Linux/include/net/xfrm.h

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

1 /* SPDX-License-Identifier: GPL-2.0 */ 2 #ifndef _NET_XFRM_H 3 #define _NET_XFRM_H 4 5 #include <linux/compiler.h> 6 #include <linux/xfrm.h> 7 #include <linux/spinlock.h> 8 #include <linux/list.h> 9 #include <linux/skbuff.h> 10 #include <linux/socket.h> 11 #include <linux/pfkeyv2.h> 12 #include <linux/ipsec.h> 13 #include <linux/in6.h> 14 #include <linux/mutex.h> 15 #include <linux/audit.h> 16 #include <linux/slab.h> 17 #include <linux/refcount.h> 18 #include <linux/sockptr.h> 19 20 #include <net/sock.h> 21 #include <net/dst.h> 22 #include <net/ip.h> 23 #include <net/route.h> 24 #include <net/ipv6.h> 25 #include <net/ip6_fib.h> 26 #include <net/flow.h> 27 #include <net/gro_cells.h> 28 29 #include <linux/interrupt.h> 30 31 #ifdef CONFIG_XFRM_STATISTICS 32 #include <net/snmp.h> 33 #endif 34 35 #define XFRM_PROTO_ESP 50 36 #define XFRM_PROTO_AH 51 37 #define XFRM_PROTO_COMP 108 38 #define XFRM_PROTO_IPIP 4 39 #define XFRM_PROTO_IPV6 41 40 #define XFRM_PROTO_ROUTING IPPROTO_ROUTING 41 #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS 42 43 #define XFRM_ALIGN4(len) (((len) + 3) & ~3) 44 #define XFRM_ALIGN8(len) (((len) + 7) & ~7) 45 #define MODULE_ALIAS_XFRM_MODE(family, encap) \ 46 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap)) 47 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \ 48 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto)) 49 #define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \ 50 MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto)) 51 52 #ifdef CONFIG_XFRM_STATISTICS 53 #define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field) 54 #define XFRM_ADD_STATS(net, field, val) SNMP_ADD_STATS((net)->mib.xfrm_statistics, field, val) 55 #else 56 #define XFRM_INC_STATS(net, field) ((void)(net)) 57 #define XFRM_ADD_STATS(net, field, val) ((void)(net)) 58 #endif 59 60 61 /* Organization of SPD aka "XFRM rules" 62 ------------------------------------ 63 64 Basic objects: 65 - policy rule, struct xfrm_policy (=SPD entry) 66 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle) 67 - instance of a transformer, struct xfrm_state (=SA) 68 - template to clone xfrm_state, struct xfrm_tmpl 69 70 SPD is plain linear list of xfrm_policy rules, ordered by priority. 71 (To be compatible with existing pfkeyv2 implementations, 72 many rules with priority of 0x7fffffff are allowed to exist and 73 such rules are ordered in an unpredictable way, thanks to bsd folks.) 74 75 Lookup is plain linear search until the first match with selector. 76 77 If "action" is "block", then we prohibit the flow, otherwise: 78 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise, 79 policy entry has list of up to XFRM_MAX_DEPTH transformations, 80 described by templates xfrm_tmpl. Each template is resolved 81 to a complete xfrm_state (see below) and we pack bundle of transformations 82 to a dst_entry returned to requestor. 83 84 dst -. xfrm .-> xfrm_state #1 85 |---. child .-> dst -. xfrm .-> xfrm_state #2 86 |---. child .-> dst -. xfrm .-> xfrm_state #3 87 |---. child .-> NULL 88 89 Bundles are cached at xrfm_policy struct (field ->bundles). 90 91 92 Resolution of xrfm_tmpl 93 ----------------------- 94 Template contains: 95 1. ->mode Mode: transport or tunnel 96 2. ->id.proto Protocol: AH/ESP/IPCOMP 97 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode. 98 Q: allow to resolve security gateway? 99 4. ->id.spi If not zero, static SPI. 100 5. ->saddr Local tunnel endpoint, ignored for transport mode. 101 6. ->algos List of allowed algos. Plain bitmask now. 102 Q: ealgos, aalgos, calgos. What a mess... 103 7. ->share Sharing mode. 104 Q: how to implement private sharing mode? To add struct sock* to 105 flow id? 106 107 Having this template we search through SAD searching for entries 108 with appropriate mode/proto/algo, permitted by selector. 109 If no appropriate entry found, it is requested from key manager. 110 111 PROBLEMS: 112 Q: How to find all the bundles referring to a physical path for 113 PMTU discovery? Seems, dst should contain list of all parents... 114 and enter to infinite locking hierarchy disaster. 115 No! It is easier, we will not search for them, let them find us. 116 We add genid to each dst plus pointer to genid of raw IP route, 117 pmtu disc will update pmtu on raw IP route and increase its genid. 118 dst_check() will see this for top level and trigger resyncing 119 metrics. Plus, it will be made via sk->sk_dst_cache. Solved. 120 */ 121 122 struct xfrm_state_walk { 123 struct list_head all; 124 u8 state; 125 u8 dying; 126 u8 proto; 127 u32 seq; 128 struct xfrm_address_filter *filter; 129 }; 130 131 enum { 132 XFRM_DEV_OFFLOAD_IN = 1, 133 XFRM_DEV_OFFLOAD_OUT, 134 XFRM_DEV_OFFLOAD_FWD, 135 }; 136 137 enum { 138 XFRM_DEV_OFFLOAD_UNSPECIFIED, 139 XFRM_DEV_OFFLOAD_CRYPTO, 140 XFRM_DEV_OFFLOAD_PACKET, 141 }; 142 143 enum { 144 XFRM_DEV_OFFLOAD_FLAG_ACQ = 1, 145 }; 146 147 struct xfrm_dev_offload { 148 struct net_device *dev; 149 netdevice_tracker dev_tracker; 150 struct net_device *real_dev; 151 unsigned long offload_handle; 152 u8 dir : 2; 153 u8 type : 2; 154 u8 flags : 2; 155 }; 156 157 struct xfrm_mode { 158 u8 encap; 159 u8 family; 160 u8 flags; 161 }; 162 163 /* Flags for xfrm_mode. */ 164 enum { 165 XFRM_MODE_FLAG_TUNNEL = 1, 166 }; 167 168 enum xfrm_replay_mode { 169 XFRM_REPLAY_MODE_LEGACY, 170 XFRM_REPLAY_MODE_BMP, 171 XFRM_REPLAY_MODE_ESN, 172 }; 173 174 /* Full description of state of transformer. */ 175 struct xfrm_state { 176 possible_net_t xs_net; 177 union { 178 struct hlist_node gclist; 179 struct hlist_node bydst; 180 }; 181 union { 182 struct hlist_node dev_gclist; 183 struct hlist_node bysrc; 184 }; 185 struct hlist_node byspi; 186 struct hlist_node byseq; 187 188 refcount_t refcnt; 189 spinlock_t lock; 190 191 struct xfrm_id id; 192 struct xfrm_selector sel; 193 struct xfrm_mark mark; 194 u32 if_id; 195 u32 tfcpad; 196 197 u32 genid; 198 199 /* Key manager bits */ 200 struct xfrm_state_walk km; 201 202 /* Parameters of this state. */ 203 struct { 204 u32 reqid; 205 u8 mode; 206 u8 replay_window; 207 u8 aalgo, ealgo, calgo; 208 u8 flags; 209 u16 family; 210 xfrm_address_t saddr; 211 int header_len; 212 int trailer_len; 213 u32 extra_flags; 214 struct xfrm_mark smark; 215 } props; 216 217 struct xfrm_lifetime_cfg lft; 218 219 /* Data for transformer */ 220 struct xfrm_algo_auth *aalg; 221 struct xfrm_algo *ealg; 222 struct xfrm_algo *calg; 223 struct xfrm_algo_aead *aead; 224 const char *geniv; 225 226 /* mapping change rate limiting */ 227 __be16 new_mapping_sport; 228 u32 new_mapping; /* seconds */ 229 u32 mapping_maxage; /* seconds for input SA */ 230 231 /* Data for encapsulator */ 232 struct xfrm_encap_tmpl *encap; 233 struct sock __rcu *encap_sk; 234 235 /* NAT keepalive */ 236 u32 nat_keepalive_interval; /* seconds */ 237 time64_t nat_keepalive_expiration; 238 239 /* Data for care-of address */ 240 xfrm_address_t *coaddr; 241 242 /* IPComp needs an IPIP tunnel for handling uncompressed packets */ 243 struct xfrm_state *tunnel; 244 245 /* If a tunnel, number of users + 1 */ 246 atomic_t tunnel_users; 247 248 /* State for replay detection */ 249 struct xfrm_replay_state replay; 250 struct xfrm_replay_state_esn *replay_esn; 251 252 /* Replay detection state at the time we sent the last notification */ 253 struct xfrm_replay_state preplay; 254 struct xfrm_replay_state_esn *preplay_esn; 255 256 /* replay detection mode */ 257 enum xfrm_replay_mode repl_mode; 258 /* internal flag that only holds state for delayed aevent at the 259 * moment 260 */ 261 u32 xflags; 262 263 /* Replay detection notification settings */ 264 u32 replay_maxage; 265 u32 replay_maxdiff; 266 267 /* Replay detection notification timer */ 268 struct timer_list rtimer; 269 270 /* Statistics */ 271 struct xfrm_stats stats; 272 273 struct xfrm_lifetime_cur curlft; 274 struct hrtimer mtimer; 275 276 struct xfrm_dev_offload xso; 277 278 /* used