);
 800}
 801
 802static inline void xfrm_state_hold(struct xfrm_state *x)
 803{
 804        refcount_inc(&x->refcnt);
 805}
 806
 807static inline bool addr_match(const void *token1, const void *token2,
 808                              unsigned int prefixlen)
 809{
 810        const __be32 *a1 = token1;
 811        const __be32 *a2 = token2;
 812        unsigned int pdw;
 813        unsigned int pbi;
 814
 815        pdw = prefixlen >> 5;     /* num of whole u32 in prefix */
 816        pbi = prefixlen &  0x1f;  /* num of bits in incomplete u32 in prefix */
 817
 818        if (pdw)
 819                if (memcmp(a1, a2, pdw << 2))
 820                        return false;
 821
 822        if (pbi) {
 823                __be32 mask;
 824
 825                mask = htonl((0xffffffff) << (32 - pbi));
 826
 827                if ((a1[pdw] ^ a2[pdw]) & mask)
 828                        return false;
 829        }
 830
 831        return true;
 832}
 833
 834static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
 835{
 836        /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
 837        if (sizeof(long) == 4 && prefixlen == 0)
 838                return true;
 839        return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen)));
 840}
 841
 842static __inline__
 843__be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
 844{
 845        __be16 port;
 846        switch(fl->flowi_proto) {
 847        case IPPROTO_TCP:
 848        case IPPROTO_UDP:
 849        case IPPROTO_UDPLITE:
 850        case IPPROTO_SCTP:
 851                port = uli->ports.sport;
 852                break;
 853        case IPPROTO_ICMP:
 854        case IPPROTO_ICMPV6:
 855                port = htons(uli->icmpt.type);
 856                break;
 857        case IPPROTO_MH:
 858                port = htons(uli->mht.type);
 859                break;
 860        case IPPROTO_GRE:
 861                port = htons(ntohl(uli->gre_key) >> 16);
 862                break;
 863        default:
 864                port = 0;       /*XXX*/
 865        }
 866        return port;
 867}
 868
 869static __inline__
 870__be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
 871{
 872        __be16 port;
 873        switch(fl->flowi_proto) {
 874        case IPPROTO_TCP:
 875        case IPPROTO_UDP:
 876        case IPPROTO_UDPLITE:
 877        case IPPROTO_SCTP:
 878                port = uli->ports.dport;
 879                break;
 880        case IPPROTO_ICMP:
 881        case IPPROTO_ICMPV6:
 882                port = htons(uli->icmpt.code);
 883                break;
 884        case IPPROTO_GRE:
 885                port = htons(ntohl(uli->gre_key) & 0xffff);
 886                break;
 887        default:
 888                port = 0;       /*XXX*/
 889        }
 890        return port;
 891}
 892
 893bool xfrm_selector_match(const struct xfrm_selector *sel,
 894                         const struct flowi *fl, unsigned short family);
 895
 896#ifdef CONFIG_SECURITY_NETWORK_XFRM
 897/*      If neither has a context --> match
 898 *      Otherwise, both must have a context and the sids, doi, alg must match
 899 */
 900static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 901{
 902        return ((!s1 && !s2) ||
 903                (s1 && s2 &&
 904                 (s1->ctx_sid == s2->ctx_sid) &&
 905                 (s1->ctx_doi == s2->ctx_doi) &&
 906                 (s1->ctx_alg == s2->ctx_alg)));
 907}
 908#else
 909static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
 910{
 911        return true;
 912}
 913#endif
 914
 915/* A struct encoding bundle of transformations to apply to some set of flow.
 916 *
 917 * xdst->child points to the next element of bundle.
 918 * dst->xfrm  points to an instanse of transformer.
 919 *
 920 * Due to unfortunate limitations of current routing cache, which we
 921 * have no time to fix, it mirrors struct rtable and bound to the same
 922 * routing key, including saddr,daddr. However, we can have many of
 923 * bundles differing by session id. All the bundles grow from a parent
 924 * policy rule.
