1 /* SPDX-License-Identifier: GPL-2.0 */
5 #include <linux/compiler.h>
6 #include <linux/xfrm.h>
7 #include <linux/spinlock.h>
8 #include <linux/list.h>
9 #include <linux/skbuff.h>
10 #include <linux/socket.h>
11 #include <linux/pfkeyv2.h>
12 #include <linux/ipsec.h>
13 #include <linux/in6.h>
14 #include <linux/mutex.h>
15 #include <linux/audit.h>
16 #include <linux/slab.h>
17 #include <linux/refcount.h>
18 #include <linux/sockptr.h>
22 #include <net/inet_dscp.h>
24 #include <net/route.h>
26 #include <net/ip6_fib.h>
28 #include <net/gro_cells.h>
30 #include <linux/interrupt.h>
32 #ifdef CONFIG_XFRM_STATISTICS
36 #define XFRM_PROTO_ESP 50
37 #define XFRM_PROTO_AH 51
38 #define XFRM_PROTO_COMP 108
39 #define XFRM_PROTO_IPIP 4
40 #define XFRM_PROTO_IPV6 41
41 #define XFRM_PROTO_ROUTING IPPROTO_ROUTING
42 #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS
44 #define XFRM_ALIGN4(len) (((len) + 3) & ~3)
45 #define XFRM_ALIGN8(len) (((len) + 7) & ~7)
46 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
47 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
48 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
49 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
50 #define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \
51 MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto))
53 #ifdef CONFIG_XFRM_STATISTICS
54 #define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
55 #define XFRM_ADD_STATS(net, field, val) SNMP_ADD_STATS((net)->mib.xfrm_statistics, field, val)
57 #define XFRM_INC_STATS(net, field) ((void)(net))
58 #define XFRM_ADD_STATS(net, field, val) ((void)(net))
62 /* Organization of SPD aka "XFRM rules"
63 ------------------------------------
66 - policy rule, struct xfrm_policy (=SPD entry)
67 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
68 - instance of a transformer, struct xfrm_state (=SA)
69 - template to clone xfrm_state, struct xfrm_tmpl
71 SPD is organized as hash table (for policies that meet minimum address prefix
72 length setting, net->xfrm.policy_hthresh). Other policies are stored in
73 lists, sorted into rbtree ordered by destination and source address networks.
74 See net/xfrm/xfrm_policy.c for details.
76 (To be compatible with existing pfkeyv2 implementations,
77 many rules with priority of 0x7fffffff are allowed to exist and
78 such rules are ordered in an unpredictable way, thanks to bsd folks.)
80 If "action" is "block", then we prohibit the flow, otherwise:
81 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
82 policy entry has list of up to XFRM_MAX_DEPTH transformations,
83 described by templates xfrm_tmpl. Each template is resolved
84 to a complete xfrm_state (see below) and we pack bundle of transformations
85 to a dst_entry returned to requester.
87 dst -. xfrm .-> xfrm_state #1
88 |---. child .-> dst -. xfrm .-> xfrm_state #2
89 |---. child .-> dst -. xfrm .-> xfrm_state #3
93 Resolution of xrfm_tmpl
94 -----------------------
96 1. ->mode Mode: transport or tunnel
97 2. ->id.proto Protocol: AH/ESP/IPCOMP
98 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
99 Q: allow to resolve security gateway?
100 4. ->id.spi If not zero, static SPI.
101 5. ->saddr Local tunnel endpoint, ignored for transport mode.
102 6. ->algos List of allowed algos. Plain bitmask now.
103 Q: ealgos, aalgos, calgos. What a mess...
104 7. ->share Sharing mode.
105 Q: how to implement private sharing mode? To add struct sock* to
108 Having this template we search through SAD searching for entries
109 with appropriate mode/proto/algo, permitted by selector.
110 If no appropriate entry found, it is requested from key manager.
113 Q: How to find all the bundles referring to a physical path for
114 PMTU discovery? Seems, dst should contain list of all parents...
115 and enter to infinite locking hierarchy disaster.
116 No! It is easier, we will not search for them, let them find us.
117 We add genid to each dst plus pointer to genid of raw IP route,
118 pmtu disc will update pmtu on raw IP route and increase its genid.
119 dst_check() will see this for top level and trigger resyncing
120 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
123 struct xfrm_state_walk {
124 struct list_head all;
129 struct xfrm_address_filter *filter;
133 XFRM_DEV_OFFLOAD_IN = 1,
134 XFRM_DEV_OFFLOAD_OUT,
135 XFRM_DEV_OFFLOAD_FWD,
139 XFRM_DEV_OFFLOAD_UNSPECIFIED,
140 XFRM_DEV_OFFLOAD_CRYPTO,
141 XFRM_DEV_OFFLOAD_PACKET,
145 XFRM_DEV_OFFLOAD_FLAG_ACQ = 1,
148 struct xfrm_dev_offload {
149 struct net_device *dev;
150 netdevice_tracker dev_tracker;
151 struct net_device *real_dev;
152 unsigned long offload_handle;
164 /* Flags for xfrm_mode. */
166 XFRM_MODE_FLAG_TUNNEL = 1,
169 enum xfrm_replay_mode {
170 XFRM_REPLAY_MODE_LEGACY,
171 XFRM_REPLAY_MODE_BMP,
172 XFRM_REPLAY_MODE_ESN,
175 /* Full description of state of transformer. */
177 possible_net_t xs_net;
179 struct hlist_node gclist;
180 struct hlist_node bydst;
183 struct hlist_node dev_gclist;
184 struct hlist_node bysrc;
186 struct hlist_node byspi;
187 struct hlist_node byseq;
188 struct hlist_node state_cache;
189 struct hlist_node state_cache_input;
196 struct xfrm_selector sel;
197 struct xfrm_mark mark;
203 /* Key manager bits */
204 struct xfrm_state_walk km;
206 /* Parameters of this state. */
211 u8 aalgo, ealgo, calgo;
214 xfrm_address_t saddr;
218 struct xfrm_mark smark;
221 struct xfrm_lifetime_cfg lft;
223 /* Data for transformer */
224 struct xfrm_algo_auth *aalg;
225 struct xfrm_algo *ealg;
226 struct xfrm_algo *calg;
227 struct xfrm_algo_aead *aead;
230 /* mapping change rate limiting */
231 __be16 new_mapping_sport;
232 u32 new_mapping; /* seconds */
233 u32 mapping_maxage; /* seconds for input SA */