to fix curlft->add_time when changing date */ 279 long saved_tmo; 280 281 /* Last used time */ 282 time64_t lastused; 283 284 struct page_frag xfrag; 285 286 /* Reference to data common to all the instances of this 287 * transformer. */ 288 const struct xfrm_type *type; 289 struct xfrm_mode inner_mode; 290 struct xfrm_mode inner_mode_iaf; 291 struct xfrm_mode outer_mode; 292 293 const struct xfrm_type_offload *type_offload; 294 295 /* Security context */ 296 struct xfrm_sec_ctx *security; 297 298 /* Private data of this transformer, format is opaque, 299 * interpreted by xfrm_type methods. */ 300 void *data; 301 u8 dir; 302 }; 303 304 static inline struct net *xs_net(struct xfrm_state *x) 305 { 306 return read_pnet(&x->xs_net); 307 } 308 309 /* xflags - make enum if more show up */ 310 #define XFRM_TIME_DEFER 1 311 #define XFRM_SOFT_EXPIRE 2 312 313 enum { 314 XFRM_STATE_VOID, 315 XFRM_STATE_ACQ, 316 XFRM_STATE_VALID, 317 XFRM_STATE_ERROR, 318 XFRM_STATE_EXPIRED, 319 XFRM_STATE_DEAD 320 }; 321 322 /* callback structure passed from either netlink or pfkey */ 323 struct km_event { 324 union { 325 u32 hard; 326 u32 proto; 327 u32 byid; 328 u32 aevent; 329 u32 type; 330 } data; 331 332 u32 seq; 333 u32 portid; 334 u32 event; 335 struct net *net; 336 }; 337 338 struct xfrm_if_decode_session_result { 339 struct net *net; 340 u32 if_id; 341 }; 342 343 struct xfrm_if_cb { 344 bool (*decode_session)(struct sk_buff *skb, 345 unsigned short family, 346 struct xfrm_if_decode_session_result *res); 347 }; 348 349 void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb); 350 void xfrm_if_unregister_cb(void); 351 352 struct net_device; 353 struct xfrm_type; 354 struct xfrm_dst; 355 struct xfrm_policy_afinfo { 356 struct dst_ops *dst_ops; 357 struct dst_entry *(*dst_lookup)(struct net *net, 358 int tos, int oif, 359 const xfrm_address_t *saddr, 360 const xfrm_address_t *daddr, 361 u32 mark); 362 int (*get_saddr)(struct net *net, int oif, 363 xfrm_address_t *saddr, 364 xfrm_address_t *daddr, 365 u32 mark); 366 int (*fill_dst)(struct xfrm_dst *xdst, 367 struct net_device *dev, 368 const struct flowi *fl); 369 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig); 370 }; 371 372 int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family); 373 void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo); 374 void km_policy_notify(struct xfrm_policy *xp, int dir, 375 const struct km_event *c); 376 void km_state_notify(struct xfrm_state *x, const struct km_event *c); 377 378 struct xfrm_tmpl; 379 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, 380 struct xfrm_policy *pol); 381 void km_state_expired(struct xfrm_state *x, int hard, u32 portid); 382 int __xfrm_state_delete(struct xfrm_state *x); 383 384 struct xfrm_state_afinfo { 385 u8 family; 386 u8 proto; 387 388 const struct xfrm_type_offload *type_offload_esp; 389 390 const struct xfrm_type *type_esp; 391 const struct xfrm_type *type_ipip; 392 const struct xfrm_type *type_ipip6; 393 const struct xfrm_type *type_comp; 394 const struct xfrm_type *type_ah; 395 const struct xfrm_type *type_routing; 396 const struct xfrm_type *type_dstopts; 397 398 int (*output)(struct net *net, struct sock *sk, struct sk_buff *skb); 399 int (*transport_finish)(struct sk_buff *skb, 400 int async); 401 void (*local_error)(struct sk_buff *skb, u32 mtu); 402 }; 403 404 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo); 405 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo); 406 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family); 407 struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family); 408 409 struct xfrm_input_afinfo { 410 u8 family; 411 bool is_ipip; 412 int (*callback)(struct sk_buff *skb, u8 protocol, 413 int err); 414 }; 415 416 int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo); 417 int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo); 418 419 void xfrm_flush_gc(void); 420 void xfrm_state_delete_tunnel(struct xfrm_state *x); 421 422 struct xfrm_type { 423 struct module *owner; 424 u8 proto; 425 u8 flags; 426 #define XFRM_TYPE_NON_FRAGMENT 1 427 #define XFRM_TYPE_REPLAY_PROT 2 428 #define XFRM_TYPE_LOCAL_COADDR 4 429 #define XFRM_TYPE_REMOTE_COADDR 8 430 431 int (*init_state)(struct xfrm_state *x, 432 struct netlink_ext_ack *extack); 433 void (*destructor)(struct xfrm_state *); 434 int (*input)(struct xfrm_state *, struct sk_buff *skb); 435 int (*output)(struct xfrm_state *, struct sk_buff *pskb); 436 int (*reject)(struct xfrm_state *, struct sk_buff *, 437 const struct flowi *); 438 }; 439 440 int xfrm_register_type(const struct xfrm_type *type, unsigned short family); 441 void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family); 442 443 struct xfrm_type_offload { 444 struct module *owner; 445 u8 proto; 446 void (*encap)(struct xfrm_state *, struct sk_buff *pskb); 447 int (*input_tail)(struct xfrm_state *x, struct sk_buff *skb); 448 int (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features); 449 }; 450 451 int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family); 452 void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family); 453 454 static inline int xfrm_af2proto(unsigned int family) 455 { 456 switch(family) { 457 case AF_INET: 458 return IPPROTO_IPIP; 459 case AF_INET6: 460 return IPPROTO_IPV6; 461 default: 462 return 0; 463 } 464 } 465 466 static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto) 467 { 468 if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) || 469 (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6)) 470 return &x->inner_mode; 471 else 472 return &x->inner_mode_iaf; 473 } 474 475 struct xfrm_tmpl { 476 /* id in template is interpreted as: 477 * daddr - destination of tunnel, may be zero for transport mode. 478 * spi - zero to acquire spi. Not zero if spi is static, then 479 * daddr must be fixed too. 480 * proto - AH/ESP/IPCOMP 481 */ 482 struct xfrm_id id; 483 484 /* Source address of tunnel. Ignored, if it is not a tunnel. */ 485 xfrm_address_t saddr; 486 487 unsigned short encap_family; 488 489 u32 reqid; 490 491 /* Mode: transport, tunnel etc. */ 492 u8 mode; 493 494 /* Sharing mode: unique, this session only, this user only etc. */ 495 u8 share; 496 497 /* May skip this transfomration if no SA is found */ 498 u8 optional; 499 500 /* Skip aalgos/ealgos/calgos checks. */ 501 u8 allalgs; 502 503 /* Bit mask of algos allowed for acquisition */ 504 u32 aalgos; 505 u32 ealgos; 506 u32 calgos; 507 }; 508 509 #define XFRM_MAX_DEPTH 6 510 #define XFRM_MAX_OFFLOAD_DEPTH 1 511 512 struct xfrm_policy_walk_entry { 513 struct list_head all; 514 u8 dead; 515 }; 516 517 struct xfrm_policy_walk { 518 struct xfrm_policy_walk_entry walk; 519 u8 type; 520 u32 seq; 521 }; 522 523 struct xfrm_policy_queue { 524 struct sk_buff_head hold_queue; 525 struct timer_list hold_timer; 526 unsigned long timeout; 527 }; 528 529 struct xfrm_policy { 530 possible_net_t xp_net; 531 struct hlist_node bydst; 532 struct hlist_node byidx; 533 534 /* This lock only affects elements except for entry. */ 535 rwlock_t lock; 536 refcount_t refcnt; 537 u32 pos; 538 struct timer_list timer; 539 540 atomic_t genid; 541 u32 priority; 542 u32 index; 543 u32 if_id; 544 struct xfrm_mark mark; 545 struct xfrm_selector selector; 546 struct xfrm_lifetime_cfg lft; 547 struct xfrm_lifetime_cur curlft; 548 struct xfrm_policy_walk_entry walk; 549 struct xfrm_policy_queue polq; 550 bool bydst_reinsert; 551 u8 type; 552 u8 action; 553 u8 flags; 554 u8 xfrm_nr; 555 u16 family; 556 struct xfrm_sec_ctx *security; 557 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH]; 558 struct hlist_node bydst_inexact_list; 559 struct rcu_head rcu; 560 561 struct xfrm_dev_offload xdo; 562 }; 563 564 static inline struct net *xp_net(const struct xfrm_policy *xp) 565 { 566 return read_pnet(&xp->xp_net); 567 } 568 569 struct xfrm_kmaddress { 570 xfrm_address_t local; 571 xfrm_address_t remote; 572 u32 reserved; 573 u16 family; 574 }; 575 576 struct xfrm_migrate { 577 xfrm_address_t