 925 */
 926struct xfrm_dst {
 927        union {
 928                struct dst_entry        dst;
 929                struct rtable           rt;
 930                struct rt6_info         rt6;
 931        } u;
 932        struct dst_entry *route;
 933        struct dst_entry *child;
 934        struct dst_entry *path;
 935        struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
 936        int num_pols, num_xfrms;
 937        u32 xfrm_genid;
 938        u32 policy_genid;
 939        u32 route_mtu_cached;
 940        u32 child_mtu_cached;
 941        u32 route_cookie;
 942        u32 path_cookie;
 943};
 944
 945static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst)
 946{
 947#ifdef CONFIG_XFRM
 948        if (dst->xfrm) {
 949                const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst;
 950
 951                return xdst->path;
 952        }
 953#endif
 954        return (struct dst_entry *) dst;
 955}
 956
 957static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst)
 958{
 959#ifdef CONFIG_XFRM
 960        if (dst->xfrm) {
 961                struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
 962                return xdst->child;
 963        }
 964#endif
 965        return NULL;
 966}
 967
 968#ifdef CONFIG_XFRM
 969static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child)
 970{
 971        xdst->child = child;
 972}
 973
 974static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
 975{
 976        xfrm_pols_put(xdst->pols, xdst->num_pols);
 977        dst_release(xdst->route);
 978        if (likely(xdst->u.dst.xfrm))
 979                xfrm_state_put(xdst->u.dst.xfrm);
 980}
 981#endif
 982
 983void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
 984
 985struct xfrm_if_parms {
 986        int link;               /* ifindex of underlying L2 interface */
 987        u32 if_id;              /* interface identifyer */
 988};
 989
 990struct xfrm_if {
 991        struct xfrm_if __rcu *next;     /* next interface in list */
 992        struct net_device *dev;         /* virtual device associated with interface */
 993        struct net *net;                /* netns for packet i/o */
 994        struct xfrm_if_parms p;         /* interface parms */
 995
 996        struct gro_cells gro_cells;
 997};
 998
 999struct xfrm_offload {
1000        /* Output sequence number for replay protection on offloading. */

1001        struct {
1002                __u32 low;
1003                __u32 hi;
1004        } seq;
1005
1006        __u32                   flags;
1007#define SA_DELETE_REQ           1
1008#define CRYPTO_DONE             2
1009#define CRYPTO_NEXT_DONE        4
1010#define CRYPTO_FALLBACK         8
1011#define XFRM_GSO_SEGMENT        16
1012#define XFRM_GRO                32
1013#define XFRM_ESP_NO_TRAILER     64
1014#define XFRM_DEV_RESUME         128
1015
1016        __u32                   status;
1017#define CRYPTO_SUCCESS                          1
1018#define CRYPTO_GENERIC_ERROR                    2
1019#define CRYPTO_TRANSPORT_AH_AUTH_FAILED         4
1020#define CRYPTO_TRANSPORT_ESP_AUTH_FAILED        8
1021#define CRYPTO_TUNNEL_AH_AUTH_FAILED            16
1022#define CRYPTO_TUNNEL_ESP_AUTH_FAILED           32
1023#define CRYPTO_INVALID_PACKET_SYNTAX            64
1024#define CRYPTO_INVALID_PROTOCOL                 128
1025
1026        __u8                    proto;
1027};
1028
1029struct sec_path {
1030        int                     len;
1031        int                     olen;
1032
1033        struct xfrm_state       *xvec[XFRM_MAX_DEPTH];
1034        struct xfrm_offload     ovec[XFRM_MAX_OFFLOAD_DEPTH];
1035};
1036
1037struct sec_path *secpath_set(struct sk_buff *skb);
1038
1039static inline void
1040secpath_reset(struct sk_buff *skb)
1041{
1042#ifdef CONFIG_XFRM
1043        skb_ext_del(skb, SKB_EXT_SEC_PATH);
1044#endif
1045}
1046
1047static inline int
1048xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1049{
1050        switch (family) {
1051        case AF_INET:
1052                return addr->a4 == 0;
1053        case AF_INET6:
1054                return ipv6_addr_any(&addr->in6);
1055        }
1056        return 0;
1057}
1058
1059static inline int
1060__xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1061{
1062        return  (tmpl->saddr.a4 &&
1063                 tmpl->saddr.a4 != x->props.saddr.a4);
1064}
1065
1066static inline int
1067__xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1068{
1069        return  (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1070                 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1071}
1072
1073static inline int
1074xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1075{
1076        switch (family) {
1077        case AF_INET:
1078                return __xfrm4_state_addr_cmp(tmpl, x);
1079        case AF_INET6:
1080                return __xfrm6_state_addr_cmp(tmpl, x);
1081        }
1082        return !0;
1083}
1084
1085#ifdef CONFIG_XFRM
1086int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
1087                        unsigned short family);
1088
1089static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1090                                       struct sk_buff *skb,
1091                                       unsigned int family, int reverse)
1092{
1093        struct net *net = dev_net(skb->dev);