235 /* Data for encapsulator */
236 struct xfrm_encap_tmpl *encap;
237 struct sock __rcu *encap_sk;
240 u32 nat_keepalive_interval; /* seconds */
241 time64_t nat_keepalive_expiration;
243 /* Data for care-of address */
244 xfrm_address_t *coaddr;
246 /* IPComp needs an IPIP tunnel for handling uncompressed packets */
247 struct xfrm_state *tunnel;
249 /* If a tunnel, number of users + 1 */
250 atomic_t tunnel_users;
252 /* State for replay detection */
253 struct xfrm_replay_state replay;
254 struct xfrm_replay_state_esn *replay_esn;
256 /* Replay detection state at the time we sent the last notification */
257 struct xfrm_replay_state preplay;
258 struct xfrm_replay_state_esn *preplay_esn;
260 /* replay detection mode */
261 enum xfrm_replay_mode repl_mode;
262 /* internal flag that only holds state for delayed aevent at the
267 /* Replay detection notification settings */
271 /* Replay detection notification timer */
272 struct timer_list rtimer;
275 struct xfrm_stats stats;
277 struct xfrm_lifetime_cur curlft;
278 struct hrtimer mtimer;
280 struct xfrm_dev_offload xso;
282 /* used to fix curlft->add_time when changing date */
288 struct page_frag xfrag;
290 /* Reference to data common to all the instances of this
292 const struct xfrm_type *type;
293 struct xfrm_mode inner_mode;
294 struct xfrm_mode inner_mode_iaf;
295 struct xfrm_mode outer_mode;
297 const struct xfrm_type_offload *type_offload;
299 /* Security context */
300 struct xfrm_sec_ctx *security;
302 /* Private data of this transformer, format is opaque,
303 * interpreted by xfrm_type methods. */
308 static inline struct net *xs_net(struct xfrm_state *x)
310 return read_pnet(&x->xs_net);
313 /* xflags - make enum if more show up */
314 #define XFRM_TIME_DEFER 1
315 #define XFRM_SOFT_EXPIRE 2
326 /* callback structure passed from either netlink or pfkey */
342 struct xfrm_if_decode_session_result {
348 bool (*decode_session)(struct sk_buff *skb,
349 unsigned short family,
350 struct xfrm_if_decode_session_result *res);
353 void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb);
354 void xfrm_if_unregister_cb(void);
356 struct xfrm_dst_lookup_params {
360 xfrm_address_t *saddr;
361 xfrm_address_t *daddr;
370 struct xfrm_policy_afinfo {
371 struct dst_ops *dst_ops;
372 struct dst_entry *(*dst_lookup)(const struct xfrm_dst_lookup_params *params);
373 int (*get_saddr)(xfrm_address_t *saddr,
374 const struct xfrm_dst_lookup_params *params);
375 int (*fill_dst)(struct xfrm_dst *xdst,
376 struct net_device *dev,
377 const struct flowi *fl);
378 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
381 int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family);
382 void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo);
383 void km_policy_notify(struct xfrm_policy *xp, int dir,
384 const struct km_event *c);
385 void km_state_notify(struct xfrm_state *x, const struct km_event *c);
388 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t,
389 struct xfrm_policy *pol);
390 void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
391 int __xfrm_state_delete(struct xfrm_state *x);
393 struct xfrm_state_afinfo {
397 const struct xfrm_type_offload *type_offload_esp;
399 const struct xfrm_type *type_esp;
400 const struct xfrm_type *type_ipip;
401 const struct xfrm_type *type_ipip6;
402 const struct xfrm_type *type_comp;
403 const struct xfrm_type *type_ah;
404 const struct xfrm_type *type_routing;
405 const struct xfrm_type *type_dstopts;
407 int (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
408 int (*transport_finish)(struct sk_buff *skb,
410 void (*local_error)(struct sk_buff *skb, u32 mtu);
413 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
414 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
415 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
416 struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family);
418 struct xfrm_input_afinfo {
421 int (*callback)(struct sk_buff *skb, u8 protocol,
425 int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
426 int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
428 void xfrm_flush_gc(void);
429 void xfrm_state_delete_tunnel(struct xfrm_state *x);
432 struct module *owner;
435 #define XFRM_TYPE_NON_FRAGMENT 1
436 #define XFRM_TYPE_REPLAY_PROT 2
437 #define XFRM_TYPE_LOCAL_COADDR 4
438 #define XFRM_TYPE_REMOTE_COADDR 8
440 int (*init_state)(struct xfrm_state *x,
441 struct netlink_ext_ack *extack);
442 void (*destructor)(struct xfrm_state *);
443 int (*input)(struct xfrm_state *, struct sk_buff *skb);
444 int (*output)(struct xfrm_state *, struct sk_buff *pskb);
445 int (*reject)(struct xfrm_state *, struct sk_buff *,
446 const struct flowi *);
449 int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
450 void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
452 struct xfrm_type_offload {
453 struct module *owner;
455 void (*encap)(struct xfrm_state *, struct sk_buff *pskb);
456 int (*input_tail)(struct xfrm_state *x, struct sk_buff *skb);
457 int (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features);
460 int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);
461 void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);
463 static inline int xfrm_af2proto(unsigned int family)
475 static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
477 if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
478 (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
479 return &x->inner_mode;
481 return &x->inner_mode_iaf;
485 /* id in template is interpreted as:
486 * daddr - destination of tunnel, may be zero for transport mode.
487 * spi - zero to acquire spi. Not zero if spi is static, then
488 * daddr must be fixed too.