old_daddr; 578 xfrm_address_t old_saddr; 579 xfrm_address_t new_daddr; 580 xfrm_address_t new_saddr; 581 u8 proto; 582 u8 mode; 583 u16 reserved; 584 u32 reqid; 585 u16 old_family; 586 u16 new_family; 587 }; 588 589 #define XFRM_KM_TIMEOUT 30 590 /* what happened */ 591 #define XFRM_REPLAY_UPDATE XFRM_AE_CR 592 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE 593 594 /* default aevent timeout in units of 100ms */ 595 #define XFRM_AE_ETIME 10 596 /* Async Event timer multiplier */ 597 #define XFRM_AE_ETH_M 10 598 /* default seq threshold size */ 599 #define XFRM_AE_SEQT_SIZE 2 600 601 struct xfrm_mgr { 602 struct list_head list; 603 int (*notify)(struct xfrm_state *x, const struct km_event *c); 604 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp); 605 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir); 606 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport); 607 int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c); 608 int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr); 609 int (*migrate)(const struct xfrm_selector *sel, 610 u8 dir, u8 type, 611 const struct xfrm_migrate *m, 612 int num_bundles, 613 const struct xfrm_kmaddress *k, 614 const struct xfrm_encap_tmpl *encap); 615 bool (*is_alive)(const struct km_event *c); 616 }; 617 618 void xfrm_register_km(struct xfrm_mgr *km); 619 void xfrm_unregister_km(struct xfrm_mgr *km); 620 621 struct xfrm_tunnel_skb_cb { 622 union { 623 struct inet_skb_parm h4; 624 struct inet6_skb_parm h6; 625 } header; 626 627 union { 628 struct ip_tunnel *ip4; 629 struct ip6_tnl *ip6; 630 } tunnel; 631 }; 632 633 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0])) 634 635 /* 636 * This structure is used for the duration where packets are being 637 * transformed by IPsec. As soon as the packet leaves IPsec the 638 * area beyond the generic IP part may be overwritten. 639 */ 640 struct xfrm_skb_cb { 641 struct xfrm_tunnel_skb_cb header; 642 643 /* Sequence number for replay protection. */ 644 union { 645 struct { 646 __u32 low; 647 __u32 hi; 648 } output; 649 struct { 650 __be32 low; 651 __be32 hi; 652 } input; 653 } seq; 654 }; 655 656 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0])) 657 658 /* 659 * This structure is used by the afinfo prepare_input/prepare_output functions 660 * to transmit header information to the mode input/output functions. 661 */ 662 struct xfrm_mode_skb_cb { 663 struct xfrm_tunnel_skb_cb header; 664 665 /* Copied from header for IPv4, always set to zero and DF for IPv6. */ 666 __be16 id; 667 __be16 frag_off; 668 669 /* IP header length (excluding options or extension headers). */ 670 u8 ihl; 671 672 /* TOS for IPv4, class for IPv6. */ 673 u8 tos; 674 675 /* TTL for IPv4, hop limitfor IPv6. */ 676 u8 ttl; 677 678 /* Protocol for IPv4, NH for IPv6. */ 679 u8 protocol; 680 681 /* Option length for IPv4, zero for IPv6. */ 682 u8 optlen; 683 684 /* Used by IPv6 only, zero for IPv4. */ 685 u8 flow_lbl[3]; 686 }; 687 688 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0])) 689 690 /* 691 * This structure is used by the input processing to locate the SPI and 692 * related information. 693 */ 694 struct xfrm_spi_skb_cb { 695 struct xfrm_tunnel_skb_cb header; 696 697 unsigned int daddroff; 698 unsigned int family; 699 __be32 seq; 700 }; 701 702 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0])) 703 704 #ifdef CONFIG_AUDITSYSCALL 705 static inline struct audit_buffer *xfrm_audit_start(const char *op) 706 { 707 struct audit_buffer *audit_buf = NULL; 708 709 if (audit_enabled == AUDIT_OFF) 710 return NULL; 711 audit_buf = audit_log_start(audit_context(), GFP_ATOMIC, 712 AUDIT_MAC_IPSEC_EVENT); 713 if (audit_buf == NULL) 714 return NULL; 715 audit_log_format(audit_buf, "op=%s", op); 716 return audit_buf; 717 } 718 719 static inline void xfrm_audit_helper_usrinfo(bool task_valid, 720 struct audit_buffer *audit_buf) 721 { 722 const unsigned int auid = from_kuid(&init_user_ns, task_valid ? 723 audit_get_loginuid(current) : 724 INVALID_UID); 725 const unsigned int ses = task_valid ? audit_get_sessionid(current) : 726 AUDIT_SID_UNSET; 727 728 audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses); 729 audit_log_task_context(audit_buf); 730 } 731 732 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid); 733 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 734 bool task_valid); 735 void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid); 736 void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid); 737 void xfrm_audit_state_replay_overflow(struct xfrm_state *x, 738 struct sk_buff *skb); 739 void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb, 740 __be32 net_seq); 741 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family); 742 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi, 743 __be32 net_seq); 744 void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb, 745 u8 proto); 746 #else 747 748 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 749 bool task_valid) 750 { 751 } 752 753 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 754 bool task_valid) 755 { 756 } 757 758 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result, 759 bool task_valid) 760 { 761 } 762 763 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result, 764 bool task_valid) 765 { 766 } 767 768 static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x, 769 struct sk_buff *skb) 770 { 771 } 772 773 static inline void xfrm_audit_state_replay(struct xfrm_state *x, 774 struct sk_buff *skb, __be32 net_seq) 775 { 776 } 777 778 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb, 779 u16 family) 780 { 781 } 782 783 static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, 784 __be32 net_spi, __be32 net_seq) 785 { 786 } 787 788 static inline void xfrm_audit_state_icvfail(struct xfrm_state *x, 789 struct sk_buff *skb, u8 proto) 790 { 791 } 792 #endif /* CONFIG_AUDITSYSCALL */ 793 794 static inline void xfrm_pol_hold(struct xfrm_policy *policy) 795 { 796 if (likely(policy != NULL)) 797 refcount_inc(&policy->refcnt); 798 } 799 800 void xfrm_policy_destroy(struct xfrm_policy *policy); 801 802 static inline void xfrm_pol_put(struct xfrm_policy *policy) 803 { 804 if (refcount_dec_and_test(&policy->refcnt)) 805 xfrm_policy_destroy(policy); 806 } 807 808 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols) 809 { 810 int i; 811 for (i = npols - 1; i >= 0; --i) 812 xfrm_pol_put(pols[i]); 813 } 814 815 void __xfrm_state_destroy(struct xfrm_state *, bool); 816 817 static inline void __xfrm_state_put(struct xfrm_state *x) 818 { 819 refcount_dec(&x->refcnt); 820 } 821 822 static inline void xfrm_state_put(struct xfrm_state *x) 823 { 824 if (refcount_dec_and_test(&x->refcnt)) 825 __xfrm_state_destroy(x, false); 826 } 827 828 static inline void xfrm_state_put_sync(struct xfrm_state *x) 829 { 830 if (refcount_dec_and_test(&x->refcnt)) 831 __xfrm_state_destroy(x, true); 832 } 833 834 static inline void xfrm_state_hold(struct xfrm_state *x) 835 { 836 refcount_inc(&x->refcnt); 837 } 838 839 static inline bool addr_match(const void *token1, const void *token2, 840 unsigned int prefixlen) 841 { 842 const __be32 *a1 = token1; 843 const __be32 *a2 = token2; 844 unsigned int pdw; 845 unsigned int pbi; 846 847 pdw = prefixlen >> 5; /* num of whole u32 in prefix */ 848 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */ 849 850 if (pdw) 851 if (memcmp(a1, a2, pdw << 2)) 852 return false; 853 854 if (pbi) { 855 __be32 mask; 856 857 mask = htonl((0xffffffff) << (32 - pbi)); 858 859 if ((a1[pdw] ^ a2[pdw]) & mask) 860 return false; 861 } 862 863 return true; 864 } 865 866 static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen) 867 { 868 /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */ 869 if (sizeof(long) == 4 && prefixlen == 0) 870 return true; 871 return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen))); 872 } 873 874 static __inline__ 875 __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli) 876 { 877 __be16 