1094        int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1095
1096        if (sk && sk->sk_policy[XFRM_POLICY_IN])
1097                return __xfrm_policy_check(sk, ndir, skb, family);
1098
1099        return  (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
1100                (skb_dst(skb)->flags & DST_NOPOLICY) ||
1101                __xfrm_policy_check(sk, ndir, skb, family);
1102}
1103
1104static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1105{
1106        return __xfrm_policy_check2(sk, dir, skb, family, 0);
1107}
1108
1109static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1110{
1111        return xfrm_policy_check(sk, dir, skb, AF_INET);
1112}
1113
1114static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1115{
1116        return xfrm_policy_check(sk, dir, skb, AF_INET6);
1117}
1118
1119static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1120                                             struct sk_buff *skb)
1121{
1122        return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1123}
1124
1125static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1126                                             struct sk_buff *skb)
1127{
1128        return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1129}
1130
1131int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1132                          unsigned int family, int reverse);
1133
1134static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1135                                      unsigned int family)
1136{
1137        return __xfrm_decode_session(skb, fl, family, 0);
1138}
1139
1140static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1141                                              struct flowi *fl,
1142                                              unsigned int family)
1143{
1144        return __xfrm_decode_session(skb, fl, family, 1);
1145}
1146
1147int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1148
1149static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1150{
1151        struct net *net = dev_net(skb->dev);
1152
1153        return  !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
1154                (skb_dst(skb)->flags & DST_NOXFRM) ||
1155                __xfrm_route_forward(skb, family);
1156}
1157
1158static inline int xfrm4_route_forward(struct sk_buff *skb)
1159{
1160        return xfrm_route_forward(skb, AF_INET);
1161}
1162
1163static inline int xfrm6_route_forward(struct sk_buff *skb)
1164{
1165        return xfrm_route_forward(skb, AF_INET6);
1166}
1167
1168int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk);
1169
1170static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
1171{
1172        sk->sk_policy[0] = NULL;
1173        sk->sk_policy[1] = NULL;
1174        if (unlikely(osk->sk_policy[0] || osk->sk_policy[1]))
1175                return __xfrm_sk_clone_policy(sk, osk);
1176        return 0;
1177}
1178
1179int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1180
1181static inline void xfrm_sk_free_policy(struct sock *sk)
1182{
1183        struct xfrm_policy *pol;
1184
1185        pol = rcu_dereference_protected(sk->sk_policy[0], 1);
1186        if (unlikely(pol != NULL)) {
1187                xfrm_policy_delete(pol, XFRM_POLICY_MAX);
1188                sk->sk_policy[0] = NULL;
1189        }
1190        pol = rcu_dereference_protected(sk->sk_policy[1], 1);
1191        if (unlikely(pol != NULL)) {
1192                xfrm_policy_delete(pol, XFRM_POLICY_MAX+1);
1193                sk->sk_policy[1] = NULL;
1194        }
1195}
1196
1197#else
1198
1199static inline void xfrm_sk_free_policy(struct sock *sk) {}
1200static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; }
1201static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
1202static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
1203static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1204{
1205        return 1;
1206}
1207static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1208{
1209        return 1;
1210}
1211static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1212{
1213        return 1;
1214}
1215static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1216                                              struct flowi *fl,
1217                                              unsigned int family)
1218{
1219        return -ENOSYS;
1220}
1221static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1222                                             struct sk_buff *skb)
1223{
1224        return 1;
1225}
1226static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1227                                             struct sk_buff *skb)
1228{
1229        return 1;
1230}
1231#endif
1232
1233static __inline__
1234xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1235{
1236        switch (family){
1237        case AF_INET:
1238                return (xfrm_address_t *)&fl->u.ip4.daddr;
1239        case AF_INET6:
1240                return (xfrm_address_t *)&fl->u.ip6.daddr;
1241        }
1242        return NULL;
1243}
1244
1245static __inline__
1246xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1247{
1248        switch (family){
1249        case AF_INET:
1250                return (xfrm_address_t *)&fl->u.ip4.saddr;
1251        case AF_INET6:
1252                return (xfrm_address_t *)&fl->u.ip6.saddr;
