1 /* SPDX-License-Identifier: GPL-2.0 */
5 #include <linux/compiler.h>
6 #include <linux/xfrm.h>
7 #include <linux/spinlock.h>
8 #include <linux/list.h>
9 #include <linux/skbuff.h>
10 #include <linux/socket.h>
11 #include <linux/pfkeyv2.h>
12 #include <linux/ipsec.h>
13 #include <linux/in6.h>
14 #include <linux/mutex.h>
15 #include <linux/audit.h>
16 #include <linux/slab.h>
17 #include <linux/refcount.h>
18 #include <linux/sockptr.h>
23 #include <net/route.h>
25 #include <net/ip6_fib.h>
27 #include <net/gro_cells.h>
29 #include <linux/interrupt.h>
31 #ifdef CONFIG_XFRM_STATISTICS
35 #define XFRM_PROTO_ESP 50
36 #define XFRM_PROTO_AH 51
37 #define XFRM_PROTO_COMP 108
38 #define XFRM_PROTO_IPIP 4
39 #define XFRM_PROTO_IPV6 41
40 #define XFRM_PROTO_ROUTING IPPROTO_ROUTING
41 #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS
43 #define XFRM_ALIGN4(len) (((len) + 3) & ~3)
44 #define XFRM_ALIGN8(len) (((len) + 7) & ~7)
45 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
46 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
47 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
48 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
49 #define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \
50 MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto))
52 #ifdef CONFIG_XFRM_STATISTICS
53 #define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
54 #define XFRM_ADD_STATS(net, field, val) SNMP_ADD_STATS((net)->mib.xfrm_statistics, field, val)
56 #define XFRM_INC_STATS(net, field) ((void)(net))
57 #define XFRM_ADD_STATS(net, field, val) ((void)(net))
61 /* Organization of SPD aka "XFRM rules"
62 ------------------------------------
65 - policy rule, struct xfrm_policy (=SPD entry)
66 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
67 - instance of a transformer, struct xfrm_state (=SA)
68 - template to clone xfrm_state, struct xfrm_tmpl
70 SPD is plain linear list of xfrm_policy rules, ordered by priority.
71 (To be compatible with existing pfkeyv2 implementations,
72 many rules with priority of 0x7fffffff are allowed to exist and
73 such rules are ordered in an unpredictable way, thanks to bsd folks.)
75 Lookup is plain linear search until the first match with selector.
77 If "action" is "block", then we prohibit the flow, otherwise:
78 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
79 policy entry has list of up to XFRM_MAX_DEPTH transformations,
80 described by templates xfrm_tmpl. Each template is resolved
81 to a complete xfrm_state (see below) and we pack bundle of transformations
82 to a dst_entry returned to requestor.
84 dst -. xfrm .-> xfrm_state #1
85 |---. child .-> dst -. xfrm .-> xfrm_state #2
86 |---. child .-> dst -. xfrm .-> xfrm_state #3
89 Bundles are cached at xrfm_policy struct (field ->bundles).
92 Resolution of xrfm_tmpl
93 -----------------------
95 1. ->mode Mode: transport or tunnel
96 2. ->id.proto Protocol: AH/ESP/IPCOMP
97 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
98 Q: allow to resolve security gateway?
99 4. ->id.spi If not zero, static SPI.
100 5. ->saddr Local tunnel endpoint, ignored for transport mode.
101 6. ->algos List of allowed algos. Plain bitmask now.
102 Q: ealgos, aalgos, calgos. What a mess...
103 7. ->share Sharing mode.
104 Q: how to implement private sharing mode? To add struct sock* to
107 Having this template we search through SAD searching for entries
108 with appropriate mode/proto/algo, permitted by selector.
109 If no appropriate entry found, it is requested from key manager.
112 Q: How to find all the bundles referring to a physical path for
113 PMTU discovery? Seems, dst should contain list of all parents...
114 and enter to infinite locking hierarchy disaster.
115 No! It is easier, we will not search for them, let them find us.
116 We add genid to each dst plus pointer to genid of raw IP route,
117 pmtu disc will update pmtu on raw IP route and increase its genid.
118 dst_check() will see this for top level and trigger resyncing
119 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
122 struct xfrm_state_walk {
123 struct list_head all;
128 struct xfrm_address_filter *filter;
132 XFRM_DEV_OFFLOAD_IN = 1,
133 XFRM_DEV_OFFLOAD_OUT,
134 XFRM_DEV_OFFLOAD_FWD,
138 XFRM_DEV_OFFLOAD_UNSPECIFIED,
139 XFRM_DEV_OFFLOAD_CRYPTO,
140 XFRM_DEV_OFFLOAD_PACKET,
144 XFRM_DEV_OFFLOAD_FLAG_ACQ = 1,
147 struct xfrm_dev_offload {
148 struct net_device *dev;
149 netdevice_tracker dev_tracker;
150 struct net_device *real_dev;
151 unsigned long offload_handle;
163 /* Flags for xfrm_mode. */
165 XFRM_MODE_FLAG_TUNNEL = 1,
168 enum xfrm_replay_mode {
169 XFRM_REPLAY_MODE_LEGACY,
170 XFRM_REPLAY_MODE_BMP,
171 XFRM_REPLAY_MODE_ESN,
174 /* Full description of state of transformer. */
176 possible_net_t xs_net;
178 struct hlist_node gclist;
179 struct hlist_node bydst;
181 struct hlist_node bysrc;
182 struct hlist_node byspi;
183 struct hlist_node byseq;
189 struct xfrm_selector sel;
190 struct xfrm_mark mark;
196 /* Key manager bits */
197 struct xfrm_state_walk km;
199 /* Parameters of this state. */
204 u8 aalgo, ealgo, calgo;
207 xfrm_address_t saddr;
211 struct xfrm_mark smark;
214 struct xfrm_lifetime_cfg lft;
216 /* Data for transformer */
217 struct xfrm_algo_auth *aalg;
218 struct xfrm_algo *ealg;
219 struct xfrm_algo *calg;
220 struct xfrm_algo_aead *aead;
223 /* mapping change rate limiting */
224 __be16 new_mapping_sport;
225 u32 new_mapping; /* seconds */
226 u32 mapping_maxage; /* seconds for input SA */
228 /* Data for encapsulator */
