6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * Kazunori MIYAZAWA @USAGI
11 * Split up af-specific portion
12 * Derek Atkins <derek@ihtfp.com> Add the post_input processor
16 #include <linux/err.h>
17 #include <linux/slab.h>
18 #include <linux/kmod.h>
19 #include <linux/list.h>
20 #include <linux/spinlock.h>
21 #include <linux/workqueue.h>
22 #include <linux/notifier.h>
23 #include <linux/netdevice.h>
24 #include <linux/netfilter.h>
25 #include <linux/module.h>
26 #include <linux/cache.h>
27 #include <linux/audit.h>
31 #ifdef CONFIG_XFRM_STATISTICS
35 #include "xfrm_hash.h"
37 DEFINE_MUTEX(xfrm_cfg_mutex);
38 EXPORT_SYMBOL(xfrm_cfg_mutex);
40 static DEFINE_SPINLOCK(xfrm_policy_sk_bundle_lock);
41 static struct dst_entry *xfrm_policy_sk_bundles;
42 static DEFINE_RWLOCK(xfrm_policy_lock);
44 static DEFINE_RWLOCK(xfrm_policy_afinfo_lock);
45 static struct xfrm_policy_afinfo *xfrm_policy_afinfo[NPROTO];
47 static struct kmem_cache *xfrm_dst_cache __read_mostly;
49 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
50 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
51 static void xfrm_init_pmtu(struct dst_entry *dst);
52 static int stale_bundle(struct dst_entry *dst);
53 static int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst,
54 const struct flowi *fl, int family);
57 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
61 __xfrm4_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
63 return addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) &&
64 addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) &&
65 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
66 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
67 (fl->proto == sel->proto || !sel->proto) &&
68 (fl->oif == sel->ifindex || !sel->ifindex);
72 __xfrm6_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
74 return addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) &&
75 addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) &&
76 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
77 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
78 (fl->proto == sel->proto || !sel->proto) &&
79 (fl->oif == sel->ifindex || !sel->ifindex);
82 int xfrm_selector_match(const struct xfrm_selector *sel, const struct flowi *fl,
83 unsigned short family)
87 return __xfrm4_selector_match(sel, fl);
89 return __xfrm6_selector_match(sel, fl);
94 static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos,
95 const xfrm_address_t *saddr,
96 const xfrm_address_t *daddr,
99 struct xfrm_policy_afinfo *afinfo;
100 struct dst_entry *dst;
102 afinfo = xfrm_policy_get_afinfo(family);
103 if (unlikely(afinfo == NULL))
104 return ERR_PTR(-EAFNOSUPPORT);
106 dst = afinfo->dst_lookup(net, tos, saddr, daddr);
108 xfrm_policy_put_afinfo(afinfo);
113 static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x, int tos,
114 xfrm_address_t *prev_saddr,
115 xfrm_address_t *prev_daddr,
118 struct net *net = xs_net(x);
119 xfrm_address_t *saddr = &x->props.saddr;
120 xfrm_address_t *daddr = &x->id.daddr;
121 struct dst_entry *dst;
123 if (x->type->flags & XFRM_TYPE_LOCAL_COADDR) {
127 if (x->type->flags & XFRM_TYPE_REMOTE_COADDR) {
132 dst = __xfrm_dst_lookup(net, tos, saddr, daddr, family);
135 if (prev_saddr != saddr)
136 memcpy(prev_saddr, saddr, sizeof(*prev_saddr));
137 if (prev_daddr != daddr)
138 memcpy(prev_daddr, daddr, sizeof(*prev_daddr));
144 static inline unsigned long make_jiffies(long secs)
146 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
147 return MAX_SCHEDULE_TIMEOUT-1;