1253        }
1254        return NULL;
1255}
1256
1257static __inline__
1258void xfrm_flowi_addr_get(const struct flowi *fl,
1259                         xfrm_address_t *saddr, xfrm_address_t *daddr,
1260                         unsigned short family)
1261{
1262        switch(family) {
1263        case AF_INET:
1264                memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1265                memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1266                break;
1267        case AF_INET6:
1268                saddr->in6 = fl->u.ip6.saddr;
1269                daddr->in6 = fl->u.ip6.daddr;
1270                break;
1271        }
1272}
1273
1274static __inline__ int
1275__xfrm4_state_addr_check(const struct xfrm_state *x,
1276                         const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1277{
1278        if (daddr->a4 == x->id.daddr.a4 &&
1279            (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1280                return 1;
1281        return 0;
1282}
1283
1284static __inline__ int
1285__xfrm6_state_addr_check(const struct xfrm_state *x,
1286                         const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1287{
1288        if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1289            (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
1290             ipv6_addr_any((struct in6_addr *)saddr) ||
1291             ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1292                return 1;
1293        return 0;
1294}
1295
1296static __inline__ int
1297xfrm_state_addr_check(const struct xfrm_state *x,
1298                      const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1299                      unsigned short family)
1300{
1301        switch (family) {
1302        case AF_INET:
1303                return __xfrm4_state_addr_check(x, daddr, saddr);
1304        case AF_INET6:
1305                return __xfrm6_state_addr_check(x, daddr, saddr);
1306        }
1307        return 0;
1308}
1309
1310static __inline__ int
1311xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1312                           unsigned short family)
1313{
1314        switch (family) {
1315        case AF_INET:
1316                return __xfrm4_state_addr_check(x,
1317                                                (const xfrm_address_t *)&fl->u.ip4.daddr,
1318                                                (const xfrm_address_t *)&fl->u.ip4.saddr);
1319        case AF_INET6:
1320                return __xfrm6_state_addr_check(x,
1321                                                (const xfrm_address_t *)&fl->u.ip6.daddr,
1322                                                (const xfrm_address_t *)&fl->u.ip6.saddr);
1323        }
1324        return 0;
1325}
1326
1327static inline int xfrm_state_kern(const struct xfrm_state *x)
1328{
1329        return atomic_read(&x->tunnel_users);
1330}
1331
1332static inline bool xfrm_id_proto_valid(u8 proto)
1333{
1334        switch (proto) {
1335        case IPPROTO_AH:
1336        case IPPROTO_ESP:
1337        case IPPROTO_COMP:
1338#if IS_ENABLED(CONFIG_IPV6)
1339        case IPPROTO_ROUTING:
1340        case IPPROTO_DSTOPTS:
1341#endif
1342                return true;
1343        default:
1344                return false;
1345        }
1346}
1347
1348/* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */
1349static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1350{
1351        return (!userproto || proto == userproto ||
1352                (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1353                                                  proto == IPPROTO_ESP ||
1354                                                  proto == IPPROTO_COMP)));
1355}
1356
1357/*
1358 * xfrm algorithm information
1359 */
1360struct xfrm_algo_aead_info {
1361        char *geniv;
1362        u16 icv_truncbits;
1363};
1364
1365struct xfrm_algo_auth_info {
1366        u16 icv_truncbits;
1367        u16 icv_fullbits;
1368};
1369
1370struct xfrm_algo_encr_info {
1371        char *geniv;
1372        u16 blockbits;
1373        u16 defkeybits;
1374};
1375
1376struct xfrm_algo_comp_info {
1377        u16 threshold;
1378};
1379
1380struct xfrm_algo_desc {
1381        char *name;
1382        char *compat;
1383        u8 available:1;
1384        u8 pfkey_supported:1;
1385        union {
1386                struct xfrm_algo_aead_info aead;
1387                struct xfrm_algo_auth_info auth;
1388                struct xfrm_algo_encr_info encr;
1389                struct xfrm_algo_comp_info comp;
1390        } uinfo;
1391        struct sadb_alg desc;
1392};
1393
1394/* XFRM protocol handlers.  */
1395struct xfrm4_protocol {
1396        int (*handler)(struct sk_buff *skb);
1397        int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1398                             int encap_type);
1399        int (*cb_handler)(struct sk_buff *skb, int err);
1400        int (*err_handler)(struct sk_buff *skb, u32 info);
1401
1402        struct xfrm4_protocol __rcu *next;
1403        int priority;
1404};
1405
1406struct xfrm6_protocol {
1407        int (*handler)(struct sk_buff *skb);
1408        int (*cb_handler)(struct sk_buff *skb, int err);
1409        int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1410                           u8 type, u8 code, int offset, __be32 info);