489 * proto - AH/ESP/IPCOMP
493 /* Source address of tunnel. Ignored, if it is not a tunnel. */
494 xfrm_address_t saddr;
496 unsigned short encap_family;
500 /* Mode: transport, tunnel etc. */
503 /* Sharing mode: unique, this session only, this user only etc. */
506 /* May skip this transfomration if no SA is found */
509 /* Skip aalgos/ealgos/calgos checks. */
512 /* Bit mask of algos allowed for acquisition */
518 #define XFRM_MAX_DEPTH 6
519 #define XFRM_MAX_OFFLOAD_DEPTH 1
521 struct xfrm_policy_walk_entry {
522 struct list_head all;
526 struct xfrm_policy_walk {
527 struct xfrm_policy_walk_entry walk;
532 struct xfrm_policy_queue {
533 struct sk_buff_head hold_queue;
534 struct timer_list hold_timer;
535 unsigned long timeout;
539 * struct xfrm_policy - xfrm policy
540 * @xp_net: network namespace the policy lives in
541 * @bydst: hlist node for SPD hash table or rbtree list
542 * @byidx: hlist node for index hash table
543 * @state_cache_list: hlist head for policy cached xfrm states
544 * @lock: serialize changes to policy structure members
545 * @refcnt: reference count, freed once it reaches 0
546 * @pos: kernel internal tie-breaker to determine age of policy
548 * @genid: generation, used to invalidate old policies
549 * @priority: priority, set by userspace
550 * @index: policy index (autogenerated)
551 * @if_id: virtual xfrm interface id
553 * @selector: selector
554 * @lft: liftime configuration data
555 * @curlft: liftime state
556 * @walk: list head on pernet policy list
557 * @polq: queue to hold packets while aqcuire operaion in progress
558 * @bydst_reinsert: policy tree node needs to be merged
559 * @type: XFRM_POLICY_TYPE_MAIN or _SUB
560 * @action: XFRM_POLICY_ALLOW or _BLOCK
561 * @flags: XFRM_POLICY_LOCALOK, XFRM_POLICY_ICMP
562 * @xfrm_nr: number of used templates in @xfrm_vec
563 * @family: protocol family
564 * @security: SELinux security label
565 * @xfrm_vec: array of templates to resolve state
566 * @rcu: rcu head, used to defer memory release
567 * @xdo: hardware offload state
570 possible_net_t xp_net;
571 struct hlist_node bydst;
572 struct hlist_node byidx;
574 struct hlist_head state_cache_list;
576 /* This lock only affects elements except for entry. */
580 struct timer_list timer;
586 struct xfrm_mark mark;
587 struct xfrm_selector selector;
588 struct xfrm_lifetime_cfg lft;
589 struct xfrm_lifetime_cur curlft;
590 struct xfrm_policy_walk_entry walk;
591 struct xfrm_policy_queue polq;
598 struct xfrm_sec_ctx *security;
599 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
602 struct xfrm_dev_offload xdo;
605 static inline struct net *xp_net(const struct xfrm_policy *xp)
607 return read_pnet(&xp->xp_net);
610 struct xfrm_kmaddress {
611 xfrm_address_t local;
612 xfrm_address_t remote;
617 struct xfrm_migrate {
618 xfrm_address_t old_daddr;
619 xfrm_address_t old_saddr;
620 xfrm_address_t new_daddr;
621 xfrm_address_t new_saddr;
630 #define XFRM_KM_TIMEOUT 30
632 #define XFRM_REPLAY_UPDATE XFRM_AE_CR
633 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
635 /* default aevent timeout in units of 100ms */
636 #define XFRM_AE_ETIME 10
637 /* Async Event timer multiplier */
638 #define XFRM_AE_ETH_M 10
639 /* default seq threshold size */
640 #define XFRM_AE_SEQT_SIZE 2
643 struct list_head list;
644 int (*notify)(struct xfrm_state *x, const struct km_event *c);
645 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
646 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
647 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
648 int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
649 int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
650 int (*migrate)(const struct xfrm_selector *sel,
652 const struct xfrm_migrate *m,
654 const struct xfrm_kmaddress *k,
655 const struct xfrm_encap_tmpl *encap);
656 bool (*is_alive)(const struct km_event *c);
659 void xfrm_register_km(struct xfrm_mgr *km);
660 void xfrm_unregister_km(struct xfrm_mgr *km);
662 struct xfrm_tunnel_skb_cb {
664 struct inet_skb_parm h4;
665 struct inet6_skb_parm h6;
669 struct ip_tunnel *ip4;
674 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
677 * This structure is used for the duration where packets are being
678 * transformed by IPsec. As soon as the packet leaves IPsec the
679 * area beyond the generic IP part may be overwritten.
682 struct xfrm_tunnel_skb_cb header;
684 /* Sequence number for replay protection. */
697 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
700 * This structure is used by the afinfo prepare_input/prepare_output functions
701 * to transmit header information to the mode input/output functions.
703 struct xfrm_mode_skb_cb {
704 struct xfrm_tunnel_skb_cb header;
706 /* Copied from header for IPv4, always set to zero and DF for IPv6. */
710 /* IP header length (excluding options or extension headers). */
713 /* TOS for IPv4, class for IPv6. */
716 /* TTL for IPv4, hop limitfor IPv6. */
719 /* Protocol for IPv4, NH for IPv6. */
722 /* Option length for IPv4, zero for IPv6. */
725 /* Used by IPv6 only, zero for IPv4. */
729 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
732 * This structure is used by the input processing to locate the SPI and
733 * related information.