152 static void xfrm_policy_timer(unsigned long data)
154 struct xfrm_policy *xp = (struct xfrm_policy*)data;
155 unsigned long now = get_seconds();
156 long next = LONG_MAX;
160 read_lock(&xp->lock);
162 if (unlikely(xp->walk.dead))
165 dir = xfrm_policy_id2dir(xp->index);
167 if (xp->lft.hard_add_expires_seconds) {
168 long tmo = xp->lft.hard_add_expires_seconds +
169 xp->curlft.add_time - now;
175 if (xp->lft.hard_use_expires_seconds) {
176 long tmo = xp->lft.hard_use_expires_seconds +
177 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
183 if (xp->lft.soft_add_expires_seconds) {
184 long tmo = xp->lft.soft_add_expires_seconds +
185 xp->curlft.add_time - now;
188 tmo = XFRM_KM_TIMEOUT;
193 if (xp->lft.soft_use_expires_seconds) {
194 long tmo = xp->lft.soft_use_expires_seconds +
195 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
198 tmo = XFRM_KM_TIMEOUT;
205 km_policy_expired(xp, dir, 0, 0);
206 if (next != LONG_MAX &&
207 !mod_timer(&xp->timer, jiffies + make_jiffies(next)))
211 read_unlock(&xp->lock);
216 read_unlock(&xp->lock);
217 if (!xfrm_policy_delete(xp, dir))
218 km_policy_expired(xp, dir, 1, 0);
222 static struct flow_cache_object *xfrm_policy_flo_get(struct flow_cache_object *flo)
224 struct xfrm_policy *pol = container_of(flo, struct xfrm_policy, flo);
226 if (unlikely(pol->walk.dead))
234 static int xfrm_policy_flo_check(struct flow_cache_object *flo)
236 struct xfrm_policy *pol = container_of(flo, struct xfrm_policy, flo);
238 return !pol->walk.dead;
241 static void xfrm_policy_flo_delete(struct flow_cache_object *flo)
243 xfrm_pol_put(container_of(flo, struct xfrm_policy, flo));
246 static const struct flow_cache_ops xfrm_policy_fc_ops = {
247 .get = xfrm_policy_flo_get,
248 .check = xfrm_policy_flo_check,
249 .delete = xfrm_policy_flo_delete,
252 /* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
256 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
258 struct xfrm_policy *policy;
260 policy = kzalloc(sizeof(struct xfrm_policy), gfp);
263 write_pnet(&policy->xp_net, net);
264 INIT_LIST_HEAD(&policy->walk.all);
265 INIT_HLIST_NODE(&policy->bydst);
266 INIT_HLIST_NODE(&policy->byidx);
267 rwlock_init(&policy->lock);
268 atomic_set(&policy->refcnt, 1);
269 setup_timer(&policy->timer, xfrm_policy_timer,
270 (unsigned long)policy);
271 policy->flo.ops = &xfrm_policy_fc_ops;
275 EXPORT_SYMBOL(xfrm_policy_alloc);
277 /* Destroy xfrm_policy: descendant resources must be released to this moment. */
279 void xfrm_policy_destroy(struct xfrm_policy *policy)
281 BUG_ON(!policy->walk.dead);
283 if (del_timer(&policy->timer))
286 security_xfrm_policy_free(policy->security);
289 EXPORT_SYMBOL(xfrm_policy_destroy);
291 /* Rule must be locked. Release descentant resources, announce
292 * entry dead. The rule must be unlinked from lists to the moment.
295 static void xfrm_policy_kill(struct xfrm_policy *policy)
297 policy->walk.dead = 1;
299 atomic_inc(&policy->genid);
301 if (del_timer(&policy->timer))
302 xfrm_pol_put(policy);
304 xfrm_pol_put(policy);
307 static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024;
309 static inline unsigned int idx_hash(struct net *net, u32 index)
311 return __idx_hash(index, net->xfrm.policy_idx_hmask);
314 static struct hlist_head *policy_hash_bysel(struct net *net,
315 const struct xfrm_selector *sel,
316 unsigned short family, int dir)
318 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
319 unsigned int hash = __sel_hash(sel, family, hmask);
321 return (hash == hmask + 1 ?