port; 878 switch(fl->flowi_proto) { 879 case IPPROTO_TCP: 880 case IPPROTO_UDP: 881 case IPPROTO_UDPLITE: 882 case IPPROTO_SCTP: 883 port = uli->ports.sport; 884 break; 885 case IPPROTO_ICMP: 886 case IPPROTO_ICMPV6: 887 port = htons(uli->icmpt.type); 888 break; 889 case IPPROTO_MH: 890 port = htons(uli->mht.type); 891 break; 892 case IPPROTO_GRE: 893 port = htons(ntohl(uli->gre_key) >> 16); 894 break; 895 default: 896 port = 0; /*XXX*/ 897 } 898 return port; 899 } 900 901 static __inline__ 902 __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli) 903 { 904 __be16 port; 905 switch(fl->flowi_proto) { 906 case IPPROTO_TCP: 907 case IPPROTO_UDP: 908 case IPPROTO_UDPLITE: 909 case IPPROTO_SCTP: 910 port = uli->ports.dport; 911 break; 912 case IPPROTO_ICMP: 913 case IPPROTO_ICMPV6: 914 port = htons(uli->icmpt.code); 915 break; 916 case IPPROTO_GRE: 917 port = htons(ntohl(uli->gre_key) & 0xffff); 918 break; 919 default: 920 port = 0; /*XXX*/ 921 } 922 return port; 923 } 924 925 bool xfrm_selector_match(const struct xfrm_selector *sel, 926 const struct flowi *fl, unsigned short family); 927 928 #ifdef CONFIG_SECURITY_NETWORK_XFRM 929 /* If neither has a context --> match 930 * Otherwise, both must have a context and the sids, doi, alg must match 931 */ 932 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2) 933 { 934 return ((!s1 && !s2) || 935 (s1 && s2 && 936 (s1->ctx_sid == s2->ctx_sid) && 937 (s1->ctx_doi == s2->ctx_doi) && 938 (s1->ctx_alg == s2->ctx_alg))); 939 } 940 #else 941 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2) 942 { 943 return true; 944 } 945 #endif 946 947 /* A struct encoding bundle of transformations to apply to some set of flow. 948 * 949 * xdst->child points to the next element of bundle. 950 * dst->xfrm points to an instanse of transformer. 951 * 952 * Due to unfortunate limitations of current routing cache, which we 953 * have no time to fix, it mirrors struct rtable and bound to the same 954 * routing key, including saddr,daddr. However, we can have many of 955 * bundles differing by session id. All the bundles grow from a parent 956 * policy rule. 957 */ 958 struct xfrm_dst { 959 union { 960 struct dst_entry dst; 961 struct rtable rt; 962 struct rt6_info rt6; 963 } u; 964 struct dst_entry *route; 965 struct dst_entry *child; 966 struct dst_entry *path; 967 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; 968 int num_pols, num_xfrms; 969 u32 xfrm_genid; 970 u32 policy_genid; 971 u32 route_mtu_cached; 972 u32 child_mtu_cached; 973 u32 route_cookie; 974 u32 path_cookie; 975 }; 976 977 static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst) 978 { 979 #ifdef CONFIG_XFRM 980 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { 981 const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst; 982 983 return xdst->path; 984 } 985 #endif 986 return (struct dst_entry *) dst; 987 } 988 989 static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst) 990 { 991 #ifdef CONFIG_XFRM 992 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { 993 struct xfrm_dst *xdst = (struct xfrm_dst *) dst; 994 return xdst->child; 995 } 996 #endif 997 return NULL; 998 } 999 1000 #ifdef CONFIG_XFRM 1001 static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child) 1002 { 1003 xdst->child = child; 1004 } 1005 1006 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst) 1007 { 1008 xfrm_pols_put(xdst->pols, xdst->num_pols); 1009 dst_release(xdst->route); 1010 if (likely(xdst->u.dst.xfrm)) 1011 xfrm_state_put(xdst->u.dst.xfrm); 1012 } 1013 #endif 1014 1015 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev); 1016 1017 struct xfrm_if_parms { 1018 int link; /* ifindex of underlying L2 interface */ 1019 u32 if_id; /* interface identifyer */ 1020 bool collect_md; 1021 }; 1022 1023 struct xfrm_if { 1024 struct xfrm_if __rcu *next; /* next interface in list */ 1025 struct net_device *dev; /* virtual device associated with interface */ 1026 struct net *net; /* netns for packet i/o */ 1027 struct xfrm_if_parms p; /* interface parms */ 1028 1029 struct gro_cells gro_cells; 1030 }; 1031 1032 struct xfrm_offload { 1033 /* Output sequence number for replay protection on offloading. */ 1034 struct { 1035 __u32 low; 1036 __u32 hi; 1037 } seq; 1038 1039 __u32 flags; 1040 #define SA_DELETE_REQ 1 1041 #define CRYPTO_DONE 2 1042 #define CRYPTO_NEXT_DONE 4 1043 #define CRYPTO_FALLBACK 8 1044 #define XFRM_GSO_SEGMENT 16 1045 #define XFRM_GRO 32 1046 /* 64 is free */ 1047 #define XFRM_DEV_RESUME 128 1048 #define XFRM_XMIT 256 1049 1050 __u32 status; 1051 #define CRYPTO_SUCCESS 1 1052 #define CRYPTO_GENERIC_ERROR 2 1053 #define CRYPTO_TRANSPORT_AH_AUTH_FAILED 4 1054 #define CRYPTO_TRANSPORT_ESP_AUTH_FAILED 8 1055 #define CRYPTO_TUNNEL_AH_AUTH_FAILED 16 1056 #define CRYPTO_TUNNEL_ESP_AUTH_FAILED 32 1057 #define CRYPTO_INVALID_PACKET_SYNTAX 64 1058 #define CRYPTO_INVALID_PROTOCOL 128 1059 1060 /* Used to keep whole l2 header for transport mode GRO */ 1061 __u32 orig_mac_len; 1062 1063 __u8 proto; 1064 __u8 inner_ipproto; 1065 }; 1066 1067 struct sec_path { 1068 int len; 1069 int olen; 1070 int verified_cnt; 1071 1072 struct xfrm_state *xvec[XFRM_MAX_DEPTH]; 1073 struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH]; 1074 }; 1075 1076 struct sec_path *secpath_set(struct sk_buff *skb); 1077 1078 static inline void 1079 secpath_reset(struct sk_buff *skb) 1080 { 1081 #ifdef CONFIG_XFRM 1082 skb_ext_del(skb, SKB_EXT_SEC_PATH); 1083 #endif 1084 } 1085 1086 static inline int 1087 xfrm_addr_any(const xfrm_address_t *addr, unsigned short family) 1088 { 1089 switch (family) { 1090 case AF_INET: 1091 return addr->a4 == 0; 1092 case AF_INET6: 1093 return ipv6_addr_any(&addr->in6); 1094 } 1095 return 0; 1096 } 1097 1098 static inline int 1099 __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x) 1100 { 1101 return (tmpl->saddr.a4 && 1102 tmpl->saddr.a4 != x->props.saddr.a4); 1103 } 1104 1105 static inline int 1106 __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x) 1107 { 1108 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) && 1109 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr)); 1110 } 1111 1112 static inline int 1113 xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family) 1114 { 1115 switch (family) { 1116 case AF_INET: 1117 return __xfrm4_state_addr_cmp(tmpl, x); 1118 case AF_INET6: 1119 return __xfrm6_state_addr_cmp(tmpl, x); 1120 } 1121 return !0; 1122 } 1123 1124 #ifdef CONFIG_XFRM 1125 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb) 1126 { 1127 struct sec_path *sp = skb_sec_path(skb); 1128 1129 return sp->xvec[sp->len - 1]; 1130 } 1131 #endif 1132 1133 static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb) 1134 { 1135 #ifdef CONFIG_XFRM 1136 struct sec_path *sp = skb_sec_path(skb); 1137 1138 if (!sp || !sp->olen || sp->len != sp->olen) 1139 return NULL; 1140 1141 return &sp->ovec[sp->olen - 1]; 1142 #else 1143 return NULL; 1144 #endif 1145 } 1146 1147 #ifdef CONFIG_XFRM 1148 int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, 1149 unsigned short family); 1150 1151 static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb, 1152 int dir) 1153 { 1154 if (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) 1155 return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT; 1156 1157 return false; 1158 } 1159 1160 static inline bool __xfrm_check_dev_nopolicy(struct sk_buff *skb, 1161 int dir, unsigned short family) 1162 { 1163 if (dir != XFRM_POLICY_OUT && family == AF_INET) { 1164 /* same dst may be used for traffic originating from 1165 * devices with different policy settings. 