735 struct xfrm_spi_skb_cb {
736 struct xfrm_tunnel_skb_cb header;
738 unsigned int daddroff;
743 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
745 #ifdef CONFIG_AUDITSYSCALL
746 static inline struct audit_buffer *xfrm_audit_start(const char *op)
748 struct audit_buffer *audit_buf = NULL;
750 if (audit_enabled == AUDIT_OFF)
752 audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
753 AUDIT_MAC_IPSEC_EVENT);
754 if (audit_buf == NULL)
756 audit_log_format(audit_buf, "op=%s", op);
760 static inline void xfrm_audit_helper_usrinfo(bool task_valid,
761 struct audit_buffer *audit_buf)
763 const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
764 audit_get_loginuid(current) :
766 const unsigned int ses = task_valid ? audit_get_sessionid(current) :
769 audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
770 audit_log_task_context(audit_buf);
773 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
774 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
776 void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
777 void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
778 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
779 struct sk_buff *skb);
780 void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
782 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
783 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi,
785 void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
789 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
794 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
799 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
804 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
809 static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
814 static inline void xfrm_audit_state_replay(struct xfrm_state *x,
815 struct sk_buff *skb, __be32 net_seq)
819 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
824 static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
825 __be32 net_spi, __be32 net_seq)
829 static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
830 struct sk_buff *skb, u8 proto)
833 #endif /* CONFIG_AUDITSYSCALL */
835 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
837 if (likely(policy != NULL))
838 refcount_inc(&policy->refcnt);
841 void xfrm_policy_destroy(struct xfrm_policy *policy);
843 static inline void xfrm_pol_put(struct xfrm_policy *policy)
845 if (refcount_dec_and_test(&policy->refcnt))
846 xfrm_policy_destroy(policy);
849 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
852 for (i = npols - 1; i >= 0; --i)
853 xfrm_pol_put(pols[i]);
856 void __xfrm_state_destroy(struct xfrm_state *, bool);
858 static inline void __xfrm_state_put(struct xfrm_state *x)
860 refcount_dec(&x->refcnt);
863 static inline void xfrm_state_put(struct xfrm_state *x)
865 if (refcount_dec_and_test(&x->refcnt))
866 __xfrm_state_destroy(x, false);
869 static inline void xfrm_state_put_sync(struct xfrm_state *x)
871 if (refcount_dec_and_test(&x->refcnt))
872 __xfrm_state_destroy(x, true);
875 static inline void xfrm_state_hold(struct xfrm_state *x)
877 refcount_inc(&x->refcnt);
880 static inline bool addr_match(const void *token1, const void *token2,
881 unsigned int prefixlen)
883 const __be32 *a1 = token1;
884 const __be32 *a2 = token2;
888 pdw = prefixlen >> 5; /* num of whole u32 in prefix */
889 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
892 if (memcmp(a1, a2, pdw << 2))
898 mask = htonl((0xffffffff) << (32 - pbi));
900 if ((a1[pdw] ^ a2[pdw]) & mask)
907 static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
909 /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
910 if (sizeof(long) == 4 && prefixlen == 0)
912 return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen)));
916 __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
919 switch(fl->flowi_proto) {
922 case IPPROTO_UDPLITE:
924 port = uli->ports.sport;
928 port = htons(uli->icmpt.type);
931 port = htons(uli->mht.type);
934 port = htons(ntohl(uli->gre_key) >> 16);
943 __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
946 switch(fl->flowi_proto) {
949 case IPPROTO_UDPLITE:
951 port = uli->ports.dport;
955 port = htons(uli->icmpt.code);
958 port = htons(ntohl(uli->gre_key) & 0xffff);
966 bool xfrm_selector_match(const struct xfrm_selector *sel,
967 const struct flowi *fl, unsigned short family);
969 #ifdef CONFIG_SECURITY_NETWORK_XFRM
970 /* If neither has a context --> match
971 * Otherwise, both must have a context and the sids, doi, alg must match
973 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
975 return ((!s1 && !s2) ||
977 (s1->ctx_sid == s2->ctx_sid) &&
978 (s1->ctx_doi == s2->ctx_doi) &&
979 (s1->ctx_alg == s2->ctx_alg)));
982 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
988 /* A struct encoding bundle of transformations to apply to some set of flow.
990 * xdst->child points to the next element of bundle.
991 * dst->xfrm points to an instanse of transformer.
993 * Due to unfortunate limitations of current routing cache, which we
994 * have no time to fix, it mirrors struct rtable and bound to the same
995 * routing key, including saddr,daddr. However, we can have many of
996 * bundles differing by session id. All the bundles grow from a parent
1001 struct dst_entry dst;
1003 struct rt6_info rt6;
1005 struct dst_entry *route;
1006 struct dst_entry *child;
1007 struct dst_entry *path;
1008 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1009 int num_pols, num_xfrms;
1012 u32 route_mtu_cached;
1013 u32 child_mtu_cached;
1018 static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst)
1021 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
1022 const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst;
1027 return (struct dst_entry *) dst;
1030 static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst)
1033 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
1034 struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
1042 static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child)
1044 xdst->child = child;
1047 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
1049 xfrm_pols_put(xdst->pols, xdst->num_pols);
1050 dst_release(xdst->route);
1051 if (likely(xdst->u.dst.xfrm))
1052 xfrm_state_put(xdst->u.dst.xfrm);
1056 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
1058 struct xfrm_if_parms {
1059 int link; /* ifindex of underlying L2 interface */
1060 u32 if_id; /* interface identifier */
1065 struct xfrm_if __rcu *next; /* next interface in list */
1066 struct net_device *dev; /* virtual device associated with interface */
1067 struct net *net; /* netns for packet i/o */
1068 struct xfrm_if_parms p; /* interface parms */
1070 struct gro_cells gro_cells;
1073 struct xfrm_offload {
1074 /* Output sequence number for replay protection on offloading. */
1081 #define SA_DELETE_REQ 1
1082 #define CRYPTO_DONE 2
1083 #define CRYPTO_NEXT_DONE 4
1084 #define CRYPTO_FALLBACK 8
1085 #define XFRM_GSO_SEGMENT 16
1088 #define XFRM_DEV_RESUME 128
1089 #define XFRM_XMIT 256
1092 #define CRYPTO_SUCCESS 1
1093 #define CRYPTO_GENERIC_ERROR 2
1094 #define CRYPTO_TRANSPORT_AH_AUTH_FAILED 4
1095 #define CRYPTO_TRANSPORT_ESP_AUTH_FAILED 8
1096 #define CRYPTO_TUNNEL_AH_AUTH_FAILED 16
1097 #define CRYPTO_TUNNEL_ESP_AUTH_FAILED 32
1098 #define CRYPTO_INVALID_PACKET_SYNTAX 64
1099 #define CRYPTO_INVALID_PROTOCOL 128
1101 /* Used to keep whole l2 header for transport mode GRO */
1113 struct xfrm_state *xvec[XFRM_MAX_DEPTH];
1114 struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH];
1117 struct sec_path *secpath_set(struct sk_buff *skb);
1120 secpath_reset(struct sk_buff *skb)
1123 skb_ext_del(skb, SKB_EXT_SEC_PATH);
1128 xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1132 return addr->a4 == 0;
1134 return ipv6_addr_any(&addr->in6);
1140 __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1142 return (tmpl->saddr.a4 &&
1143 tmpl->saddr.a4 != x->props.saddr.a4);
1147 __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1149 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1150 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1154 xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1158 return __xfrm4_state_addr_cmp(tmpl, x);
1160 return __xfrm6_state_addr_cmp(tmpl, x);
1166 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1168 struct sec_path *sp = skb_sec_path(skb);
1170 return sp->xvec[sp->len - 1];
1174 static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
1177 struct sec_path *sp = skb_sec_path(skb);
1179 if (!sp || !sp->olen || sp->len != sp->olen)
1182 return &sp->ovec[sp->olen - 1];
1189 int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
1190 unsigned short family);
1192 static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb,
1195 if (!net->xfrm.policy_count[dir] && !secpath_exists(skb))
1196 return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT;
1201 static inline bool __xfrm_check_dev_nopolicy(struct sk_buff *skb,
1202 int dir, unsigned short family)
1204 if (dir != XFRM_POLICY_OUT && family == AF_INET) {
1205 /* same dst may be used for traffic originating from
1206 * devices with different policy settings.