322 &net->xfrm.policy_inexact[dir] :
323 net->xfrm.policy_bydst[dir].table + hash);
326 static struct hlist_head *policy_hash_direct(struct net *net,
327 const xfrm_address_t *daddr,
328 const xfrm_address_t *saddr,
329 unsigned short family, int dir)
331 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
332 unsigned int hash = __addr_hash(daddr, saddr, family, hmask);
334 return net->xfrm.policy_bydst[dir].table + hash;
337 static void xfrm_dst_hash_transfer(struct hlist_head *list,
338 struct hlist_head *ndsttable,
339 unsigned int nhashmask)
341 struct hlist_node *entry, *tmp, *entry0 = NULL;
342 struct xfrm_policy *pol;
346 hlist_for_each_entry_safe(pol, entry, tmp, list, bydst) {
349 h = __addr_hash(&pol->selector.daddr, &pol->selector.saddr,
350 pol->family, nhashmask);
353 hlist_add_head(&pol->bydst, ndsttable+h);
359 hlist_add_after(entry0, &pol->bydst);
363 if (!hlist_empty(list)) {
369 static void xfrm_idx_hash_transfer(struct hlist_head *list,
370 struct hlist_head *nidxtable,
371 unsigned int nhashmask)
373 struct hlist_node *entry, *tmp;
374 struct xfrm_policy *pol;
376 hlist_for_each_entry_safe(pol, entry, tmp, list, byidx) {
379 h = __idx_hash(pol->index, nhashmask);
380 hlist_add_head(&pol->byidx, nidxtable+h);
384 static unsigned long xfrm_new_hash_mask(unsigned int old_hmask)
386 return ((old_hmask + 1) << 1) - 1;
389 static void xfrm_bydst_resize(struct net *net, int dir)
391 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
392 unsigned int nhashmask = xfrm_new_hash_mask(hmask);
393 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
394 struct hlist_head *odst = net->xfrm.policy_bydst[dir].table;
395 struct hlist_head *ndst = xfrm_hash_alloc(nsize);
401 write_lock_bh(&xfrm_policy_lock);
403 for (i = hmask; i >= 0; i--)
404 xfrm_dst_hash_transfer(odst + i, ndst, nhashmask);
406 net->xfrm.policy_bydst[dir].table = ndst;
407 net->xfrm.policy_bydst[dir].hmask = nhashmask;
409 write_unlock_bh(&xfrm_policy_lock);
411 xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head));
414 static void xfrm_byidx_resize(struct net *net, int total)
416 unsigned int hmask = net->xfrm.policy_idx_hmask;
417 unsigned int nhashmask = xfrm_new_hash_mask(hmask);
418 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
419 struct hlist_head *oidx = net->xfrm.policy_byidx;
420 struct hlist_head *nidx = xfrm_hash_alloc(nsize);
426 write_lock_bh(&xfrm_policy_lock);
428 for (i = hmask; i >= 0; i--)
429 xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask);
431 net->xfrm.policy_byidx = nidx;
432 net->xfrm.policy_idx_hmask = nhashmask;
434 write_unlock_bh(&xfrm_policy_lock);
436 xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head));
439 static inline int xfrm_bydst_should_resize(struct net *net, int dir, int *total)
441 unsigned int cnt = net->xfrm.policy_count[dir];
442 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
447 if ((hmask + 1) < xfrm_policy_hashmax &&
454 static inline int xfrm_byidx_should_resize(struct net *net, int total)
456 unsigned int hmask = net->xfrm.policy_idx_hmask;
458 if ((hmask + 1) < xfrm_policy_hashmax &&
465 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si)
467 read_lock_bh(&xfrm_policy_lock);
468 si->incnt = net->xfrm.policy_count[XFRM_POLICY_IN];
469 si->outcnt = net->xfrm.policy_count[XFRM_POLICY_OUT];
470 si->fwdcnt = net->xfrm.policy_count[XFRM_POLICY_FWD];
471 si->inscnt = net->xfrm.policy_count[XFRM_POLICY_IN+XFRM_POLICY_MAX];