1166 */ 1167 return IPCB(skb)->flags & IPSKB_NOPOLICY; 1168 } 1169 return skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY); 1170 } 1171 1172 static inline int __xfrm_policy_check2(struct sock *sk, int dir, 1173 struct sk_buff *skb, 1174 unsigned int family, int reverse) 1175 { 1176 struct net *net = dev_net(skb->dev); 1177 int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0); 1178 struct xfrm_offload *xo = xfrm_offload(skb); 1179 struct xfrm_state *x; 1180 1181 if (sk && sk->sk_policy[XFRM_POLICY_IN]) 1182 return __xfrm_policy_check(sk, ndir, skb, family); 1183 1184 if (xo) { 1185 x = xfrm_input_state(skb); 1186 if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET) 1187 return (xo->flags & CRYPTO_DONE) && 1188 (xo->status & CRYPTO_SUCCESS); 1189 } 1190 1191 return __xfrm_check_nopolicy(net, skb, dir) || 1192 __xfrm_check_dev_nopolicy(skb, dir, family) || 1193 __xfrm_policy_check(sk, ndir, skb, family); 1194 } 1195 1196 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) 1197 { 1198 return __xfrm_policy_check2(sk, dir, skb, family, 0); 1199 } 1200 1201 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 1202 { 1203 return xfrm_policy_check(sk, dir, skb, AF_INET); 1204 } 1205 1206 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 1207 { 1208 return xfrm_policy_check(sk, dir, skb, AF_INET6); 1209 } 1210 1211 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir, 1212 struct sk_buff *skb) 1213 { 1214 return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1); 1215 } 1216 1217 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, 1218 struct sk_buff *skb) 1219 { 1220 return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1); 1221 } 1222 1223 int __xfrm_decode_session(struct net *net, struct sk_buff *skb, struct flowi *fl, 1224 unsigned int family, int reverse); 1225 1226 static inline int xfrm_decode_session(struct net *net, struct sk_buff *skb, struct flowi *fl, 1227 unsigned int family) 1228 { 1229 return __xfrm_decode_session(net, skb, fl, family, 0); 1230 } 1231 1232 static inline int xfrm_decode_session_reverse(struct net *net, struct sk_buff *skb, 1233 struct flowi *fl, 1234 unsigned int family) 1235 { 1236 return __xfrm_decode_session(net, skb, fl, family, 1); 1237 } 1238 1239 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family); 1240 1241 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) 1242 { 1243 struct net *net = dev_net(skb->dev); 1244 1245 if (!net->xfrm.policy_count[XFRM_POLICY_OUT] && 1246 net->xfrm.policy_default[XFRM_POLICY_OUT] == XFRM_USERPOLICY_ACCEPT) 1247 return true; 1248 1249 return (skb_dst(skb)->flags & DST_NOXFRM) || 1250 __xfrm_route_forward(skb, family); 1251 } 1252 1253 static inline int xfrm4_route_forward(struct sk_buff *skb) 1254 { 1255 return xfrm_route_forward(skb, AF_INET); 1256 } 1257 1258 static inline int xfrm6_route_forward(struct sk_buff *skb) 1259 { 1260 return xfrm_route_forward(skb, AF_INET6); 1261 } 1262 1263 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk); 1264 1265 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) 1266 { 1267 if (!sk_fullsock(osk)) 1268 return 0; 1269 sk->sk_policy[0] = NULL; 1270 sk->sk_policy[1] = NULL; 1271 if (unlikely(osk->sk_policy[0] || osk->sk_policy[1])) 1272 return __xfrm_sk_clone_policy(sk, osk); 1273 return 0; 1274 } 1275 1276 int xfrm_policy_delete(struct xfrm_policy *pol, int dir); 1277 1278 static inline void xfrm_sk_free_policy(struct sock *sk) 1279 { 1280 struct xfrm_policy *pol; 1281 1282 pol = rcu_dereference_protected(sk->sk_policy[0], 1); 1283 if (unlikely(pol != NULL)) { 1284 xfrm_policy_delete(pol, XFRM_POLICY_MAX); 1285 sk->sk_policy[0] = NULL; 1286 } 1287 pol = rcu_dereference_protected(sk->sk_policy[1], 1); 1288 if (unlikely(pol != NULL)) { 1289 xfrm_policy_delete(pol, XFRM_POLICY_MAX+1); 1290 sk->sk_policy[1] = NULL; 1291 } 1292 } 1293 1294 #else 1295 1296 static inline void xfrm_sk_free_policy(struct sock *sk) {} 1297 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; } 1298 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; } 1299 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; } 1300 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 1301 { 1302 return 1; 1303 } 1304 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 1305 { 1306 return 1; 1307 } 1308 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) 1309 { 1310 return 1; 1311 } 1312 static inline int xfrm_decode_session_reverse(struct net *net, struct sk_buff *skb, 1313 struct flowi *fl, 1314 unsigned int family) 1315 { 1316 return -ENOSYS; 1317 } 1318 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir, 1319 struct sk_buff *skb) 1320 { 1321 return 1; 1322 } 1323 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, 1324 struct sk_buff *skb) 1325 { 1326 return 1; 1327 } 1328 #endif 1329 1330 static __inline__ 1331 xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family) 1332 { 1333 switch (family){ 1334 case AF_INET: 1335 return (xfrm_address_t *)&fl->u.ip4.daddr; 1336 case AF_INET6: 1337 return (xfrm_address_t *)&fl->u.ip6.daddr; 1338 } 1339 return NULL; 1340 } 1341 1342 static __inline__ 1343 xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family) 1344 { 1345 switch (family){ 1346 case AF_INET: 1347 return (xfrm_address_t *)&fl->u.ip4.saddr; 1348 case AF_INET6: 1349 return (xfrm_address_t *)&fl->u.ip6.saddr; 1350 } 1351 return NULL; 1352 } 1353 1354 static __inline__ 1355 void xfrm_flowi_addr_get(const struct flowi *fl, 1356 xfrm_address_t *saddr, xfrm_address_t *daddr, 1357 unsigned short family) 1358 { 1359 switch(family) { 1360 case AF_INET: 1361 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4)); 1362 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4)); 1363 break; 1364 case AF_INET6: 1365 saddr->in6 = fl->u.ip6.saddr; 1366 daddr->in6 = fl->u.ip6.daddr; 1367 break; 1368 } 1369 } 1370 1371 static __inline__ int 1372 __xfrm4_state_addr_check(const struct xfrm_state *x, 1373 const xfrm_address_t *daddr, const xfrm_address_t *saddr) 1374 { 1375 if (daddr->a4 == x->id.daddr.a4 && 1376 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4)) 1377 return 1; 1378 return 0; 1379 } 1380 1381 static __inline__ int 1382 __xfrm6_state_addr_check(const struct xfrm_state *x, 1383 const xfrm_address_t *daddr, const xfrm_address_t *saddr) 1384 { 1385 if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) && 1386 (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) || 1387 ipv6_addr_any((struct in6_addr *)saddr) || 1388 ipv6_addr_any((struct in6_addr *)&x->props.saddr))) 1389 return 1; 1390 return 0; 1391 } 1392 1393 static __inline__ int 1394 xfrm_state_addr_check(const struct xfrm_state *x, 1395 const xfrm_address_t *daddr, const xfrm_address_t *saddr, 1396 unsigned short family) 1397 { 1398 switch (family) { 1399 case AF_INET: 1400 return __xfrm4_state_addr_check(x, daddr, saddr); 1401 case AF_INET6: 1402 return __xfrm6_state_addr_check(x, daddr, saddr); 1403 } 1404 return 0; 1405 } 1406 1407 static __inline__ int 1408 xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl, 1409 unsigned short family) 1410 { 1411 switch (family) { 1412 case AF_INET: 1413 return __xfrm4_state_addr_check(x, 1414 (const xfrm_address_t *)&fl->u.ip4.daddr, 1415 (const xfrm_address_t *)&fl->u.ip4.saddr); 1416 case AF_INET6: 1417 return __xfrm6_state_addr_check(x, 1418 (const xfrm_address_t *)&fl->u.ip6.daddr, 1419 (const xfrm_address_t *)&fl->u.ip6.saddr); 1420 } 1421 return 0; 1422 } 1423 1424 static inline int xfrm_state_kern(const struct xfrm_state *x) 1425 { 1426 return atomic_read(&x->tunnel_users); 1427 } 1428 1429 static inline bool xfrm_id_proto_valid(u8 proto) 1430 { 1431 switch (proto) { 1432 case IPPROTO_AH: 1433 case IPPROTO_ESP: 1434 case IPPROTO_COMP: 1435 #if IS_ENABLED(CONFIG_IPV6) 1436 case IPPROTO_ROUTING: 1437 case IPPROTO_DSTOPTS: 1438 #endif 1439 return true; 1440 default: 1441 return false; 1442 } 1443 } 1444 1445 /* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */ 1446 static inline int xfrm_id_proto_match(u8 proto, u8 userproto) 1447 { 1448 return (!userproto || proto == userproto || 1449 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH || 1450 proto == IPPROTO_ESP || 1451 proto == IPPROTO_COMP))); 1452 } 1453 1454 /* 1455 * xfrm algorithm information 1456 */ 1457 struct xfrm_algo_aead_info { 1458 char *geniv; 1459 u16 icv_truncbits; 1460 }; 1461 1462 struct xfrm_algo_auth_info { 1463 u16 