229 struct xfrm_encap_tmpl *encap;
230 struct sock __rcu *encap_sk;
232 /* Data for care-of address */
233 xfrm_address_t *coaddr;
235 /* IPComp needs an IPIP tunnel for handling uncompressed packets */
236 struct xfrm_state *tunnel;
238 /* If a tunnel, number of users + 1 */
239 atomic_t tunnel_users;
241 /* State for replay detection */
242 struct xfrm_replay_state replay;
243 struct xfrm_replay_state_esn *replay_esn;
245 /* Replay detection state at the time we sent the last notification */
246 struct xfrm_replay_state preplay;
247 struct xfrm_replay_state_esn *preplay_esn;
249 /* replay detection mode */
250 enum xfrm_replay_mode repl_mode;
251 /* internal flag that only holds state for delayed aevent at the
256 /* Replay detection notification settings */
260 /* Replay detection notification timer */
261 struct timer_list rtimer;
264 struct xfrm_stats stats;
266 struct xfrm_lifetime_cur curlft;
267 struct hrtimer mtimer;
269 struct xfrm_dev_offload xso;
271 /* used to fix curlft->add_time when changing date */
277 struct page_frag xfrag;
279 /* Reference to data common to all the instances of this
281 const struct xfrm_type *type;
282 struct xfrm_mode inner_mode;
283 struct xfrm_mode inner_mode_iaf;
284 struct xfrm_mode outer_mode;
286 const struct xfrm_type_offload *type_offload;
288 /* Security context */
289 struct xfrm_sec_ctx *security;
291 /* Private data of this transformer, format is opaque,
292 * interpreted by xfrm_type methods. */
297 static inline struct net *xs_net(struct xfrm_state *x)
299 return read_pnet(&x->xs_net);
302 /* xflags - make enum if more show up */
303 #define XFRM_TIME_DEFER 1
304 #define XFRM_SOFT_EXPIRE 2
315 /* callback structure passed from either netlink or pfkey */
331 struct xfrm_if_decode_session_result {
337 bool (*decode_session)(struct sk_buff *skb,
338 unsigned short family,
339 struct xfrm_if_decode_session_result *res);
342 void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb);
343 void xfrm_if_unregister_cb(void);
348 struct xfrm_policy_afinfo {
349 struct dst_ops *dst_ops;
350 struct dst_entry *(*dst_lookup)(struct net *net,
352 const xfrm_address_t *saddr,
353 const xfrm_address_t *daddr,
355 int (*get_saddr)(struct net *net, int oif,
356 xfrm_address_t *saddr,
357 xfrm_address_t *daddr,
359 int (*fill_dst)(struct xfrm_dst *xdst,
360 struct net_device *dev,
361 const struct flowi *fl);
362 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
365 int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family);
366 void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo);
367 void km_policy_notify(struct xfrm_policy *xp, int dir,
368 const struct km_event *c);
369 void km_state_notify(struct xfrm_state *x, const struct km_event *c);
372 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t,
373 struct xfrm_policy *pol);
374 void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
375 int __xfrm_state_delete(struct xfrm_state *x);
377 struct xfrm_state_afinfo {
381 const struct xfrm_type_offload *type_offload_esp;
383 const struct xfrm_type *type_esp;
384 const struct xfrm_type *type_ipip;
385 const struct xfrm_type *type_ipip6;
386 const struct xfrm_type *type_comp;
387 const struct xfrm_type *type_ah;
388 const struct xfrm_type *type_routing;
389 const struct xfrm_type *type_dstopts;
391 int (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
392 int (*transport_finish)(struct sk_buff *skb,
394 void (*local_error)(struct sk_buff *skb, u32 mtu);
397 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
398 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
399 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
400 struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family);
402 struct xfrm_input_afinfo {
405 int (*callback)(struct sk_buff *skb, u8 protocol,
409 int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
410 int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
412 void xfrm_flush_gc(void);
413 void xfrm_state_delete_tunnel(struct xfrm_state *x);
416 struct module *owner;
419 #define XFRM_TYPE_NON_FRAGMENT 1
420 #define XFRM_TYPE_REPLAY_PROT 2
421 #define XFRM_TYPE_LOCAL_COADDR 4
422 #define XFRM_TYPE_REMOTE_COADDR 8
424 int (*init_state)(struct xfrm_state *x,
425 struct netlink_ext_ack *extack);
426 void (*destructor)(struct xfrm_state *);
427 int (*input)(struct xfrm_state *, struct sk_buff *skb);
428 int (*output)(struct xfrm_state *, struct sk_buff *pskb);
429 int (*reject)(struct xfrm_state *, struct sk_buff *,
430 const struct flowi *);
433 int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
434 void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
436 struct xfrm_type_offload {
437 struct module *owner;
439 void (*encap)(struct xfrm_state *, struct sk_buff *pskb);
440 int (*input_tail)(struct xfrm_state *x, struct sk_buff *skb);
441 int (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features);
444 int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);
445 void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);
447 static inline int xfrm_af2proto(unsigned int family)
459 static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
461 if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
462 (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
463 return &x->inner_mode;
465 return &x->inner_mode_iaf;
469 /* id in template is interpreted as:
470 * daddr - destination of tunnel, may be zero for transport mode.
471 * spi - zero to acquire spi. Not zero if spi is static, then
472 * daddr must be fixed too.