472 si->outscnt = net->xfrm.policy_count[XFRM_POLICY_OUT+XFRM_POLICY_MAX];
473 si->fwdscnt = net->xfrm.policy_count[XFRM_POLICY_FWD+XFRM_POLICY_MAX];
474 si->spdhcnt = net->xfrm.policy_idx_hmask;
475 si->spdhmcnt = xfrm_policy_hashmax;
476 read_unlock_bh(&xfrm_policy_lock);
478 EXPORT_SYMBOL(xfrm_spd_getinfo);
480 static DEFINE_MUTEX(hash_resize_mutex);
481 static void xfrm_hash_resize(struct work_struct *work)
483 struct net *net = container_of(work, struct net, xfrm.policy_hash_work);
486 mutex_lock(&hash_resize_mutex);
489 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
490 if (xfrm_bydst_should_resize(net, dir, &total))
491 xfrm_bydst_resize(net, dir);
493 if (xfrm_byidx_should_resize(net, total))
494 xfrm_byidx_resize(net, total);
496 mutex_unlock(&hash_resize_mutex);
499 /* Generate new index... KAME seems to generate them ordered by cost
500 * of an absolute inpredictability of ordering of rules. This will not pass. */
501 static u32 xfrm_gen_index(struct net *net, int dir)
503 static u32 idx_generator;
506 struct hlist_node *entry;
507 struct hlist_head *list;
508 struct xfrm_policy *p;
512 idx = (idx_generator | dir);
516 list = net->xfrm.policy_byidx + idx_hash(net, idx);
518 hlist_for_each_entry(p, entry, list, byidx) {
519 if (p->index == idx) {
529 static inline int selector_cmp(struct xfrm_selector *s1, struct xfrm_selector *s2)
531 u32 *p1 = (u32 *) s1;
532 u32 *p2 = (u32 *) s2;
533 int len = sizeof(struct xfrm_selector) / sizeof(u32);
536 for (i = 0; i < len; i++) {
544 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
546 struct net *net = xp_net(policy);
547 struct xfrm_policy *pol;
548 struct xfrm_policy *delpol;
549 struct hlist_head *chain;
550 struct hlist_node *entry, *newpos;
551 u32 mark = policy->mark.v & policy->mark.m;
553 write_lock_bh(&xfrm_policy_lock);
554 chain = policy_hash_bysel(net, &policy->selector, policy->family, dir);
557 hlist_for_each_entry(pol, entry, chain, bydst) {
558 if (pol->type == policy->type &&
559 !selector_cmp(&pol->selector, &policy->selector) &&
560 (mark & pol->mark.m) == pol->mark.v &&
561 xfrm_sec_ctx_match(pol->security, policy->security) &&
564 write_unlock_bh(&xfrm_policy_lock);
568 if (policy->priority > pol->priority)
570 } else if (policy->priority >= pol->priority) {
571 newpos = &pol->bydst;
578 hlist_add_after(newpos, &policy->bydst);
580 hlist_add_head(&policy->bydst, chain);
581 xfrm_pol_hold(policy);
582 net->xfrm.policy_count[dir]++;
583 atomic_inc(&flow_cache_genid);
585 __xfrm_policy_unlink(delpol, dir);
586 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
587 hlist_add_head(&policy->byidx, net->xfrm.policy_byidx+idx_hash(net, policy->index));
588 policy->curlft.add_time = get_seconds();
589 policy->curlft.use_time = 0;
590 if (!mod_timer(&policy->timer, jiffies + HZ))
591 xfrm_pol_hold(policy);
592 list_add(&policy->walk.all, &net->xfrm.policy_all);
593 write_unlock_bh(&xfrm_policy_lock);
596 xfrm_policy_kill(delpol);
597 else if (xfrm_bydst_should_resize(net, dir, NULL))
598 schedule_work(&net->xfrm.policy_hash_work);
602 EXPORT_SYMBOL(xfrm_policy_insert);
604 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u8 type,
605 int dir, struct xfrm_selector *sel,
606 struct xfrm_sec_ctx *ctx, int delete,
609 struct xfrm_policy *pol, *ret;
610 struct hlist_head *chain;
611 struct hlist_node *entry;
614 write_lock_bh(&xfrm_policy_lock);