icv_truncbits; 1464 u16 icv_fullbits; 1465 }; 1466 1467 struct xfrm_algo_encr_info { 1468 char *geniv; 1469 u16 blockbits; 1470 u16 defkeybits; 1471 }; 1472 1473 struct xfrm_algo_comp_info { 1474 u16 threshold; 1475 }; 1476 1477 struct xfrm_algo_desc { 1478 char *name; 1479 char *compat; 1480 u8 available:1; 1481 u8 pfkey_supported:1; 1482 union { 1483 struct xfrm_algo_aead_info aead; 1484 struct xfrm_algo_auth_info auth; 1485 struct xfrm_algo_encr_info encr; 1486 struct xfrm_algo_comp_info comp; 1487 } uinfo; 1488 struct sadb_alg desc; 1489 }; 1490 1491 /* XFRM protocol handlers. */ 1492 struct xfrm4_protocol { 1493 int (*handler)(struct sk_buff *skb); 1494 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi, 1495 int encap_type); 1496 int (*cb_handler)(struct sk_buff *skb, int err); 1497 int (*err_handler)(struct sk_buff *skb, u32 info); 1498 1499 struct xfrm4_protocol __rcu *next; 1500 int priority; 1501 }; 1502 1503 struct xfrm6_protocol { 1504 int (*handler)(struct sk_buff *skb); 1505 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi, 1506 int encap_type); 1507 int (*cb_handler)(struct sk_buff *skb, int err); 1508 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt, 1509 u8 type, u8 code, int offset, __be32 info); 1510 1511 struct xfrm6_protocol __rcu *next; 1512 int priority; 1513 }; 1514 1515 /* XFRM tunnel handlers. */ 1516 struct xfrm_tunnel { 1517 int (*handler)(struct sk_buff *skb); 1518 int (*cb_handler)(struct sk_buff *skb, int err); 1519 int (*err_handler)(struct sk_buff *skb, u32 info); 1520 1521 struct xfrm_tunnel __rcu *next; 1522 int priority; 1523 }; 1524 1525 struct xfrm6_tunnel { 1526 int (*handler)(struct sk_buff *skb); 1527 int (*cb_handler)(struct sk_buff *skb, int err); 1528 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt, 1529 u8 type, u8 code, int offset, __be32 info); 1530 struct xfrm6_tunnel __rcu *next; 1531 int priority; 1532 }; 1533 1534 void xfrm_init(void); 1535 void xfrm4_init(void); 1536 int xfrm_state_init(struct net *net); 1537 void xfrm_state_fini(struct net *net); 1538 void xfrm4_state_init(void); 1539 void xfrm4_protocol_init(void); 1540 #ifdef CONFIG_XFRM 1541 int xfrm6_init(void); 1542 void xfrm6_fini(void); 1543 int xfrm6_state_init(void); 1544 void xfrm6_state_fini(void); 1545 int xfrm6_protocol_init(void); 1546 void xfrm6_protocol_fini(void); 1547 #else 1548 static inline int xfrm6_init(void) 1549 { 1550 return 0; 1551 } 1552 static inline void xfrm6_fini(void) 1553 { 1554 ; 1555 } 1556 #endif 1557 1558 #ifdef CONFIG_XFRM_STATISTICS 1559 int xfrm_proc_init(struct net *net); 1560 void xfrm_proc_fini(struct net *net); 1561 #endif 1562 1563 int xfrm_sysctl_init(struct net *net); 1564 #ifdef CONFIG_SYSCTL 1565 void xfrm_sysctl_fini(struct net *net); 1566 #else 1567 static inline void xfrm_sysctl_fini(struct net *net) 1568 { 1569 } 1570 #endif 1571 1572 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto, 1573 struct xfrm_address_filter *filter); 1574 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk, 1575 int (*func)(struct xfrm_state *, int, void*), void *); 1576 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net); 1577 struct xfrm_state *xfrm_state_alloc(struct net *net); 1578 void xfrm_state_free(struct xfrm_state *x); 1579 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr, 1580 const xfrm_address_t *saddr, 1581 const struct flowi *fl, 1582 struct xfrm_tmpl *tmpl, 1583 struct xfrm_policy *pol, int *err, 1584 unsigned short family, u32 if_id); 1585 struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id, 1586 xfrm_address_t *daddr, 1587 xfrm_address_t *saddr, 1588 unsigned short family, 1589 u8 mode, u8 proto, u32 reqid); 1590 struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi, 1591 unsigned short family); 1592 int xfrm_state_check_expire(struct xfrm_state *x); 1593 void xfrm_state_update_stats(struct net *net); 1594 #ifdef CONFIG_XFRM_OFFLOAD 1595 static inline void xfrm_dev_state_update_stats(struct xfrm_state *x) 1596 { 1597 struct xfrm_dev_offload *xdo = &x->xso; 1598 struct net_device *dev = READ_ONCE(xdo->dev); 1599 1600 if (dev && dev->xfrmdev_ops && 1601 dev->xfrmdev_ops->xdo_dev_state_update_stats) 1602 dev->xfrmdev_ops->xdo_dev_state_update_stats(x); 1603 1604 } 1605 #else 1606 static inline void xfrm_dev_state_update_stats(struct xfrm_state *x) {} 1607 #endif 1608 void xfrm_state_insert(struct xfrm_state *x); 1609 int xfrm_state_add(struct xfrm_state *x); 1610 int xfrm_state_update(struct xfrm_state *x); 1611 struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark, 1612 const xfrm_address_t *daddr, __be32 spi, 1613 u8 proto, unsigned short family); 1614 struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark, 1615 const xfrm_address_t *daddr, 1616 const xfrm_address_t *saddr, 1617 u8 proto, 1618 unsigned short family); 1619 #ifdef CONFIG_XFRM_SUB_POLICY 1620 void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n, 1621 unsigned short family); 1622 void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n, 1623 unsigned short family); 1624 #else 1625 static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s, 1626 int n, unsigned short family) 1627 { 1628 } 1629 1630 static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s, 1631 int n, unsigned short family) 1632 { 1633 } 1634 #endif 1635 1636 struct xfrmk_sadinfo { 1637 u32 sadhcnt; /* current hash bkts */ 1638 u32 sadhmcnt; /* max allowed hash bkts */ 1639 u32 sadcnt; /* current running count */ 1640 }; 1641 1642 struct xfrmk_spdinfo { 1643 u32 incnt; 1644 u32 outcnt; 1645 u32 fwdcnt; 1646 u32 inscnt; 1647 u32 outscnt; 1648 u32 fwdscnt; 1649 u32 spdhcnt; 1650 u32 spdhmcnt; 1651 }; 1652 1653 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq); 1654 int xfrm_state_delete(struct xfrm_state *x); 1655 int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync); 1656 int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid); 1657 int xfrm_dev_policy_flush(struct net *net, struct net_device *dev, 1658 bool task_valid); 1659 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si); 1660 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si); 1661 u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq); 1662 int xfrm_init_replay(struct xfrm_state *x, struct netlink_ext_ack *extack); 1663 u32 xfrm_state_mtu(struct xfrm_state *x, int mtu); 1664 int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload, 1665 struct netlink_ext_ack *extack); 1666 int xfrm_init_state(struct xfrm_state *x); 1667 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type); 1668 int xfrm_input_resume(struct sk_buff *skb, int nexthdr); 1669 int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb, 1670 int (*finish)(struct net *, struct sock *, 1671 struct sk_buff *)); 1672 int xfrm_trans_queue(struct sk_buff *skb, 1673 int (*finish)(struct net *, struct sock *, 1674 struct sk_buff *)); 1675 int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err); 1676 int xfrm_output(struct sock *sk, struct sk_buff *skb); 1677 1678 #if IS_ENABLED(CONFIG_NET_PKTGEN) 1679 int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb); 1680 #endif 1681 1682 void xfrm_local_error(struct sk_buff *skb, int mtu); 1683 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, 1684 int encap_type); 1685 int xfrm4_transport_finish(struct sk_buff *skb, int async); 1686 int xfrm4_rcv(struct sk_buff *skb); 1687 1688 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi) 1689 { 1690 XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL; 1691 XFRM_SPI_SKB_CB(skb)->family = AF_INET; 1692 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); 1693 return xfrm_input(skb, nexthdr, spi, 0); 1694 } 1695 1696 int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb); 1697 int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol); 1698 int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol); 1699 int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family); 1700 int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family); 