473 * proto - AH/ESP/IPCOMP
477 /* Source address of tunnel. Ignored, if it is not a tunnel. */
478 xfrm_address_t saddr;
480 unsigned short encap_family;
484 /* Mode: transport, tunnel etc. */
487 /* Sharing mode: unique, this session only, this user only etc. */
490 /* May skip this transfomration if no SA is found */
493 /* Skip aalgos/ealgos/calgos checks. */
496 /* Bit mask of algos allowed for acquisition */
502 #define XFRM_MAX_DEPTH 6
503 #define XFRM_MAX_OFFLOAD_DEPTH 1
505 struct xfrm_policy_walk_entry {
506 struct list_head all;
510 struct xfrm_policy_walk {
511 struct xfrm_policy_walk_entry walk;
516 struct xfrm_policy_queue {
517 struct sk_buff_head hold_queue;
518 struct timer_list hold_timer;
519 unsigned long timeout;
523 possible_net_t xp_net;
524 struct hlist_node bydst;
525 struct hlist_node byidx;
527 /* This lock only affects elements except for entry. */
531 struct timer_list timer;
537 struct xfrm_mark mark;
538 struct xfrm_selector selector;
539 struct xfrm_lifetime_cfg lft;
540 struct xfrm_lifetime_cur curlft;
541 struct xfrm_policy_walk_entry walk;
542 struct xfrm_policy_queue polq;
549 struct xfrm_sec_ctx *security;
550 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
551 struct hlist_node bydst_inexact_list;
554 struct xfrm_dev_offload xdo;
557 static inline struct net *xp_net(const struct xfrm_policy *xp)
559 return read_pnet(&xp->xp_net);
562 struct xfrm_kmaddress {
563 xfrm_address_t local;
564 xfrm_address_t remote;
569 struct xfrm_migrate {
570 xfrm_address_t old_daddr;
571 xfrm_address_t old_saddr;
572 xfrm_address_t new_daddr;
573 xfrm_address_t new_saddr;
582 #define XFRM_KM_TIMEOUT 30
584 #define XFRM_REPLAY_UPDATE XFRM_AE_CR
585 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
587 /* default aevent timeout in units of 100ms */
588 #define XFRM_AE_ETIME 10
589 /* Async Event timer multiplier */
590 #define XFRM_AE_ETH_M 10
591 /* default seq threshold size */
592 #define XFRM_AE_SEQT_SIZE 2
595 struct list_head list;
596 int (*notify)(struct xfrm_state *x, const struct km_event *c);
597 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
598 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
599 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
600 int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
601 int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
602 int (*migrate)(const struct xfrm_selector *sel,
604 const struct xfrm_migrate *m,
606 const struct xfrm_kmaddress *k,
607 const struct xfrm_encap_tmpl *encap);
608 bool (*is_alive)(const struct km_event *c);
611 void xfrm_register_km(struct xfrm_mgr *km);
612 void xfrm_unregister_km(struct xfrm_mgr *km);
614 struct xfrm_tunnel_skb_cb {
616 struct inet_skb_parm h4;
617 struct inet6_skb_parm h6;
621 struct ip_tunnel *ip4;
626 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
629 * This structure is used for the duration where packets are being
630 * transformed by IPsec. As soon as the packet leaves IPsec the
631 * area beyond the generic IP part may be overwritten.
634 struct xfrm_tunnel_skb_cb header;
636 /* Sequence number for replay protection. */
649 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
652 * This structure is used by the afinfo prepare_input/prepare_output functions
653 * to transmit header information to the mode input/output functions.
655 struct xfrm_mode_skb_cb {
656 struct xfrm_tunnel_skb_cb header;
658 /* Copied from header for IPv4, always set to zero and DF for IPv6. */
662 /* IP header length (excluding options or extension headers). */
665 /* TOS for IPv4, class for IPv6. */
668 /* TTL for IPv4, hop limitfor IPv6. */
671 /* Protocol for IPv4, NH for IPv6. */
674 /* Option length for IPv4, zero for IPv6. */
677 /* Used by IPv6 only, zero for IPv4. */
681 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
684 * This structure is used by the input processing to locate the SPI and
685 * related information.
687 struct xfrm_spi_skb_cb {
688 struct xfrm_tunnel_skb_cb header;
690 unsigned int daddroff;
695 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
697 #ifdef CONFIG_AUDITSYSCALL
698 static inline struct audit_buffer *xfrm_audit_start(const char *op)
700 struct audit_buffer *audit_buf = NULL;
702 if (audit_enabled == AUDIT_OFF)
704 audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
705 AUDIT_MAC_IPSEC_EVENT);
706 if (audit_buf == NULL)
708 audit_log_format(audit_buf, "op=%s", op);
712 static inline void xfrm_audit_helper_usrinfo(bool task_valid,
713 struct audit_buffer *audit_buf)
715 const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
716 audit_get_loginuid(current) :
718 const unsigned int ses = task_valid ? audit_get_sessionid(current) :
721 audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
722 audit_log_task_context(audit_buf);
725 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
726 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
728 void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
729 void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
730 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
731 struct sk_buff *skb);
732 void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
734 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
735 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi,
737 void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
741 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
746 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
751 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
756 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
761 static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
766 static inline void xfrm_audit_state_replay(struct xfrm_state *x,
767 struct sk_buff *skb, __be32 net_seq)
771 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
776 static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
777 __be32 net_spi, __be32 net_seq)
781 static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
782 struct sk_buff *skb, u8 proto)
785 #endif /* CONFIG_AUDITSYSCALL */
787 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
789 if (likely(policy != NULL))
790 refcount_inc(&policy->refcnt);
793 void xfrm_policy_destroy(struct xfrm_policy *policy);
795 static inline void xfrm_pol_put(struct xfrm_policy *policy)
797 if (refcount_dec_and_test(&policy->refcnt))
798 xfrm_policy_destroy(policy);
801 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
804 for (i = npols - 1; i >= 0; --i)
805 xfrm_pol_put(pols[i]);