615 chain = policy_hash_bysel(net, sel, sel->family, dir);
617 hlist_for_each_entry(pol, entry, chain, bydst) {
618 if (pol->type == type &&
619 (mark & pol->mark.m) == pol->mark.v &&
620 !selector_cmp(sel, &pol->selector) &&
621 xfrm_sec_ctx_match(ctx, pol->security)) {
624 *err = security_xfrm_policy_delete(
627 write_unlock_bh(&xfrm_policy_lock);
630 __xfrm_policy_unlink(pol, dir);
636 write_unlock_bh(&xfrm_policy_lock);
639 xfrm_policy_kill(ret);
642 EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
644 struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8 type,
645 int dir, u32 id, int delete, int *err)
647 struct xfrm_policy *pol, *ret;
648 struct hlist_head *chain;
649 struct hlist_node *entry;
652 if (xfrm_policy_id2dir(id) != dir)
656 write_lock_bh(&xfrm_policy_lock);
657 chain = net->xfrm.policy_byidx + idx_hash(net, id);
659 hlist_for_each_entry(pol, entry, chain, byidx) {
660 if (pol->type == type && pol->index == id &&
661 (mark & pol->mark.m) == pol->mark.v) {
664 *err = security_xfrm_policy_delete(
667 write_unlock_bh(&xfrm_policy_lock);
670 __xfrm_policy_unlink(pol, dir);
676 write_unlock_bh(&xfrm_policy_lock);
679 xfrm_policy_kill(ret);
682 EXPORT_SYMBOL(xfrm_policy_byid);
684 #ifdef CONFIG_SECURITY_NETWORK_XFRM
686 xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info)
690 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
691 struct xfrm_policy *pol;
692 struct hlist_node *entry;
695 hlist_for_each_entry(pol, entry,
696 &net->xfrm.policy_inexact[dir], bydst) {
697 if (pol->type != type)
699 err = security_xfrm_policy_delete(pol->security);
701 xfrm_audit_policy_delete(pol, 0,
702 audit_info->loginuid,
703 audit_info->sessionid,
708 for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
709 hlist_for_each_entry(pol, entry,
710 net->xfrm.policy_bydst[dir].table + i,
712 if (pol->type != type)
714 err = security_xfrm_policy_delete(
717 xfrm_audit_policy_delete(pol, 0,
718 audit_info->loginuid,
719 audit_info->sessionid,
730 xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info)
736 int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
738 int dir, err = 0, cnt = 0;
740 write_lock_bh(&xfrm_policy_lock);
742 err = xfrm_policy_flush_secctx_check(net, type, audit_info);
746 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
747 struct xfrm_policy *pol;
748 struct hlist_node *entry;
752 hlist_for_each_entry(pol, entry,
753 &net->xfrm.policy_inexact[dir], bydst) {
754 if (pol->type != type)
756 __xfrm_policy_unlink(pol, dir);
757 write_unlock_bh(&xfrm_policy_lock);
760 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
761 audit_info->sessionid,
764 xfrm_policy_kill(pol);
766 write_lock_bh(&xfrm_policy_lock);
770 for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
772 hlist_for_each_entry(pol, entry,
773 net->xfrm.policy_bydst[dir].table + i,
775 if (pol->type != type)
777 __xfrm_policy_unlink(pol, dir);
778 write_unlock_bh(&xfrm_policy_lock);
781 xfrm_audit_policy_delete(pol, 1,
782 audit_info->loginuid,
783 audit_info->sessionid,
785 xfrm_policy_kill(pol);
787 write_lock_bh(&xfrm_policy_lock);
796 write_unlock_bh(&xfrm_policy_lock);
799 EXPORT_SYMBOL(xfrm_policy_flush);
801 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
802 int (*func)(struct xfrm_policy *, int, int, void*),
805 struct xfrm_policy *pol;
806 struct xfrm_policy_walk_entry *x;
809 if (walk->type >= XFRM_POLICY_TYPE_MAX &&
810 walk->type != XFRM_POLICY_TYPE_ANY)