1701 void xfrm4_local_error(struct sk_buff *skb, u32 mtu); 1702 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi, 1703 struct ip6_tnl *t); 1704 int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, 1705 int encap_type); 1706 int xfrm6_transport_finish(struct sk_buff *skb, int async); 1707 int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t); 1708 int xfrm6_rcv(struct sk_buff *skb); 1709 int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr, 1710 xfrm_address_t *saddr, u8 proto); 1711 void xfrm6_local_error(struct sk_buff *skb, u32 mtu); 1712 int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol); 1713 int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol); 1714 int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family); 1715 int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family); 1716 __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr); 1717 __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr); 1718 int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb); 1719 1720 #ifdef CONFIG_XFRM 1721 void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu); 1722 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb); 1723 int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb); 1724 struct sk_buff *xfrm4_gro_udp_encap_rcv(struct sock *sk, struct list_head *head, 1725 struct sk_buff *skb); 1726 struct sk_buff *xfrm6_gro_udp_encap_rcv(struct sock *sk, struct list_head *head, 1727 struct sk_buff *skb); 1728 int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval, 1729 int optlen); 1730 #else 1731 static inline int xfrm_user_policy(struct sock *sk, int optname, 1732 sockptr_t optval, int optlen) 1733 { 1734 return -ENOPROTOOPT; 1735 } 1736 #endif 1737 1738 struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif, 1739 const xfrm_address_t *saddr, 1740 const xfrm_address_t *daddr, 1741 int family, u32 mark); 1742 1743 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp); 1744 1745 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type); 1746 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk, 1747 int (*func)(struct xfrm_policy *, int, int, void*), 1748 void *); 1749 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net); 1750 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl); 1751 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, 1752 const struct xfrm_mark *mark, 1753 u32 if_id, u8 type, int dir, 1754 struct xfrm_selector *sel, 1755 struct xfrm_sec_ctx *ctx, int delete, 1756 int *err); 1757 struct xfrm_policy *xfrm_policy_byid(struct net *net, 1758 const struct xfrm_mark *mark, u32 if_id, 1759 u8 type, int dir, u32 id, int delete, 1760 int *err); 1761 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid); 1762 void xfrm_policy_hash_rebuild(struct net *net); 1763 u32 xfrm_get_acqseq(void); 1764 int verify_spi_info(u8 proto, u32 min, u32 max, struct netlink_ext_ack *extack); 1765 int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi, 1766 struct netlink_ext_ack *extack); 1767 struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark, 1768 u8 mode, u32 reqid, u32 if_id, u8 proto, 1769 const xfrm_address_t *daddr, 1770 const xfrm_address_t *saddr, int create, 1771 unsigned short family); 1772 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol); 1773 1774 #ifdef CONFIG_XFRM_MIGRATE 1775 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 1776 const struct xfrm_migrate *m, int num_bundles, 1777 const struct xfrm_kmaddress *k, 1778 const struct xfrm_encap_tmpl *encap); 1779 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net, 1780 u32 if_id); 1781 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x, 1782 struct xfrm_migrate *m, 1783 struct xfrm_encap_tmpl *encap); 1784 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 1785 struct xfrm_migrate *m, int num_bundles, 1786 struct xfrm_kmaddress *k, struct net *net, 1787 struct xfrm_encap_tmpl *encap, u32 if_id, 1788 struct netlink_ext_ack *extack); 1789 #endif 1790 1791 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport); 1792 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid); 1793 int km_report(struct net *net, u8 proto, struct xfrm_selector *sel, 1794 xfrm_address_t *addr); 1795 1796 void xfrm_input_init(void); 1797 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq); 1798 1799 void xfrm_probe_algs(void); 1800 int xfrm_count_pfkey_auth_supported(void); 1801 int xfrm_count_pfkey_enc_supported(void); 1802 struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx); 1803 struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx); 1804 struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id); 1805 struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id); 1806 struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id); 1807 struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe); 1808 struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe); 1809 struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe); 1810 struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len, 1811 int probe); 1812 1813 static inline bool xfrm6_addr_equal(const xfrm_address_t *a, 1814 const xfrm_address_t *b) 1815 { 1816 return ipv6_addr_equal((const struct in6_addr *)a, 1817 (const struct in6_addr *)b); 1818 } 1819 1820 static inline bool xfrm_addr_equal(const xfrm_address_t *a, 1821 const xfrm_address_t *b, 1822 sa_family_t family) 1823 { 1824 switch (family) { 1825 default: 1826 case AF_INET: 1827 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0; 1828 case AF_INET6: 1829 return xfrm6_addr_equal(a, b); 1830 } 1831 } 1832 1833 static inline int xfrm_policy_id2dir(u32 index) 1834 { 1835 return index & 7; 1836 } 1837 1838 #ifdef CONFIG_XFRM 1839 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq); 1840 int xfrm_replay_check(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq); 1841 void xfrm_replay_notify(struct xfrm_state *x, int event); 1842 int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb); 1843 int xfrm_replay_recheck(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq); 1844 1845 static inline int xfrm_aevent_is_on(struct net *net) 1846 { 1847 struct sock *nlsk; 1848 int ret = 0; 1849 1850 rcu_read_lock(); 1851 nlsk = rcu_dereference(net->xfrm.nlsk); 1852 if (nlsk) 1853 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS); 1854 rcu_read_unlock(); 1855 return ret; 1856 } 1857 1858 static inline int xfrm_acquire_is_on(struct net *net) 1859 { 1860 struct sock *nlsk; 1861 int ret = 0; 1862 1863 rcu_read_lock(); 1864 nlsk = rcu_dereference(net->xfrm.nlsk); 1865 if (nlsk) 1866 ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE); 1867 rcu_read_unlock(); 1868 1869 return ret; 1870 } 1871 #endif 1872 1873 static inline unsigned int aead_len(struct xfrm_algo_aead *alg) 1874 { 1875 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); 1876 } 1877 1878 static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg) 1879 { 1880 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); 1881 } 1882 1883 static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg) 1884 { 1885 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); 1886 } 1887 1888 static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn) 1889 { 1890 return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32); 1891 } 1892 1893 #ifdef CONFIG_XFRM_MIGRATE 1894 static inline int xfrm_replay_clone(struct xfrm_state *x, 1895 struct xfrm_state *orig) 1896 { 1897 1898 x->replay_esn = kmemdup(orig->replay_esn, 1899 xfrm_replay_state_esn_len(orig->replay_esn), 1900 GFP_KERNEL); 1901 if (!x->replay_esn) 1902 return -ENOMEM; 1903 x->preplay_esn = kmemdup(orig->preplay_esn, 1904 xfrm_replay_state_esn_len(orig->preplay_esn), 1905 GFP_KERNEL); 1906 if (!x->preplay_esn) 1907 return -ENOMEM; 1908 1909 return 0; 1910 } 1911 1912 static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig) 1913 { 1914 return kmemdup(orig, aead_len(orig), GFP_KERNEL); 1915 } 1916 1917 1918 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig) 