1208 return IPCB(skb)->flags & IPSKB_NOPOLICY;
1210 return skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY);
1213 static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1214 struct sk_buff *skb,
1215 unsigned int family, int reverse)
1217 struct net *net = dev_net(skb->dev);
1218 int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1219 struct xfrm_offload *xo = xfrm_offload(skb);
1220 struct xfrm_state *x;
1222 if (sk && sk->sk_policy[XFRM_POLICY_IN])
1223 return __xfrm_policy_check(sk, ndir, skb, family);
1226 x = xfrm_input_state(skb);
1227 if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET)
1228 return (xo->flags & CRYPTO_DONE) &&
1229 (xo->status & CRYPTO_SUCCESS);
1232 return __xfrm_check_nopolicy(net, skb, dir) ||
1233 __xfrm_check_dev_nopolicy(skb, dir, family) ||
1234 __xfrm_policy_check(sk, ndir, skb, family);
1237 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1239 return __xfrm_policy_check2(sk, dir, skb, family, 0);
1242 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1244 return xfrm_policy_check(sk, dir, skb, AF_INET);
1247 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1249 return xfrm_policy_check(sk, dir, skb, AF_INET6);
1252 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1253 struct sk_buff *skb)
1255 return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1258 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1259 struct sk_buff *skb)
1261 return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1264 int __xfrm_decode_session(struct net *net, struct sk_buff *skb, struct flowi *fl,
1265 unsigned int family, int reverse);
1267 static inline int xfrm_decode_session(struct net *net, struct sk_buff *skb, struct flowi *fl,
1268 unsigned int family)
1270 return __xfrm_decode_session(net, skb, fl, family, 0);
1273 static inline int xfrm_decode_session_reverse(struct net *net, struct sk_buff *skb,
1275 unsigned int family)
1277 return __xfrm_decode_session(net, skb, fl, family, 1);
1280 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1282 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1284 struct net *net = dev_net(skb->dev);
1286 if (!net->xfrm.policy_count[XFRM_POLICY_OUT] &&
1287 net->xfrm.policy_default[XFRM_POLICY_OUT] == XFRM_USERPOLICY_ACCEPT)
1290 return (skb_dst(skb)->flags & DST_NOXFRM) ||
1291 __xfrm_route_forward(skb, family);
1294 static inline int xfrm4_route_forward(struct sk_buff *skb)
1296 return xfrm_route_forward(skb, AF_INET);
1299 static inline int xfrm6_route_forward(struct sk_buff *skb)
1301 return xfrm_route_forward(skb, AF_INET6);
1304 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk);
1306 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
1308 if (!sk_fullsock(osk))
1310 sk->sk_policy[0] = NULL;
1311 sk->sk_policy[1] = NULL;
1312 if (unlikely(osk->sk_policy[0] || osk->sk_policy[1]))
1313 return __xfrm_sk_clone_policy(sk, osk);
1317 int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1319 static inline void xfrm_sk_free_policy(struct sock *sk)
1321 struct xfrm_policy *pol;
1323 pol = rcu_dereference_protected(sk->sk_policy[0], 1);
1324 if (unlikely(pol != NULL)) {
1325 xfrm_policy_delete(pol, XFRM_POLICY_MAX);
1326 sk->sk_policy[0] = NULL;
1328 pol = rcu_dereference_protected(sk->sk_policy[1], 1);
1329 if (unlikely(pol != NULL)) {
1330 xfrm_policy_delete(pol, XFRM_POLICY_MAX+1);
1331 sk->sk_policy[1] = NULL;
1337 static inline void xfrm_sk_free_policy(struct sock *sk) {}
1338 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; }
1339 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
1340 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
1341 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1345 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1349 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1353 static inline int xfrm_decode_session_reverse(struct net *net, struct sk_buff *skb,
1355 unsigned int family)
1359 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1360 struct sk_buff *skb)
1364 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1365 struct sk_buff *skb)
1372 xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1376 return (xfrm_address_t *)&fl->u.ip4.daddr;
1378 return (xfrm_address_t *)&fl->u.ip6.daddr;
1384 xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1388 return (xfrm_address_t *)&fl->u.ip4.saddr;
1390 return (xfrm_address_t *)&fl->u.ip6.saddr;
1396 void xfrm_flowi_addr_get(const struct flowi *fl,
1397 xfrm_address_t *saddr, xfrm_address_t *daddr,
1398 unsigned short family)
1402 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1403 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1406 saddr->in6 = fl->u.ip6.saddr;
1407 daddr->in6 = fl->u.ip6.daddr;
1412 static __inline__ int
1413 __xfrm4_state_addr_check(const struct xfrm_state *x,
1414 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1416 if (daddr->a4 == x->id.daddr.a4 &&
1417 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1422 static __inline__ int
1423 __xfrm6_state_addr_check(const struct xfrm_state *x,
1424 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1426 if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1427 (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
1428 ipv6_addr_any((struct in6_addr *)saddr) ||
1429 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1434 static __inline__ int
1435 xfrm_state_addr_check(const struct xfrm_state *x,
1436 const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1437 unsigned short family)
1441 return __xfrm4_state_addr_check(x, daddr, saddr);
1443 return __xfrm6_state_addr_check(x, daddr, saddr);
1448 static __inline__ int
1449 xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1450 unsigned short family)
1454 return __xfrm4_state_addr_check(x,
1455 (const xfrm_address_t *)&fl->u.ip4.daddr,
1456 (const xfrm_address_t *)&fl->u.ip4.saddr);
1458 return __xfrm6_state_addr_check(x,
1459 (const xfrm_address_t *)&fl->u.ip6.daddr,
1460 (const xfrm_address_t *)&fl->u.ip6.saddr);
1465 static inline int xfrm_state_kern(const struct xfrm_state *x)
1467 return atomic_read(&x->tunnel_users);
1470 static inline bool xfrm_id_proto_valid(u8 proto)
1476 #if IS_ENABLED(CONFIG_IPV6)
1477 case IPPROTO_ROUTING:
1478 case IPPROTO_DSTOPTS:
1486 /* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */
1487 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1489 return (!userproto || proto == userproto ||
1490 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1491 proto == IPPROTO_ESP ||
1492 proto == IPPROTO_COMP)));
1496 * xfrm algorithm information
1498 struct xfrm_algo_aead_info {
1503 struct xfrm_algo_auth_info {
1508 struct xfrm_algo_encr_info {