808 void __xfrm_state_destroy(struct xfrm_state *, bool);
810 static inline void __xfrm_state_put(struct xfrm_state *x)
812 refcount_dec(&x->refcnt);
815 static inline void xfrm_state_put(struct xfrm_state *x)
817 if (refcount_dec_and_test(&x->refcnt))
818 __xfrm_state_destroy(x, false);
821 static inline void xfrm_state_put_sync(struct xfrm_state *x)
823 if (refcount_dec_and_test(&x->refcnt))
824 __xfrm_state_destroy(x, true);
827 static inline void xfrm_state_hold(struct xfrm_state *x)
829 refcount_inc(&x->refcnt);
832 static inline bool addr_match(const void *token1, const void *token2,
833 unsigned int prefixlen)
835 const __be32 *a1 = token1;
836 const __be32 *a2 = token2;
840 pdw = prefixlen >> 5; /* num of whole u32 in prefix */
841 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
844 if (memcmp(a1, a2, pdw << 2))
850 mask = htonl((0xffffffff) << (32 - pbi));
852 if ((a1[pdw] ^ a2[pdw]) & mask)
859 static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
861 /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
862 if (sizeof(long) == 4 && prefixlen == 0)
864 return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen)));
868 __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
871 switch(fl->flowi_proto) {
874 case IPPROTO_UDPLITE:
876 port = uli->ports.sport;
880 port = htons(uli->icmpt.type);
883 port = htons(uli->mht.type);
886 port = htons(ntohl(uli->gre_key) >> 16);
895 __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
898 switch(fl->flowi_proto) {
901 case IPPROTO_UDPLITE:
903 port = uli->ports.dport;
907 port = htons(uli->icmpt.code);
910 port = htons(ntohl(uli->gre_key) & 0xffff);
918 bool xfrm_selector_match(const struct xfrm_selector *sel,
919 const struct flowi *fl, unsigned short family);
921 #ifdef CONFIG_SECURITY_NETWORK_XFRM
922 /* If neither has a context --> match
923 * Otherwise, both must have a context and the sids, doi, alg must match
925 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
927 return ((!s1 && !s2) ||
929 (s1->ctx_sid == s2->ctx_sid) &&
930 (s1->ctx_doi == s2->ctx_doi) &&
931 (s1->ctx_alg == s2->ctx_alg)));
934 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
940 /* A struct encoding bundle of transformations to apply to some set of flow.
942 * xdst->child points to the next element of bundle.
943 * dst->xfrm points to an instanse of transformer.
945 * Due to unfortunate limitations of current routing cache, which we
946 * have no time to fix, it mirrors struct rtable and bound to the same
947 * routing key, including saddr,daddr. However, we can have many of
948 * bundles differing by session id. All the bundles grow from a parent
953 struct dst_entry dst;
957 struct dst_entry *route;
958 struct dst_entry *child;
959 struct dst_entry *path;
960 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
961 int num_pols, num_xfrms;
964 u32 route_mtu_cached;
965 u32 child_mtu_cached;
970 static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst)
973 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
974 const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst;
979 return (struct dst_entry *) dst;
982 static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst)
985 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
986 struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
994 static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child)
999 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
1001 xfrm_pols_put(xdst->pols, xdst->num_pols);
1002 dst_release(xdst->route);
1003 if (likely(xdst->u.dst.xfrm))
1004 xfrm_state_put(xdst->u.dst.xfrm);
1008 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
1010 struct xfrm_if_parms {
1011 int link; /* ifindex of underlying L2 interface */
1012 u32 if_id; /* interface identifyer */
1017 struct xfrm_if __rcu *next; /* next interface in list */
1018 struct net_device *dev; /* virtual device associated with interface */
1019 struct net *net; /* netns for packet i/o */
1020 struct xfrm_if_parms p; /* interface parms */
1022 struct gro_cells gro_cells;
1025 struct xfrm_offload {
1026 /* Output sequence number for replay protection on offloading. */
1033 #define SA_DELETE_REQ 1
1034 #define CRYPTO_DONE 2
1035 #define CRYPTO_NEXT_DONE 4
1036 #define CRYPTO_FALLBACK 8
1037 #define XFRM_GSO_SEGMENT 16
1040 #define XFRM_DEV_RESUME 128
1041 #define XFRM_XMIT 256
1044 #define CRYPTO_SUCCESS 1
1045 #define CRYPTO_GENERIC_ERROR 2
1046 #define CRYPTO_TRANSPORT_AH_AUTH_FAILED 4
1047 #define CRYPTO_TRANSPORT_ESP_AUTH_FAILED 8
1048 #define CRYPTO_TUNNEL_AH_AUTH_FAILED 16
1049 #define CRYPTO_TUNNEL_ESP_AUTH_FAILED 32
1050 #define CRYPTO_INVALID_PACKET_SYNTAX 64
1051 #define CRYPTO_INVALID_PROTOCOL 128
1053 /* Used to keep whole l2 header for transport mode GRO */
1065 struct xfrm_state *xvec[XFRM_MAX_DEPTH];
1066 struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH];
1069 struct sec_path *secpath_set(struct sk_buff *skb);
1072 secpath_reset(struct sk_buff *skb)
1075 skb_ext_del(skb, SKB_EXT_SEC_PATH);
1080 xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1084 return addr->a4 == 0;
1086 return ipv6_addr_any(&addr->in6);
1092 __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1094 return (tmpl->saddr.a4 &&
1095 tmpl->saddr.a4 != x->props.saddr.a4);
1099 __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1101 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1102 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1106 xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1110 return __xfrm4_state_addr_cmp(tmpl, x);
1112 return __xfrm6_state_addr_cmp(tmpl, x);
1118 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1120 struct sec_path *sp = skb_sec_path(skb);
1122 return sp->xvec[sp->len - 1];
1126 static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
1129 struct sec_path *sp = skb_sec_path(skb);
1131 if (!sp || !sp->olen || sp->len != sp->olen)
1134 return &sp->ovec[sp->olen - 1];
1141 int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
1142 unsigned short family);
1144 static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb,
1147 if (!net->xfrm.policy_count[dir] && !secpath_exists(skb))
1148 return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT;
1153 static inline bool __xfrm_check_dev_nopolicy(struct sk_buff *skb,
1154 int dir, unsigned short family)
1156 if (dir != XFRM_POLICY_OUT && family == AF_INET) {
1157 /* same dst may be used for traffic originating from
1158 * devices with different policy settings.