1919 { 1920 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL); 1921 } 1922 1923 static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig) 1924 { 1925 return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL); 1926 } 1927 1928 static inline void xfrm_states_put(struct xfrm_state **states, int n) 1929 { 1930 int i; 1931 for (i = 0; i < n; i++) 1932 xfrm_state_put(*(states + i)); 1933 } 1934 1935 static inline void xfrm_states_delete(struct xfrm_state **states, int n) 1936 { 1937 int i; 1938 for (i = 0; i < n; i++) 1939 xfrm_state_delete(*(states + i)); 1940 } 1941 #endif 1942 1943 void __init xfrm_dev_init(void); 1944 1945 #ifdef CONFIG_XFRM_OFFLOAD 1946 void xfrm_dev_resume(struct sk_buff *skb); 1947 void xfrm_dev_backlog(struct softnet_data *sd); 1948 struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again); 1949 int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, 1950 struct xfrm_user_offload *xuo, 1951 struct netlink_ext_ack *extack); 1952 int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp, 1953 struct xfrm_user_offload *xuo, u8 dir, 1954 struct netlink_ext_ack *extack); 1955 bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x); 1956 void xfrm_dev_state_delete(struct xfrm_state *x); 1957 void xfrm_dev_state_free(struct xfrm_state *x); 1958 1959 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x) 1960 { 1961 struct xfrm_dev_offload *xso = &x->xso; 1962 struct net_device *dev = READ_ONCE(xso->dev); 1963 1964 if (dev && dev->xfrmdev_ops->xdo_dev_state_advance_esn) 1965 dev->xfrmdev_ops->xdo_dev_state_advance_esn(x); 1966 } 1967 1968 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst) 1969 { 1970 struct xfrm_state *x = dst->xfrm; 1971 struct xfrm_dst *xdst; 1972 1973 if (!x || !x->type_offload) 1974 return false; 1975 1976 xdst = (struct xfrm_dst *) dst; 1977 if (!x->xso.offload_handle && !xdst->child->xfrm) 1978 return true; 1979 if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) && 1980 !xdst->child->xfrm) 1981 return true; 1982 1983 return false; 1984 } 1985 1986 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x) 1987 { 1988 struct xfrm_dev_offload *xdo = &x->xdo; 1989 struct net_device *dev = xdo->dev; 1990 1991 if (dev && dev->xfrmdev_ops && dev->xfrmdev_ops->xdo_dev_policy_delete) 1992 dev->xfrmdev_ops->xdo_dev_policy_delete(x); 1993 } 1994 1995 static inline void xfrm_dev_policy_free(struct xfrm_policy *x) 1996 { 1997 struct xfrm_dev_offload *xdo = &x->xdo; 1998 struct net_device *dev = xdo->dev; 1999 2000 if (dev && dev->xfrmdev_ops) { 2001 if (dev->xfrmdev_ops->xdo_dev_policy_free) 2002 dev->xfrmdev_ops->xdo_dev_policy_free(x); 2003 xdo->dev = NULL; 2004 netdev_put(dev, &xdo->dev_tracker); 2005 } 2006 } 2007 #else 2008 static inline void xfrm_dev_resume(struct sk_buff *skb) 2009 { 2010 } 2011 2012 static inline void xfrm_dev_backlog(struct softnet_data *sd) 2013 { 2014 } 2015 2016 static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again) 2017 { 2018 return skb; 2019 } 2020 2021 static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo, struct netlink_ext_ack *extack) 2022 { 2023 return 0; 2024 } 2025 2026 static inline void xfrm_dev_state_delete(struct xfrm_state *x) 2027 { 2028 } 2029 2030 static inline void xfrm_dev_state_free(struct xfrm_state *x) 2031 { 2032 } 2033 2034 static inline int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp, 2035 struct xfrm_user_offload *xuo, u8 dir, 2036 struct netlink_ext_ack *extack) 2037 { 2038 return 0; 2039 } 2040 2041 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x) 2042 { 2043 } 2044 2045 static inline void xfrm_dev_policy_free(struct xfrm_policy *x) 2046 { 2047 } 2048 2049 static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x) 2050 { 2051 return false; 2052 } 2053 2054 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x) 2055 { 2056 } 2057 2058 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst) 2059 { 2060 return false; 2061 } 2062 #endif 2063 2064 static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m) 2065 { 2066 if (attrs[XFRMA_MARK]) 2067 memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark)); 2068 else 2069 m->v = m->m = 0; 2070 2071 return m->v & m->m; 2072 } 2073 2074 static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m) 2075 { 2076 int ret = 0; 2077 2078 if (m->m | m->v) 2079 ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m); 2080 return ret; 2081 } 2082 2083 static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x) 2084 { 2085 struct xfrm_mark *m = &x->props.smark; 2086 2087 return (m->v & m->m) | (mark & ~m->m); 2088 } 2089 2090 static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id) 2091 { 2092 int ret = 0; 2093 2094 if (if_id) 2095 ret = nla_put_u32(skb, XFRMA_IF_ID, if_id); 2096 return ret; 2097 } 2098 2099 static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x, 2100 unsigned int family) 2101 { 2102 bool tunnel = false; 2103 2104 switch(family) { 2105 case AF_INET: 2106 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4) 2107 tunnel = true; 2108 break; 2109 case AF_INET6: 2110 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6) 2111 tunnel = true; 2112 break; 2113 } 2114 if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL)) 2115 return -EINVAL; 2116 2117 return 0; 2118 } 2119 2120 extern const int xfrm_msg_min[XFRM_NR_MSGTYPES]; 2121 extern const struct nla_policy xfrma_policy[XFRMA_MAX+1]; 2122 2123 struct xfrm_translator { 2124 /* Allocate frag_list and put compat translation there */ 2125 int (*alloc_compat)(struct sk_buff *skb, const struct nlmsghdr *src); 2126 2127 /* Allocate nlmsg with 64-bit translaton of received 32-bit message */ 2128 struct nlmsghdr *(*rcv_msg_compat)(const struct nlmsghdr *nlh, 2129 int maxtype, const struct nla_policy *policy, 2130 struct netlink_ext_ack *extack); 2131 2132 /* Translate 32-bit user_policy from sockptr */ 2133 int (*xlate_user_policy_sockptr)(u8 **pdata32, int optlen); 2134 2135 struct module *owner; 2136 }; 2137 2138 #if IS_ENABLED(CONFIG_XFRM_USER_COMPAT) 2139 extern int xfrm_register_translator(struct xfrm_translator *xtr); 2140 extern int xfrm_unregister_translator(struct xfrm_translator *xtr); 2141 extern struct xfrm_translator *xfrm_get_translator(void); 2142 extern void xfrm_put_translator(struct xfrm_translator *xtr); 2143 #else 2144 static inline struct xfrm_translator *xfrm_get_translator(void) 2145 { 2146 return NULL; 2147 } 2148 static inline void xfrm_put_translator(struct xfrm_translator *xtr) 2149 { 2150 } 2151 #endif 2152 2153 #if IS_ENABLED(CONFIG_IPV6) 2154 static inline bool xfrm6_local_dontfrag(const struct sock *sk) 2155 { 2156 int proto; 2157 2158 if (!sk || sk->sk_family != AF_INET6) 2159 return false; 2160 2161 proto = sk->sk_protocol; 2162 if (proto == IPPROTO_UDP || proto == IPPROTO_RAW) 2163 return inet6_test_bit(DONTFRAG, sk); 2164 2165 return false; 2166 } 2167 #endif 2168 2169 #if (IS_BUILTIN(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) || \ 2170 (IS_MODULE(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES)) 2171 2172 extern struct metadata_dst __percpu *xfrm_bpf_md_dst; 2173 2174 int register_xfrm_interface_bpf(void); 2175 2176 #else 2177 2178 static inline int register_xfrm_interface_bpf(void) 2179 { 2180 return 0; 2181 } 2182 2183 #endif 2184 2185 #if IS_ENABLED(CONFIG_DEBUG_INFO_BTF) 2186 int register_xfrm_state_bpf(void); 2187 #else 2188 static inline int register_xfrm_state_bpf(void) 2189 { 2190 return 0; 2191 } 2192 #endif 2193 2194 int xfrm_nat_keepalive_init(unsigned short family); 2195 void xfrm_nat_keepalive_fini(unsigned short family); 2196 int xfrm_nat_keepalive_net_init(struct net *net); 2197 int xfrm_nat_keepalive_net_fini(struct net *net); 2198 void xfrm_nat_keepalive_state_updated(struct xfrm_state *x); 2199 2200 #endif /* _NET_XFRM_H */ 2201

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

TOMOYO Linux Cross Reference Linux/include/net/xfrm.h

TOMOYO Linux Cross Reference
Linux/include/net/xfrm.h