1514 struct xfrm_algo_comp_info {
1518 struct xfrm_algo_desc {
1522 u8 pfkey_supported:1;
1524 struct xfrm_algo_aead_info aead;
1525 struct xfrm_algo_auth_info auth;
1526 struct xfrm_algo_encr_info encr;
1527 struct xfrm_algo_comp_info comp;
1529 struct sadb_alg desc;
1532 /* XFRM protocol handlers. */
1533 struct xfrm4_protocol {
1534 int (*handler)(struct sk_buff *skb);
1535 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1537 int (*cb_handler)(struct sk_buff *skb, int err);
1538 int (*err_handler)(struct sk_buff *skb, u32 info);
1540 struct xfrm4_protocol __rcu *next;
1544 struct xfrm6_protocol {
1545 int (*handler)(struct sk_buff *skb);
1546 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1548 int (*cb_handler)(struct sk_buff *skb, int err);
1549 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1550 u8 type, u8 code, int offset, __be32 info);
1552 struct xfrm6_protocol __rcu *next;
1556 /* XFRM tunnel handlers. */
1557 struct xfrm_tunnel {
1558 int (*handler)(struct sk_buff *skb);
1559 int (*cb_handler)(struct sk_buff *skb, int err);
1560 int (*err_handler)(struct sk_buff *skb, u32 info);
1562 struct xfrm_tunnel __rcu *next;
1566 struct xfrm6_tunnel {
1567 int (*handler)(struct sk_buff *skb);
1568 int (*cb_handler)(struct sk_buff *skb, int err);
1569 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1570 u8 type, u8 code, int offset, __be32 info);
1571 struct xfrm6_tunnel __rcu *next;
1575 void xfrm_init(void);
1576 void xfrm4_init(void);
1577 int xfrm_state_init(struct net *net);
1578 void xfrm_state_fini(struct net *net);
1579 void xfrm4_state_init(void);
1580 void xfrm4_protocol_init(void);
1582 int xfrm6_init(void);
1583 void xfrm6_fini(void);
1584 int xfrm6_state_init(void);
1585 void xfrm6_state_fini(void);
1586 int xfrm6_protocol_init(void);
1587 void xfrm6_protocol_fini(void);
1589 static inline int xfrm6_init(void)
1593 static inline void xfrm6_fini(void)
1599 #ifdef CONFIG_XFRM_STATISTICS
1600 int xfrm_proc_init(struct net *net);
1601 void xfrm_proc_fini(struct net *net);
1604 int xfrm_sysctl_init(struct net *net);
1605 #ifdef CONFIG_SYSCTL
1606 void xfrm_sysctl_fini(struct net *net);
1608 static inline void xfrm_sysctl_fini(struct net *net)
1613 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
1614 struct xfrm_address_filter *filter);
1615 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1616 int (*func)(struct xfrm_state *, int, void*), void *);
1617 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
1618 struct xfrm_state *xfrm_state_alloc(struct net *net);
1619 void xfrm_state_free(struct xfrm_state *x);
1620 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1621 const xfrm_address_t *saddr,
1622 const struct flowi *fl,
1623 struct xfrm_tmpl *tmpl,
1624 struct xfrm_policy *pol, int *err,
1625 unsigned short family, u32 if_id);
1626 struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id,
1627 xfrm_address_t *daddr,
1628 xfrm_address_t *saddr,
1629 unsigned short family,
1630 u8 mode, u8 proto, u32 reqid);
1631 struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1632 unsigned short family);
1633 int xfrm_state_check_expire(struct xfrm_state *x);
1634 void xfrm_state_update_stats(struct net *net);
1635 #ifdef CONFIG_XFRM_OFFLOAD
1636 static inline void xfrm_dev_state_update_stats(struct xfrm_state *x)
1638 struct xfrm_dev_offload *xdo = &x->xso;
1639 struct net_device *dev = READ_ONCE(xdo->dev);
1641 if (dev && dev->xfrmdev_ops &&
1642 dev->xfrmdev_ops->xdo_dev_state_update_stats)
1643 dev->xfrmdev_ops->xdo_dev_state_update_stats(x);
1647 static inline void xfrm_dev_state_update_stats(struct xfrm_state *x) {}
1649 void xfrm_state_insert(struct xfrm_state *x);
1650 int xfrm_state_add(struct xfrm_state *x);
1651 int xfrm_state_update(struct xfrm_state *x);
1652 struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1653 const xfrm_address_t *daddr, __be32 spi,
1654 u8 proto, unsigned short family);
1655 struct xfrm_state *xfrm_input_state_lookup(struct net *net, u32 mark,
1656 const xfrm_address_t *daddr,
1657 __be32 spi, u8 proto,
1658 unsigned short family);
1659 struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1660 const xfrm_address_t *daddr,
1661 const xfrm_address_t *saddr,
1663 unsigned short family);
1664 #ifdef CONFIG_XFRM_SUB_POLICY
1665 void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1666 unsigned short family);
1667 void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1668 unsigned short family);
1670 static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s,
1671 int n, unsigned short family)
1675 static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s,
1676 int n, unsigned short family)
1681 struct xfrmk_sadinfo {
1682 u32 sadhcnt; /* current hash bkts */
1683 u32 sadhmcnt; /* max allowed hash bkts */
1684 u32 sadcnt; /* current running count */
1687 struct xfrmk_spdinfo {
1698 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq, u32 pcpu_num);
1699 int xfrm_state_delete(struct xfrm_state *x);
1700 int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
1701 int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
1702 int xfrm_dev_policy_flush(struct net *net, struct net_device *dev,
1704 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1705 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1706 u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1707 int xfrm_init_replay(struct xfrm_state *x, struct netlink_ext_ack *extack);
1708 u32 xfrm_state_mtu(struct xfrm_state *x, int mtu);
1709 int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload,
1710 struct netlink_ext_ack *extack);
1711 int xfrm_init_state(struct xfrm_state *x);
1712 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
1713 int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1714 int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
1715 int (*finish)(struct net *, struct sock *,
1717 int xfrm_trans_queue(struct sk_buff *skb,
1718 int (*finish)(struct net *, struct sock *,
1720 int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err);
1721 int xfrm_output(struct sock *sk, struct sk_buff *skb);
1723 #if IS_ENABLED(CONFIG_NET_PKTGEN)
1724 int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb);
1727 void xfrm_local_error(struct sk_buff *skb, int mtu);
1728 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1730 int xfrm4_transport_finish(struct sk_buff *skb, int async);
1731 int xfrm4_rcv(struct sk_buff *skb);
1733 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1735 XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
1736 XFRM_SPI_SKB_CB(skb)->family = AF_INET;
1737 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
1738 return xfrm_input(skb, nexthdr, spi, 0);