1411
1412        struct xfrm6_protocol __rcu *next;
1413        int priority;
1414};
1415
1416/* XFRM tunnel handlers.  */
1417struct xfrm_tunnel {
1418        int (*handler)(struct sk_buff *skb);
1419        int (*err_handler)(struct sk_buff *skb, u32 info);
1420
1421        struct xfrm_tunnel __rcu *next;
1422        int priority;
1423};
1424
1425struct xfrm6_tunnel {
1426        int (*handler)(struct sk_buff *skb);
1427        int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1428                           u8 type, u8 code, int offset, __be32 info);
1429        struct xfrm6_tunnel __rcu *next;
1430        int priority;
1431};
1432
1433void xfrm_init(void);
1434void xfrm4_init(void);
1435int xfrm_state_init(struct net *net);
1436void xfrm_state_fini(struct net *net);
1437void xfrm4_state_init(void);
1438void xfrm4_protocol_init(void);
1439#ifdef CONFIG_XFRM
1440int xfrm6_init(void);
1441void xfrm6_fini(void);
1442int xfrm6_state_init(void);
1443void xfrm6_state_fini(void);
1444int xfrm6_protocol_init(void);
1445void xfrm6_protocol_fini(void);
1446#else
1447static inline int xfrm6_init(void)
1448{
1449        return 0;
1450}
1451static inline void xfrm6_fini(void)
1452{
1453        ;
1454}
1455#endif
1456
1457#ifdef CONFIG_XFRM_STATISTICS
1458int xfrm_proc_init(struct net *net);
1459void xfrm_proc_fini(struct net *net);
1460#endif
1461
1462int xfrm_sysctl_init(struct net *net);
1463#ifdef CONFIG_SYSCTL
1464void xfrm_sysctl_fini(struct net *net);
1465#else
1466static inline void xfrm_sysctl_fini(struct net *net)
1467{
1468}
1469#endif
1470
1471void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
1472                          struct xfrm_address_filter *filter);
1473int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1474                    int (*func)(struct xfrm_state *, int, void*), void *);
1475void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
1476struct xfrm_state *xfrm_state_alloc(struct net *net);
1477void xfrm_state_free(struct xfrm_state *x);
1478struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1479                                   const xfrm_address_t *saddr,
1480                                   const struct flowi *fl,
1481                                   struct xfrm_tmpl *tmpl,
1482                                   struct xfrm_policy *pol, int *err,
1483                                   unsigned short family, u32 if_id);
1484struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id,
1485                                       xfrm_address_t *daddr,
1486                                       xfrm_address_t *saddr,
1487                                       unsigned short family,
1488                                       u8 mode, u8 proto, u32 reqid);
1489struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1490                                              unsigned short family);
1491int xfrm_state_check_expire(struct xfrm_state *x);
1492void xfrm_state_insert(struct xfrm_state *x);
1493int xfrm_state_add(struct xfrm_state *x);
1494int xfrm_state_update(struct xfrm_state *x);
1495struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1496                                     const xfrm_address_t *daddr, __be32 spi,
1497                                     u8 proto, unsigned short family);
1498struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1499                                            const xfrm_address_t *daddr,
1500                                            const xfrm_address_t *saddr,
1501                                            u8 proto,
1502                                            unsigned short family);
1503#ifdef CONFIG_XFRM_SUB_POLICY
1504void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1505                    unsigned short family);
1506void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1507                     unsigned short family);
1508#else
1509static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s,
1510                                  int n, unsigned short family)
1511{
1512}
1513
1514static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s,
1515                                   int n, unsigned short family)
1516{
1517}
1518#endif
1519
1520struct xfrmk_sadinfo {
1521        u32 sadhcnt; /* current hash bkts */
1522        u32 sadhmcnt; /* max allowed hash bkts */
1523        u32 sadcnt; /* current running count */
1524};
1525
1526struct xfrmk_spdinfo {
1527        u32 incnt;
1528        u32 outcnt;
1529        u32 fwdcnt;
1530        u32 inscnt;
1531        u32 outscnt;
1532        u32 fwdscnt;
1533        u32 spdhcnt;
1534        u32 spdhmcnt;
1535};
1536
1537struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
1538int xfrm_state_delete(struct xfrm_state *x);
1539int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
1540int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
1541void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1542void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1543u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1544int xfrm_init_replay(struct xfrm_state *x);
1545u32 xfrm_state_mtu(struct xfrm_state *x, int mtu);
1546int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload);
1547int xfrm_init_state(struct xfrm_state *x);
1548int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