1160 return IPCB(skb)->flags & IPSKB_NOPOLICY;
1162 return skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY);
1165 static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1166 struct sk_buff *skb,
1167 unsigned int family, int reverse)
1169 struct net *net = dev_net(skb->dev);
1170 int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1171 struct xfrm_offload *xo = xfrm_offload(skb);
1172 struct xfrm_state *x;
1174 if (sk && sk->sk_policy[XFRM_POLICY_IN])
1175 return __xfrm_policy_check(sk, ndir, skb, family);
1178 x = xfrm_input_state(skb);
1179 if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET)
1180 return (xo->flags & CRYPTO_DONE) &&
1181 (xo->status & CRYPTO_SUCCESS);
1184 return __xfrm_check_nopolicy(net, skb, dir) ||
1185 __xfrm_check_dev_nopolicy(skb, dir, family) ||
1186 __xfrm_policy_check(sk, ndir, skb, family);
1189 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1191 return __xfrm_policy_check2(sk, dir, skb, family, 0);
1194 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1196 return xfrm_policy_check(sk, dir, skb, AF_INET);
1199 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1201 return xfrm_policy_check(sk, dir, skb, AF_INET6);
1204 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1205 struct sk_buff *skb)
1207 return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1210 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1211 struct sk_buff *skb)
1213 return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1216 int __xfrm_decode_session(struct net *net, struct sk_buff *skb, struct flowi *fl,
1217 unsigned int family, int reverse);
1219 static inline int xfrm_decode_session(struct net *net, struct sk_buff *skb, struct flowi *fl,
1220 unsigned int family)
1222 return __xfrm_decode_session(net, skb, fl, family, 0);
1225 static inline int xfrm_decode_session_reverse(struct net *net, struct sk_buff *skb,
1227 unsigned int family)
1229 return __xfrm_decode_session(net, skb, fl, family, 1);
1232 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1234 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1236 struct net *net = dev_net(skb->dev);
1238 if (!net->xfrm.policy_count[XFRM_POLICY_OUT] &&
1239 net->xfrm.policy_default[XFRM_POLICY_OUT] == XFRM_USERPOLICY_ACCEPT)
1242 return (skb_dst(skb)->flags & DST_NOXFRM) ||
1243 __xfrm_route_forward(skb, family);
1246 static inline int xfrm4_route_forward(struct sk_buff *skb)
1248 return xfrm_route_forward(skb, AF_INET);
1251 static inline int xfrm6_route_forward(struct sk_buff *skb)
1253 return xfrm_route_forward(skb, AF_INET6);
1256 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk);
1258 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
1260 if (!sk_fullsock(osk))
1262 sk->sk_policy[0] = NULL;
1263 sk->sk_policy[1] = NULL;
1264 if (unlikely(osk->sk_policy[0] || osk->sk_policy[1]))
1265 return __xfrm_sk_clone_policy(sk, osk);
1269 int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1271 static inline void xfrm_sk_free_policy(struct sock *sk)
1273 struct xfrm_policy *pol;
1275 pol = rcu_dereference_protected(sk->sk_policy[0], 1);
1276 if (unlikely(pol != NULL)) {
1277 xfrm_policy_delete(pol, XFRM_POLICY_MAX);
1278 sk->sk_policy[0] = NULL;
1280 pol = rcu_dereference_protected(sk->sk_policy[1], 1);
1281 if (unlikely(pol != NULL)) {
1282 xfrm_policy_delete(pol, XFRM_POLICY_MAX+1);
1283 sk->sk_policy[1] = NULL;
1289 static inline void xfrm_sk_free_policy(struct sock *sk) {}
1290 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; }
1291 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
1292 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
1293 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1297 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1301 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1305 static inline int xfrm_decode_session_reverse(struct net *net, struct sk_buff *skb,
1307 unsigned int family)
1311 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1312 struct sk_buff *skb)
1316 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1317 struct sk_buff *skb)
1324 xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1328 return (xfrm_address_t *)&fl->u.ip4.daddr;
1330 return (xfrm_address_t *)&fl->u.ip6.daddr;
1336 xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1340 return (xfrm_address_t *)&fl->u.ip4.saddr;
1342 return (xfrm_address_t *)&fl->u.ip6.saddr;
1348 void xfrm_flowi_addr_get(const struct flowi *fl,
1349 xfrm_address_t *saddr, xfrm_address_t *daddr,
1350 unsigned short family)
1354 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1355 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1358 saddr->in6 = fl->u.ip6.saddr;
1359 daddr->in6 = fl->u.ip6.daddr;
1364 static __inline__ int
1365 __xfrm4_state_addr_check(const struct xfrm_state *x,
1366 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1368 if (daddr->a4 == x->id.daddr.a4 &&
1369 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1374 static __inline__ int
1375 __xfrm6_state_addr_check(const struct xfrm_state *x,
1376 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1378 if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1379 (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
1380 ipv6_addr_any((struct in6_addr *)saddr) ||
1381 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1386 static __inline__ int
1387 xfrm_state_addr_check(const struct xfrm_state *x,
1388 const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1389 unsigned short family)
1393 return __xfrm4_state_addr_check(x, daddr, saddr);
1395 return __xfrm6_state_addr_check(x, daddr, saddr);
1400 static __inline__ int
1401 xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1402 unsigned short family)
1406 return __xfrm4_state_addr_check(x,
1407 (const xfrm_address_t *)&fl->u.ip4.daddr,
1408 (const xfrm_address_t *)&fl->u.ip4.saddr);
1410 return __xfrm6_state_addr_check(x,
1411 (const xfrm_address_t *)&fl->u.ip6.daddr,
1412 (const xfrm_address_t *)&fl->u.ip6.saddr);
1417 static inline int xfrm_state_kern(const struct xfrm_state *x)
1419 return atomic_read(&x->tunnel_users);
1422 static inline bool xfrm_id_proto_valid(u8 proto)
1428 #if IS_ENABLED(CONFIG_IPV6)
1429 case IPPROTO_ROUTING:
1430 case IPPROTO_DSTOPTS:
1438 /* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */
1439 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1441 return (!userproto || proto == userproto ||
1442 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1443 proto == IPPROTO_ESP ||
1444 proto == IPPROTO_COMP)));
1448 * xfrm algorithm information
1450 struct xfrm_algo_aead_info {
1455 struct xfrm_algo_auth_info {
1460 struct xfrm_algo_encr_info {