1741 int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1742 int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);
1743 int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);
1744 int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1745 int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1746 void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
1747 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
1749 int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1751 int xfrm6_transport_finish(struct sk_buff *skb, int async);
1752 int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t);
1753 int xfrm6_rcv(struct sk_buff *skb);
1754 int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1755 xfrm_address_t *saddr, u8 proto);
1756 void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
1757 int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);
1758 int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);
1759 int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1760 int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1761 __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1762 __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1763 int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1766 void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu);
1767 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1768 int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1769 struct sk_buff *xfrm4_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
1770 struct sk_buff *skb);
1771 struct sk_buff *xfrm6_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
1772 struct sk_buff *skb);
1773 int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval,
1776 static inline int xfrm_user_policy(struct sock *sk, int optname,
1777 sockptr_t optval, int optlen)
1779 return -ENOPROTOOPT;
1783 struct dst_entry *__xfrm_dst_lookup(int family, const struct xfrm_dst_lookup_params *params);
1785 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1787 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1788 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1789 int (*func)(struct xfrm_policy *, int, int, void*),
1791 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1792 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1793 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net,
1794 const struct xfrm_mark *mark,
1795 u32 if_id, u8 type, int dir,
1796 struct xfrm_selector *sel,
1797 struct xfrm_sec_ctx *ctx, int delete,
1799 struct xfrm_policy *xfrm_policy_byid(struct net *net,
1800 const struct xfrm_mark *mark, u32 if_id,
1801 u8 type, int dir, u32 id, int delete,
1803 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
1804 void xfrm_policy_hash_rebuild(struct net *net);
1805 u32 xfrm_get_acqseq(void);
1806 int verify_spi_info(u8 proto, u32 min, u32 max, struct netlink_ext_ack *extack);
1807 int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi,
1808 struct netlink_ext_ack *extack);
1809 struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
1810 u8 mode, u32 reqid, u32 if_id, u32 pcpu_num, u8 proto,
1811 const xfrm_address_t *daddr,
1812 const xfrm_address_t *saddr, int create,
1813 unsigned short family);
1814 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1816 #ifdef CONFIG_XFRM_MIGRATE
1817 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1818 const struct xfrm_migrate *m, int num_bundles,
1819 const struct xfrm_kmaddress *k,
1820 const struct xfrm_encap_tmpl *encap);
1821 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net,
1823 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
1824 struct xfrm_migrate *m,
1825 struct xfrm_encap_tmpl *encap);
1826 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1827 struct xfrm_migrate *m, int num_bundles,
1828 struct xfrm_kmaddress *k, struct net *net,
1829 struct xfrm_encap_tmpl *encap, u32 if_id,
1830 struct netlink_ext_ack *extack);
1833 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1834 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1835 int km_report(struct net *net, u8 proto, struct xfrm_selector *sel,
1836 xfrm_address_t *addr);
1838 void xfrm_input_init(void);
1839 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1841 void xfrm_probe_algs(void);
1842 int xfrm_count_pfkey_auth_supported(void);
1843 int xfrm_count_pfkey_enc_supported(void);
1844 struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1845 struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1846 struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1847 struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1848 struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1849 struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1850 struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1851 struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1852 struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1855 static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1856 const xfrm_address_t *b)
1858 return ipv6_addr_equal((const struct in6_addr *)a,
1859 (const struct in6_addr *)b);
1862 static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1863 const xfrm_address_t *b,
1869 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1871 return xfrm6_addr_equal(a, b);
1875 static inline int xfrm_policy_id2dir(u32 index)
1881 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq);
1882 int xfrm_replay_check(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
1883 void xfrm_replay_notify(struct xfrm_state *x, int event);
1884 int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb);
1885 int xfrm_replay_recheck(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
1887 static inline int xfrm_aevent_is_on(struct net *net)
1893 nlsk = rcu_dereference(net->xfrm.nlsk);
1895 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1900 static inline int xfrm_acquire_is_on(struct net *net)
1906 nlsk = rcu_dereference(net->xfrm.nlsk);
1908 ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE);
1915 static inline unsigned int aead_len(struct xfrm_algo_aead *alg)
1917 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1920 static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg)
1922 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1925 static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1927 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1930 static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1932 return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1935 #ifdef CONFIG_XFRM_MIGRATE
1936 static inline int xfrm_replay_clone(struct xfrm_state *x,
1937 struct xfrm_state *orig)