1549int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1550int xfrm_trans_queue(struct sk_buff *skb,
1551                     int (*finish)(struct net *, struct sock *,
1552                                   struct sk_buff *));
1553int xfrm_output_resume(struct sk_buff *skb, int err);
1554int xfrm_output(struct sock *sk, struct sk_buff *skb);
1555
1556#if IS_ENABLED(CONFIG_NET_PKTGEN)
1557int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb);
1558#endif
1559
1560void xfrm_local_error(struct sk_buff *skb, int mtu);
1561int xfrm4_extract_header(struct sk_buff *skb);
1562int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1563int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1564                    int encap_type);
1565int xfrm4_transport_finish(struct sk_buff *skb, int async);
1566int xfrm4_rcv(struct sk_buff *skb);
1567int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1568
1569static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1570{
1571        XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
1572        XFRM_SPI_SKB_CB(skb)->family = AF_INET;
1573        XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
1574        return xfrm_input(skb, nexthdr, spi, 0);
1575}
1576
1577int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1578int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1579int xfrm4_output_finish(struct sock *sk, struct sk_buff *skb);
1580int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);
1581int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);
1582int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1583int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1584void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
1585int xfrm6_extract_header(struct sk_buff *skb);
1586int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1587int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
1588                  struct ip6_tnl *t);
1589int xfrm6_transport_finish(struct sk_buff *skb, int async);
1590int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t);
1591int xfrm6_rcv(struct sk_buff *skb);
1592int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1593                     xfrm_address_t *saddr, u8 proto);
1594void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
1595int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);
1596int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);
1597int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1598int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1599__be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1600__be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1601int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1602int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1603int xfrm6_output_finish(struct sock *sk, struct sk_buff *skb);
1604int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1605                          u8 **prevhdr);
1606
1607#ifdef CONFIG_XFRM
1608int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1609int xfrm_user_policy(struct sock *sk, int optname,
1610                     u8 __user *optval, int optlen);
1611#else
1612static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1613{
1614        return -ENOPROTOOPT;
1615}
1616
1617static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1618{
1619        /* should not happen */
1620        kfree_skb(skb);
1621        return 0;
1622}
1623#endif
1624
1625struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
1626                                    const xfrm_address_t *saddr,
1627                                    const xfrm_address_t *daddr,
1628                                    int family, u32 mark);
1629
1630struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1631
1632void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1633int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1634                     int (*func)(struct xfrm_policy *, int, int, void*),
1635                     void *);
1636void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1637int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1638struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u32 if_id,
1639                                          u8 type, int dir,
1640                                          struct xfrm_selector *sel,
1641                                          struct xfrm_sec_ctx *ctx, int delete,
1642                                          int *err);
1643struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u32 if_id, u8,
1644                                     int dir, u32 id, int delete, int *err);
1645int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
1646void xfrm_policy_hash_rebuild(struct net *net);
1647u32 xfrm_get_acqseq(void);
1648int verify_spi_info(u8 proto, u32 min, u32 max);
1649int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1650struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
1651                                 u8 mode, u32 reqid, u32 if_id, u8 proto,
1652                                 const xfrm_address_t *daddr,
1653                                 const xfrm_address_t *saddr, int create,
1654                                 unsigned short family);
1655int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1656
1657#ifdef CONFIG_XFRM_MIGRATE