1466 struct xfrm_algo_comp_info {
1470 struct xfrm_algo_desc {
1474 u8 pfkey_supported:1;
1476 struct xfrm_algo_aead_info aead;
1477 struct xfrm_algo_auth_info auth;
1478 struct xfrm_algo_encr_info encr;
1479 struct xfrm_algo_comp_info comp;
1481 struct sadb_alg desc;
1484 /* XFRM protocol handlers. */
1485 struct xfrm4_protocol {
1486 int (*handler)(struct sk_buff *skb);
1487 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1489 int (*cb_handler)(struct sk_buff *skb, int err);
1490 int (*err_handler)(struct sk_buff *skb, u32 info);
1492 struct xfrm4_protocol __rcu *next;
1496 struct xfrm6_protocol {
1497 int (*handler)(struct sk_buff *skb);
1498 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1500 int (*cb_handler)(struct sk_buff *skb, int err);
1501 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1502 u8 type, u8 code, int offset, __be32 info);
1504 struct xfrm6_protocol __rcu *next;
1508 /* XFRM tunnel handlers. */
1509 struct xfrm_tunnel {
1510 int (*handler)(struct sk_buff *skb);
1511 int (*cb_handler)(struct sk_buff *skb, int err);
1512 int (*err_handler)(struct sk_buff *skb, u32 info);
1514 struct xfrm_tunnel __rcu *next;
1518 struct xfrm6_tunnel {
1519 int (*handler)(struct sk_buff *skb);
1520 int (*cb_handler)(struct sk_buff *skb, int err);
1521 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1522 u8 type, u8 code, int offset, __be32 info);
1523 struct xfrm6_tunnel __rcu *next;
1527 void xfrm_init(void);
1528 void xfrm4_init(void);
1529 int xfrm_state_init(struct net *net);
1530 void xfrm_state_fini(struct net *net);
1531 void xfrm4_state_init(void);
1532 void xfrm4_protocol_init(void);
1534 int xfrm6_init(void);
1535 void xfrm6_fini(void);
1536 int xfrm6_state_init(void);
1537 void xfrm6_state_fini(void);
1538 int xfrm6_protocol_init(void);
1539 void xfrm6_protocol_fini(void);
1541 static inline int xfrm6_init(void)
1545 static inline void xfrm6_fini(void)
1551 #ifdef CONFIG_XFRM_STATISTICS
1552 int xfrm_proc_init(struct net *net);
1553 void xfrm_proc_fini(struct net *net);
1556 int xfrm_sysctl_init(struct net *net);
1557 #ifdef CONFIG_SYSCTL
1558 void xfrm_sysctl_fini(struct net *net);
1560 static inline void xfrm_sysctl_fini(struct net *net)
1565 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
1566 struct xfrm_address_filter *filter);
1567 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1568 int (*func)(struct xfrm_state *, int, void*), void *);
1569 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
1570 struct xfrm_state *xfrm_state_alloc(struct net *net);
1571 void xfrm_state_free(struct xfrm_state *x);
1572 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1573 const xfrm_address_t *saddr,
1574 const struct flowi *fl,
1575 struct xfrm_tmpl *tmpl,
1576 struct xfrm_policy *pol, int *err,
1577 unsigned short family, u32 if_id);
1578 struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id,
1579 xfrm_address_t *daddr,
1580 xfrm_address_t *saddr,
1581 unsigned short family,
1582 u8 mode, u8 proto, u32 reqid);
1583 struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1584 unsigned short family);
1585 int xfrm_state_check_expire(struct xfrm_state *x);
1586 void xfrm_state_update_stats(struct net *net);
1587 #ifdef CONFIG_XFRM_OFFLOAD
1588 static inline void xfrm_dev_state_update_stats(struct xfrm_state *x)
1590 struct xfrm_dev_offload *xdo = &x->xso;
1591 struct net_device *dev = xdo->dev;
1593 if (dev && dev->xfrmdev_ops &&
1594 dev->xfrmdev_ops->xdo_dev_state_update_stats)
1595 dev->xfrmdev_ops->xdo_dev_state_update_stats(x);
1599 static inline void xfrm_dev_state_update_stats(struct xfrm_state *x) {}
1601 void xfrm_state_insert(struct xfrm_state *x);
1602 int xfrm_state_add(struct xfrm_state *x);
1603 int xfrm_state_update(struct xfrm_state *x);
1604 struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1605 const xfrm_address_t *daddr, __be32 spi,
1606 u8 proto, unsigned short family);
1607 struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1608 const xfrm_address_t *daddr,
1609 const xfrm_address_t *saddr,
1611 unsigned short family);
1612 #ifdef CONFIG_XFRM_SUB_POLICY
1613 void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1614 unsigned short family);
1615 void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1616 unsigned short family);
1618 static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s,
1619 int n, unsigned short family)
1623 static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s,
1624 int n, unsigned short family)
1629 struct xfrmk_sadinfo {
1630 u32 sadhcnt; /* current hash bkts */
1631 u32 sadhmcnt; /* max allowed hash bkts */
1632 u32 sadcnt; /* current running count */
1635 struct xfrmk_spdinfo {
1646 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
1647 int xfrm_state_delete(struct xfrm_state *x);
1648 int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
1649 int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
1650 int xfrm_dev_policy_flush(struct net *net, struct net_device *dev,
1652 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1653 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1654 u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1655 int xfrm_init_replay(struct xfrm_state *x, struct netlink_ext_ack *extack);
1656 u32 xfrm_state_mtu(struct xfrm_state *x, int mtu);
1657 int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload,
1658 struct netlink_ext_ack *extack);
1659 int xfrm_init_state(struct xfrm_state *x);
1660 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
1661 int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1662 int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
1663 int (*finish)(struct net *, struct sock *,
1665 int xfrm_trans_queue(struct sk_buff *skb,
1666 int (*finish)(struct net *, struct sock *,
1668 int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err);
1669 int xfrm_output(struct sock *sk, struct sk_buff *skb);
1671 #if IS_ENABLED(CONFIG_NET_PKTGEN)
1672 int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb);
1675 void xfrm_local_error(struct sk_buff *skb, int mtu);
1676 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1678 int xfrm4_transport_finish(struct sk_buff *skb, int async);
1679 int xfrm4_rcv(struct sk_buff *skb);
1681 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1683 XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
1684 XFRM_SPI_SKB_CB(skb)->family = AF_INET;
1685 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
1686 return xfrm_input(skb, nexthdr, spi, 0);
1689 int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1690 int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);