813 if (list_empty(&walk->walk.all) && walk->seq != 0)
816 write_lock_bh(&xfrm_policy_lock);
817 if (list_empty(&walk->walk.all))
818 x = list_first_entry(&net->xfrm.policy_all, struct xfrm_policy_walk_entry, all);
820 x = list_entry(&walk->walk.all, struct xfrm_policy_walk_entry, all);
821 list_for_each_entry_from(x, &net->xfrm.policy_all, all) {
824 pol = container_of(x, struct xfrm_policy, walk);
825 if (walk->type != XFRM_POLICY_TYPE_ANY &&
826 walk->type != pol->type)
828 error = func(pol, xfrm_policy_id2dir(pol->index),
831 list_move_tail(&walk->walk.all, &x->all);
836 if (walk->seq == 0) {
840 list_del_init(&walk->walk.all);
842 write_unlock_bh(&xfrm_policy_lock);
845 EXPORT_SYMBOL(xfrm_policy_walk);
847 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type)
849 INIT_LIST_HEAD(&walk->walk.all);
854 EXPORT_SYMBOL(xfrm_policy_walk_init);
856 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk)
858 if (list_empty(&walk->walk.all))
861 write_lock_bh(&xfrm_policy_lock);
862 list_del(&walk->walk.all);
863 write_unlock_bh(&xfrm_policy_lock);
865 EXPORT_SYMBOL(xfrm_policy_walk_done);
868 * Find policy to apply to this flow.
870 * Returns 0 if policy found, else an -errno.
872 static int xfrm_policy_match(const struct xfrm_policy *pol,
873 const struct flowi *fl,
874 u8 type, u16 family, int dir)
876 const struct xfrm_selector *sel = &pol->selector;
877 int match, ret = -ESRCH;
879 if (pol->family != family ||
880 (fl->mark & pol->mark.m) != pol->mark.v ||
884 match = xfrm_selector_match(sel, fl, family);
886 ret = security_xfrm_policy_lookup(pol->security, fl->secid,
892 static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
893 const struct flowi *fl,
897 struct xfrm_policy *pol, *ret;
898 const xfrm_address_t *daddr, *saddr;
899 struct hlist_node *entry;
900 struct hlist_head *chain;
903 daddr = xfrm_flowi_daddr(fl, family);
904 saddr = xfrm_flowi_saddr(fl, family);
905 if (unlikely(!daddr || !saddr))
908 read_lock_bh(&xfrm_policy_lock);
909 chain = policy_hash_direct(net, daddr, saddr, family, dir);
911 hlist_for_each_entry(pol, entry, chain, bydst) {
912 err = xfrm_policy_match(pol, fl, type, family, dir);
922 priority = ret->priority;
926 chain = &net->xfrm.policy_inexact[dir];
927 hlist_for_each_entry(pol, entry, chain, bydst) {
928 err = xfrm_policy_match(pol, fl, type, family, dir);
936 } else if (pol->priority < priority) {
944 read_unlock_bh(&xfrm_policy_lock);
949 static struct xfrm_policy *
950 __xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir)
952 #ifdef CONFIG_XFRM_SUB_POLICY
953 struct xfrm_policy *pol;
955 pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_SUB, fl, family, dir);
959 return xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, fl, family, dir);
962 static struct flow_cache_object *
963 xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family,
964 u8 dir, struct flow_cache_object *old_obj, void *ctx)
966 struct xfrm_policy *pol;
969 xfrm_pol_put(container_of(old_obj, struct xfrm_policy, flo));
971 pol = __xfrm_policy_lookup(net, fl, family, dir);
972 if (IS_ERR_OR_NULL(pol))
973 return ERR_CAST(pol);
975 /* Resolver returns two references:
976 * one for cache and one for caller of flow_cache_lookup() */
982 static inline int policy_to_flow_dir(int dir)
984 if (XFRM_POLICY_IN == FLOW_DIR_IN &&
985 XFRM_POLICY_OUT == FLOW_DIR_OUT &&
986 XFRM_POLICY_FWD == FLOW_DIR_FWD)
992 case XFRM_POLICY_OUT:
994 case XFRM_POLICY_FWD:
999 static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir,
1000 const struct flowi *fl)
1002 struct xfrm_policy *pol;
1004 read_lock_bh(&xfrm_policy_lock);
1005 if ((pol = sk->sk_policy[dir]) != NULL) {
1006 int match = xfrm_selector_match(&pol->selector, fl,
1011 if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
1015 err = security_xfrm_policy_lookup(pol->security,
1017 policy_to_flow_dir(dir));
1020 else if (err == -ESRCH)
1028 read_unlock_bh(&xfrm_policy_lock);
1032 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
1034 struct net *net = xp_net(pol);
1035 struct hlist_head *chain = policy_hash_bysel(net, &pol->selector,
1038 list_add(&pol->walk.all, &net->xfrm.policy_all);
1039 hlist_add_head(&pol->bydst, chain);
1040 hlist_add_head(&pol->byidx, net->xfrm.policy_byidx+idx_hash(net, pol->index));
1041 net->xfrm.policy_count[dir]++;
1044 if (xfrm_bydst_should_resize(net, dir, NULL))
1045 schedule_work(&net->xfrm.policy_hash_work);
1048 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
1051 struct net *net = xp_net(pol);
1053 if (hlist_unhashed(&pol->bydst))
1056 hlist_del(&pol->bydst);
1057 hlist_del(&pol->byidx);
1058 list_del(&pol->walk.all);
1059 net->xfrm.policy_count[dir]--;
1064 int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
1066 write_lock_bh(&xfrm_policy_lock);
1067 pol = __xfrm_policy_unlink(pol, dir);
1068 write_unlock_bh(&xfrm_policy_lock);
1070 xfrm_policy_kill(pol);
1075 EXPORT_SYMBOL(xfrm_policy_delete);
1077 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
1079 struct net *net = xp_net(pol);
1080 struct xfrm_policy *old_pol;
1082 #ifdef CONFIG_XFRM_SUB_POLICY
1083 if (pol && pol->type != XFRM_POLICY_TYPE_MAIN)
1087 write_lock_bh(&xfrm_policy_lock);
1088 old_pol = sk->sk_policy[dir];
1089 sk->sk_policy[dir] = pol;
1091 pol->curlft.add_time = get_seconds();
1092 pol->index = xfrm_gen_index(net, XFRM_POLICY_MAX+dir);
1093 __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir);
1096 /* Unlinking succeeds always. This is the only function
1097 * allowed to delete or replace socket policy.
1099 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
1100 write_unlock_bh(&xfrm_policy_lock);
1103 xfrm_policy_kill(old_pol);
1108 static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
1110 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC);
1113 newp->selector = old->selector;
1114 if (security_xfrm_policy_clone(old->security,
1117 return NULL; /* ENOMEM */
1119 newp->lft = old->lft;
1120 newp->curlft = old->curlft;
1121 newp->mark = old->mark;
1122 newp->action = old->action;
1123 newp->flags = old->flags;
1124 newp->xfrm_nr = old->xfrm_nr;
1125 newp->index = old->index;
1126 newp->type = old->type;
1127 memcpy(newp->xfrm_vec, old->xfrm_vec,
1128 newp->xfrm_nr*sizeof(struct xfrm_tmpl));
1129 write_lock_bh(&xfrm_policy_lock);
1130 __xfrm_policy_link(newp, XFRM_POLICY_MAX+dir);
1131 write_unlock_bh(&xfrm_policy_lock);
1137 int __xfrm_sk_clone_policy(struct sock *sk)
1139 struct xfrm_policy *p0 = sk->sk_policy[0],
1140 *p1 = sk->sk_policy[1];
1142 sk->sk_policy[0] = sk->sk_policy[1] = NULL;
1143 if (p0 && (sk->sk_policy[0] = clone_policy(p0, 0)) == NULL)
1145 if (p1 && (sk->sk_policy[1] = clone_policy(p1, 1)) == NULL)
1151 xfrm_get_saddr(struct net *net, xfrm_address_t *local, xfrm_address_t *remote,
1152 unsigned short family)
1155 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1157 if (unlikely(afinfo == NULL))