1658int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1659               const struct xfrm_migrate *m, int num_bundles,
1660               const struct xfrm_kmaddress *k,
1661               const struct xfrm_encap_tmpl *encap);
1662struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net);
1663struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
1664                                      struct xfrm_migrate *m,
1665                                      struct xfrm_encap_tmpl *encap);
1666int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1667                 struct xfrm_migrate *m, int num_bundles,
1668                 struct xfrm_kmaddress *k, struct net *net,
1669                 struct xfrm_encap_tmpl *encap);
1670#endif
1671
1672int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1673void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1674int km_report(struct net *net, u8 proto, struct xfrm_selector *sel,
1675              xfrm_address_t *addr);
1676
1677void xfrm_input_init(void);
1678int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1679
1680void xfrm_probe_algs(void);
1681int xfrm_count_pfkey_auth_supported(void);
1682int xfrm_count_pfkey_enc_supported(void);
1683struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1684struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1685struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1686struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1687struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1688struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1689struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1690struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1691struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1692                                            int probe);
1693
1694static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1695                                    const xfrm_address_t *b)
1696{
1697        return ipv6_addr_equal((const struct in6_addr *)a,
1698                               (const struct in6_addr *)b);
1699}
1700
1701static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1702                                   const xfrm_address_t *b,
1703                                   sa_family_t family)
1704{
1705        switch (family) {
1706        default:
1707        case AF_INET:
1708                return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1709        case AF_INET6:
1710                return xfrm6_addr_equal(a, b);
1711        }
1712}
1713
1714static inline int xfrm_policy_id2dir(u32 index)
1715{
1716        return index & 7;
1717}
1718
1719#ifdef CONFIG_XFRM
1720static inline int xfrm_aevent_is_on(struct net *net)
1721{
1722        struct sock *nlsk;
1723        int ret = 0;
1724
1725        rcu_read_lock();
1726        nlsk = rcu_dereference(net->xfrm.nlsk);
1727        if (nlsk)
1728                ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1729        rcu_read_unlock();
1730        return ret;
1731}
1732
1733static inline int xfrm_acquire_is_on(struct net *net)
1734{
1735        struct sock *nlsk;
1736        int ret = 0;
1737
1738        rcu_read_lock();
1739        nlsk = rcu_dereference(net->xfrm.nlsk);
1740        if (nlsk)
1741                ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE);
1742        rcu_read_unlock();
1743
1744        return ret;
1745}
1746#endif
1747
1748static inline unsigned int aead_len(struct xfrm_algo_aead *alg)
1749{
1750        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1751}
1752
1753static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg)
1754{
1755        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1756}
1757
1758static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1759{
1760        return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1761}
1762
1763static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1764{
1765        return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1766}
1767
1768#ifdef CONFIG_XFRM_MIGRATE
1769static inline int xfrm_replay_clone(struct xfrm_state *x,
1770                                     struct xfrm_state *orig)
1771{
1772        x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn),
1773                                GFP_KERNEL);
1774        if (!x->replay_esn)
1775                return -ENOMEM;
1776
1777        x->replay_esn->bmp_len = orig->replay_esn->bmp_len;
1778        x->replay_esn->replay_window = orig->replay_esn->replay_window;
1779
1780        x->preplay_esn = kmemdup(x->replay_esn,
1781                                 xfrm_replay_state_esn_len(x->replay_esn),
1782                                 GFP_KERNEL);
1783        if (!x->preplay_esn) {
1784                kfree(x->replay_esn);
1785                return -ENOMEM;
1786        }
1787
1788        return 0;
1789}
1790
1791static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig)
1792{
1793        return kmemdup(orig, aead_len(orig), GFP_KERNEL);
1794}
1795
1796
1797static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1798{
1799        return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1800}
1801
1802static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1803{
1804        return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1805}
1806
1807static inline void xfrm_states_put(struct xfrm_state **states, int n)