1691 int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);
1692 int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1693 int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1694 void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
1695 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
1697 int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1699 int xfrm6_transport_finish(struct sk_buff *skb, int async);
1700 int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t);
1701 int xfrm6_rcv(struct sk_buff *skb);
1702 int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1703 xfrm_address_t *saddr, u8 proto);
1704 void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
1705 int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);
1706 int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);
1707 int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1708 int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1709 __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1710 __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1711 int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1714 void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu);
1715 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1716 int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1717 struct sk_buff *xfrm4_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
1718 struct sk_buff *skb);
1719 struct sk_buff *xfrm6_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
1720 struct sk_buff *skb);
1721 int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval,
1724 static inline int xfrm_user_policy(struct sock *sk, int optname,
1725 sockptr_t optval, int optlen)
1727 return -ENOPROTOOPT;
1731 struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
1732 const xfrm_address_t *saddr,
1733 const xfrm_address_t *daddr,
1734 int family, u32 mark);
1736 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1738 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1739 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1740 int (*func)(struct xfrm_policy *, int, int, void*),
1742 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1743 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1744 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net,
1745 const struct xfrm_mark *mark,
1746 u32 if_id, u8 type, int dir,
1747 struct xfrm_selector *sel,
1748 struct xfrm_sec_ctx *ctx, int delete,
1750 struct xfrm_policy *xfrm_policy_byid(struct net *net,
1751 const struct xfrm_mark *mark, u32 if_id,
1752 u8 type, int dir, u32 id, int delete,
1754 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
1755 void xfrm_policy_hash_rebuild(struct net *net);
1756 u32 xfrm_get_acqseq(void);
1757 int verify_spi_info(u8 proto, u32 min, u32 max, struct netlink_ext_ack *extack);
1758 int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi,
1759 struct netlink_ext_ack *extack);
1760 struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
1761 u8 mode, u32 reqid, u32 if_id, u8 proto,
1762 const xfrm_address_t *daddr,
1763 const xfrm_address_t *saddr, int create,
1764 unsigned short family);
1765 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1767 #ifdef CONFIG_XFRM_MIGRATE
1768 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1769 const struct xfrm_migrate *m, int num_bundles,
1770 const struct xfrm_kmaddress *k,
1771 const struct xfrm_encap_tmpl *encap);
1772 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net,
1774 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
1775 struct xfrm_migrate *m,
1776 struct xfrm_encap_tmpl *encap);
1777 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1778 struct xfrm_migrate *m, int num_bundles,
1779 struct xfrm_kmaddress *k, struct net *net,
1780 struct xfrm_encap_tmpl *encap, u32 if_id,
1781 struct netlink_ext_ack *extack);
1784 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1785 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1786 int km_report(struct net *net, u8 proto, struct xfrm_selector *sel,
1787 xfrm_address_t *addr);
1789 void xfrm_input_init(void);
1790 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1792 void xfrm_probe_algs(void);
1793 int xfrm_count_pfkey_auth_supported(void);
1794 int xfrm_count_pfkey_enc_supported(void);
1795 struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1796 struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1797 struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1798 struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1799 struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1800 struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1801 struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1802 struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1803 struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1806 static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1807 const xfrm_address_t *b)
1809 return ipv6_addr_equal((const struct in6_addr *)a,
1810 (const struct in6_addr *)b);
1813 static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1814 const xfrm_address_t *b,
1820 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1822 return xfrm6_addr_equal(a, b);
1826 static inline int xfrm_policy_id2dir(u32 index)
1832 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq);
1833 int xfrm_replay_check(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
1834 void xfrm_replay_notify(struct xfrm_state *x, int event);
1835 int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb);
1836 int xfrm_replay_recheck(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
1838 static inline int xfrm_aevent_is_on(struct net *net)
1844 nlsk = rcu_dereference(net->xfrm.nlsk);
1846 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1851 static inline int xfrm_acquire_is_on(struct net *net)
1857 nlsk = rcu_dereference(net->xfrm.nlsk);
1859 ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE);
1866 static inline unsigned int aead_len(struct xfrm_algo_aead *alg)
1868 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1871 static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg)
1873 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1876 static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1878 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1881 static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1883 return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1886 #ifdef CONFIG_XFRM_MIGRATE
1887 static inline int xfrm_replay_clone(struct xfrm_state *x,
1888 struct xfrm_state *orig)
1891 x->replay_esn = kmemdup(orig->replay_esn,
1892 xfrm_replay_state_esn_len(orig->replay_esn),