1940 x->replay_esn = kmemdup(orig->replay_esn,
1941 xfrm_replay_state_esn_len(orig->replay_esn),
1945 x->preplay_esn = kmemdup(orig->preplay_esn,
1946 xfrm_replay_state_esn_len(orig->preplay_esn),
1948 if (!x->preplay_esn)
1954 static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig)
1956 return kmemdup(orig, aead_len(orig), GFP_KERNEL);
1960 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1962 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1965 static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1967 return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1970 static inline void xfrm_states_put(struct xfrm_state **states, int n)
1973 for (i = 0; i < n; i++)
1974 xfrm_state_put(*(states + i));
1977 static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1980 for (i = 0; i < n; i++)
1981 xfrm_state_delete(*(states + i));
1985 void __init xfrm_dev_init(void);
1987 #ifdef CONFIG_XFRM_OFFLOAD
1988 void xfrm_dev_resume(struct sk_buff *skb);
1989 void xfrm_dev_backlog(struct softnet_data *sd);
1990 struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again);
1991 int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
1992 struct xfrm_user_offload *xuo,
1993 struct netlink_ext_ack *extack);
1994 int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
1995 struct xfrm_user_offload *xuo, u8 dir,
1996 struct netlink_ext_ack *extack);
1997 bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
1998 void xfrm_dev_state_delete(struct xfrm_state *x);
1999 void xfrm_dev_state_free(struct xfrm_state *x);
2001 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
2003 struct xfrm_dev_offload *xso = &x->xso;
2004 struct net_device *dev = READ_ONCE(xso->dev);
2006 if (dev && dev->xfrmdev_ops->xdo_dev_state_advance_esn)
2007 dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
2010 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
2012 struct xfrm_state *x = dst->xfrm;
2013 struct xfrm_dst *xdst;
2015 if (!x || !x->type_offload)
2018 xdst = (struct xfrm_dst *) dst;
2019 if (!x->xso.offload_handle && !xdst->child->xfrm)
2021 if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) &&
2028 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x)
2030 struct xfrm_dev_offload *xdo = &x->xdo;
2031 struct net_device *dev = xdo->dev;
2033 if (dev && dev->xfrmdev_ops && dev->xfrmdev_ops->xdo_dev_policy_delete)
2034 dev->xfrmdev_ops->xdo_dev_policy_delete(x);
2037 static inline void xfrm_dev_policy_free(struct xfrm_policy *x)
2039 struct xfrm_dev_offload *xdo = &x->xdo;
2040 struct net_device *dev = xdo->dev;
2042 if (dev && dev->xfrmdev_ops) {
2043 if (dev->xfrmdev_ops->xdo_dev_policy_free)
2044 dev->xfrmdev_ops->xdo_dev_policy_free(x);
2046 netdev_put(dev, &xdo->dev_tracker);
2050 static inline void xfrm_dev_resume(struct sk_buff *skb)
2054 static inline void xfrm_dev_backlog(struct softnet_data *sd)
2058 static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
2063 static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo, struct netlink_ext_ack *extack)
2068 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
2072 static inline void xfrm_dev_state_free(struct xfrm_state *x)
2076 static inline int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
2077 struct xfrm_user_offload *xuo, u8 dir,
2078 struct netlink_ext_ack *extack)
2083 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x)
2087 static inline void xfrm_dev_policy_free(struct xfrm_policy *x)
2091 static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
2096 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
2100 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
2106 static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
2108 if (attrs[XFRMA_MARK])
2109 memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
2116 static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
2121 ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
2125 static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x)
2127 struct xfrm_mark *m = &x->props.smark;
2129 return (m->v & m->m) | (mark & ~m->m);
2132 static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id)
2137 ret = nla_put_u32(skb, XFRMA_IF_ID, if_id);
2141 static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
2142 unsigned int family)
2144 bool tunnel = false;
2148 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
2152 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
2156 if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL))
2162 extern const int xfrm_msg_min[XFRM_NR_MSGTYPES];
2163 extern const struct nla_policy xfrma_policy[XFRMA_MAX+1];
2165 struct xfrm_translator {
2166 /* Allocate frag_list and put compat translation there */
2167 int (*alloc_compat)(struct sk_buff *skb, const struct nlmsghdr *src);
2169 /* Allocate nlmsg with 64-bit translaton of received 32-bit message */
2170 struct nlmsghdr *(*rcv_msg_compat)(const struct nlmsghdr *nlh,
2171 int maxtype, const struct nla_policy *policy,
2172 struct netlink_ext_ack *extack);
2174 /* Translate 32-bit user_policy from sockptr */
2175 int (*xlate_user_policy_sockptr)(u8 **pdata32, int optlen);
2177 struct module *owner;
2180 #if IS_ENABLED(CONFIG_XFRM_USER_COMPAT)
2181 extern int xfrm_register_translator(struct xfrm_translator *xtr);
2182 extern int xfrm_unregister_translator(struct xfrm_translator *xtr);
2183 extern struct xfrm_translator *xfrm_get_translator(void);
2184 extern void xfrm_put_translator(struct xfrm_translator *xtr);
2186 static inline struct xfrm_translator *xfrm_get_translator(void)
2190 static inline void xfrm_put_translator(struct xfrm_translator *xtr)
2195 #if IS_ENABLED(CONFIG_IPV6)
2196 static inline bool xfrm6_local_dontfrag(const struct sock *sk)
2200 if (!sk || sk->sk_family != AF_INET6)
2203 proto = sk->sk_protocol;
2204 if (proto == IPPROTO_UDP || proto == IPPROTO_RAW)
2205 return inet6_test_bit(DONTFRAG, sk);
2211 #if (IS_BUILTIN(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) || \
2212 (IS_MODULE(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES))
2214 extern struct metadata_dst __percpu *xfrm_bpf_md_dst;
2216 int register_xfrm_interface_bpf(void);
2220 static inline int register_xfrm_interface_bpf(void)
2227 #if IS_ENABLED(CONFIG_DEBUG_INFO_BTF)
2228 int register_xfrm_state_bpf(void);
2230 static inline int register_xfrm_state_bpf(void)
2236 int xfrm_nat_keepalive_init(unsigned short family);
2237 void xfrm_nat_keepalive_fini(unsigned short family);
2238 int xfrm_nat_keepalive_net_init(struct net *net);
2239 int xfrm_nat_keepalive_net_fini(struct net *net);
2240 void xfrm_nat_keepalive_state_updated(struct xfrm_state *x);
2242 #endif /* _NET_XFRM_H */
projects / J-linux.git / blob