1808{
1809        int i;
1810        for (i = 0; i < n; i++)
1811                xfrm_state_put(*(states + i));
1812}
1813
1814static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1815{
1816        int i;
1817        for (i = 0; i < n; i++)
1818                xfrm_state_delete(*(states + i));
1819}
1820#endif
1821
1822#ifdef CONFIG_XFRM
1823static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1824{
1825        struct sec_path *sp = skb_sec_path(skb);
1826
1827        return sp->xvec[sp->len - 1];
1828}
1829#endif
1830
1831static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
1832{
1833#ifdef CONFIG_XFRM
1834        struct sec_path *sp = skb_sec_path(skb);
1835
1836        if (!sp || !sp->olen || sp->len != sp->olen)
1837                return NULL;
1838
1839        return &sp->ovec[sp->olen - 1];
1840#else
1841        return NULL;
1842#endif
1843}
1844
1845void __init xfrm_dev_init(void);
1846
1847#ifdef CONFIG_XFRM_OFFLOAD
1848void xfrm_dev_resume(struct sk_buff *skb);
1849void xfrm_dev_backlog(struct softnet_data *sd);
1850struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again);
1851int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
1852                       struct xfrm_user_offload *xuo);
1853bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
1854
1855static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1856{
1857        struct xfrm_state_offload *xso = &x->xso;
1858
1859        if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn)
1860                xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
1861}
1862
1863static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1864{
1865        struct xfrm_state *x = dst->xfrm;
1866        struct xfrm_dst *xdst;
1867
1868        if (!x || !x->type_offload)
1869                return false;
1870
1871        xdst = (struct xfrm_dst *) dst;
1872        if (!x->xso.offload_handle && !xdst->child->xfrm)
1873                return true;
1874        if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) &&
1875            !xdst->child->xfrm)
1876                return true;
1877
1878        return false;
1879}
1880
1881static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1882{
1883        struct xfrm_state_offload *xso = &x->xso;
1884
1885        if (xso->dev)
1886                xso->dev->xfrmdev_ops->xdo_dev_state_delete(x);
1887}
1888
1889static inline void xfrm_dev_state_free(struct xfrm_state *x)
1890{
1891        struct xfrm_state_offload *xso = &x->xso;
1892        struct net_device *dev = xso->dev;
1893
1894        if (dev && dev->xfrmdev_ops) {
1895                if (dev->xfrmdev_ops->xdo_dev_state_free)
1896                        dev->xfrmdev_ops->xdo_dev_state_free(x);
1897                xso->dev = NULL;
1898                dev_put(dev);
1899        }
1900}
1901#else
1902static inline void xfrm_dev_resume(struct sk_buff *skb)
1903{
1904}
1905
1906static inline void xfrm_dev_backlog(struct softnet_data *sd)
1907{
1908}
1909
1910static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
1911{
1912        return skb;
1913}
1914
1915static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo)
1916{
1917        return 0;
1918}
1919
1920static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1921{
1922}
1923
1924static inline void xfrm_dev_state_free(struct xfrm_state *x)
1925{
1926}
1927
1928static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
1929{
1930        return false;
1931}
1932
1933static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1934{
1935}
1936
1937static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1938{
1939        return false;
1940}
1941#endif
1942
1943static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
1944{
1945        if (attrs[XFRMA_MARK])
1946                memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
1947        else
1948                m->v = m->m = 0;
1949
1950        return m->v & m->m;
1951}
1952
1953static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
1954{
1955        int ret = 0;
1956
1957        if (m->m | m->v)
1958                ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
1959        return ret;
1960}
1961
1962static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x)
1963{
1964        struct xfrm_mark *m = &x->props.smark;
1965
1966        return (m->v & m->m) | (mark & ~m->m);
1967}
1968
1969static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id)
1970{
1971        int ret = 0;
1972
1973        if (if_id)
1974                ret = nla_put_u32(skb, XFRMA_IF_ID, if_id);
1975        return ret;
1976}
1977
1978static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
1979                                    unsigned int family)
1980{
1981        bool tunnel = false;
1982
1983        switch(family) {
1984        case AF_INET:
1985                if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
1986                        tunnel = true;
1987                break;
1988        case AF_INET6:
1989                if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
1990                        tunnel = true;
1991                break;
1992        }
1993        if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL))
1994                return -EINVAL;
1995
1996        return 0;
1997}
1998#endif  /* _NET_XFRM_H */
1999