1896 x->preplay_esn = kmemdup(orig->preplay_esn,
1897 xfrm_replay_state_esn_len(orig->preplay_esn),
1899 if (!x->preplay_esn)
1905 static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig)
1907 return kmemdup(orig, aead_len(orig), GFP_KERNEL);
1911 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1913 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1916 static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1918 return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1921 static inline void xfrm_states_put(struct xfrm_state **states, int n)
1924 for (i = 0; i < n; i++)
1925 xfrm_state_put(*(states + i));
1928 static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1931 for (i = 0; i < n; i++)
1932 xfrm_state_delete(*(states + i));
1936 void __init xfrm_dev_init(void);
1938 #ifdef CONFIG_XFRM_OFFLOAD
1939 void xfrm_dev_resume(struct sk_buff *skb);
1940 void xfrm_dev_backlog(struct softnet_data *sd);
1941 struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again);
1942 int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
1943 struct xfrm_user_offload *xuo,
1944 struct netlink_ext_ack *extack);
1945 int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
1946 struct xfrm_user_offload *xuo, u8 dir,
1947 struct netlink_ext_ack *extack);
1948 bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
1950 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1952 struct xfrm_dev_offload *xso = &x->xso;
1954 if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn)
1955 xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
1958 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1960 struct xfrm_state *x = dst->xfrm;
1961 struct xfrm_dst *xdst;
1963 if (!x || !x->type_offload)
1966 xdst = (struct xfrm_dst *) dst;
1967 if (!x->xso.offload_handle && !xdst->child->xfrm)
1969 if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) &&
1976 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1978 struct xfrm_dev_offload *xso = &x->xso;
1981 xso->dev->xfrmdev_ops->xdo_dev_state_delete(x);
1984 static inline void xfrm_dev_state_free(struct xfrm_state *x)
1986 struct xfrm_dev_offload *xso = &x->xso;
1987 struct net_device *dev = xso->dev;
1989 if (dev && dev->xfrmdev_ops) {
1990 if (dev->xfrmdev_ops->xdo_dev_state_free)
1991 dev->xfrmdev_ops->xdo_dev_state_free(x);
1993 xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
1994 netdev_put(dev, &xso->dev_tracker);
1998 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x)
2000 struct xfrm_dev_offload *xdo = &x->xdo;
2001 struct net_device *dev = xdo->dev;
2003 if (dev && dev->xfrmdev_ops && dev->xfrmdev_ops->xdo_dev_policy_delete)
2004 dev->xfrmdev_ops->xdo_dev_policy_delete(x);
2007 static inline void xfrm_dev_policy_free(struct xfrm_policy *x)
2009 struct xfrm_dev_offload *xdo = &x->xdo;
2010 struct net_device *dev = xdo->dev;
2012 if (dev && dev->xfrmdev_ops) {
2013 if (dev->xfrmdev_ops->xdo_dev_policy_free)
2014 dev->xfrmdev_ops->xdo_dev_policy_free(x);
2016 netdev_put(dev, &xdo->dev_tracker);
2020 static inline void xfrm_dev_resume(struct sk_buff *skb)
2024 static inline void xfrm_dev_backlog(struct softnet_data *sd)
2028 static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
2033 static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo, struct netlink_ext_ack *extack)
2038 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
2042 static inline void xfrm_dev_state_free(struct xfrm_state *x)
2046 static inline int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
2047 struct xfrm_user_offload *xuo, u8 dir,
2048 struct netlink_ext_ack *extack)
2053 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x)
2057 static inline void xfrm_dev_policy_free(struct xfrm_policy *x)
2061 static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
2066 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
2070 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
2076 static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
2078 if (attrs[XFRMA_MARK])
2079 memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
2086 static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
2091 ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
2095 static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x)
2097 struct xfrm_mark *m = &x->props.smark;
2099 return (m->v & m->m) | (mark & ~m->m);
2102 static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id)
2107 ret = nla_put_u32(skb, XFRMA_IF_ID, if_id);
2111 static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
2112 unsigned int family)
2114 bool tunnel = false;
2118 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
2122 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
2126 if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL))
2132 extern const int xfrm_msg_min[XFRM_NR_MSGTYPES];
2133 extern const struct nla_policy xfrma_policy[XFRMA_MAX+1];
2135 struct xfrm_translator {
2136 /* Allocate frag_list and put compat translation there */
2137 int (*alloc_compat)(struct sk_buff *skb, const struct nlmsghdr *src);
2139 /* Allocate nlmsg with 64-bit translaton of received 32-bit message */
2140 struct nlmsghdr *(*rcv_msg_compat)(const struct nlmsghdr *nlh,
2141 int maxtype, const struct nla_policy *policy,
2142 struct netlink_ext_ack *extack);
2144 /* Translate 32-bit user_policy from sockptr */
2145 int (*xlate_user_policy_sockptr)(u8 **pdata32, int optlen);
2147 struct module *owner;
2150 #if IS_ENABLED(CONFIG_XFRM_USER_COMPAT)
2151 extern int xfrm_register_translator(struct xfrm_translator *xtr);
2152 extern int xfrm_unregister_translator(struct xfrm_translator *xtr);
2153 extern struct xfrm_translator *xfrm_get_translator(void);
2154 extern void xfrm_put_translator(struct xfrm_translator *xtr);
2156 static inline struct xfrm_translator *xfrm_get_translator(void)
2160 static inline void xfrm_put_translator(struct xfrm_translator *xtr)
2165 #if IS_ENABLED(CONFIG_IPV6)
2166 static inline bool xfrm6_local_dontfrag(const struct sock *sk)
2170 if (!sk || sk->sk_family != AF_INET6)
2173 proto = sk->sk_protocol;
2174 if (proto == IPPROTO_UDP || proto == IPPROTO_RAW)
2175 return inet6_test_bit(DONTFRAG, sk);
2181 #if (IS_BUILTIN(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) || \
2182 (IS_MODULE(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES))
2184 extern struct metadata_dst __percpu *xfrm_bpf_md_dst;
2186 int register_xfrm_interface_bpf(void);
2190 static inline int register_xfrm_interface_bpf(void)
2197 #if IS_ENABLED(CONFIG_DEBUG_INFO_BTF)
2198 int register_xfrm_state_bpf(void);
2200 static inline int register_xfrm_state_bpf(void)
2206 #endif /* _NET_XFRM_H */
projects / linux.git / blob