1159 err = afinfo->get_saddr(net, local, remote);
1160 xfrm_policy_put_afinfo(afinfo);
1164 /* Resolve list of templates for the flow, given policy. */
1167 xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
1168 struct xfrm_state **xfrm, unsigned short family)
1170 struct net *net = xp_net(policy);
1173 xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
1174 xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
1177 for (nx=0, i = 0; i < policy->xfrm_nr; i++) {
1178 struct xfrm_state *x;
1179 xfrm_address_t *remote = daddr;
1180 xfrm_address_t *local = saddr;
1181 struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
1183 if (tmpl->mode == XFRM_MODE_TUNNEL ||
1184 tmpl->mode == XFRM_MODE_BEET) {
1185 remote = &tmpl->id.daddr;
1186 local = &tmpl->saddr;
1187 if (xfrm_addr_any(local, tmpl->encap_family)) {
1188 error = xfrm_get_saddr(net, &tmp, remote, tmpl->encap_family);
1195 x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
1197 if (x && x->km.state == XFRM_STATE_VALID) {
1204 error = (x->km.state == XFRM_STATE_ERROR ?
1208 else if (error == -ESRCH)
1211 if (!tmpl->optional)
1217 for (nx--; nx>=0; nx--)
1218 xfrm_state_put(xfrm[nx]);
1223 xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl,
1224 struct xfrm_state **xfrm, unsigned short family)
1226 struct xfrm_state *tp[XFRM_MAX_DEPTH];
1227 struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
1233 for (i = 0; i < npols; i++) {
1234 if (cnx + pols[i]->xfrm_nr >= XFRM_MAX_DEPTH) {
1239 ret = xfrm_tmpl_resolve_one(pols[i], fl, &tpp[cnx], family);
1247 /* found states are sorted for outbound processing */
1249 xfrm_state_sort(xfrm, tpp, cnx, family);
1254 for (cnx--; cnx>=0; cnx--)
1255 xfrm_state_put(tpp[cnx]);
1260 /* Check that the bundle accepts the flow and its components are
1264 static inline int xfrm_get_tos(const struct flowi *fl, int family)
1266 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1272 tos = afinfo->get_tos(fl);
1274 xfrm_policy_put_afinfo(afinfo);
1279 static struct flow_cache_object *xfrm_bundle_flo_get(struct flow_cache_object *flo)
1281 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1282 struct dst_entry *dst = &xdst->u.dst;
1284 if (xdst->route == NULL) {
1285 /* Dummy bundle - if it has xfrms we were not
1286 * able to build bundle as template resolution failed.
1287 * It means we need to try again resolving. */
1288 if (xdst->num_xfrms > 0)
1292 if (stale_bundle(dst))
1300 static int xfrm_bundle_flo_check(struct flow_cache_object *flo)
1302 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1303 struct dst_entry *dst = &xdst->u.dst;
1307 if (stale_bundle(dst))
1313 static void xfrm_bundle_flo_delete(struct flow_cache_object *flo)
1315 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1316 struct dst_entry *dst = &xdst->u.dst;
1321 static const struct flow_cache_ops xfrm_bundle_fc_ops = {
1322 .get = xfrm_bundle_flo_get,
1323 .check = xfrm_bundle_flo_check,
1324 .delete = xfrm_bundle_flo_delete,
1327 static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
1329 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1330 struct dst_ops *dst_ops;
1331 struct xfrm_dst *xdst;
1334 return ERR_PTR(-EINVAL);
1338 dst_ops = &net->xfrm.xfrm4_dst_ops;
1340 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
1342 dst_ops = &net->xfrm.xfrm6_dst_ops;
1348 xdst = dst_alloc(dst_ops, 0);
1349 xfrm_policy_put_afinfo(afinfo);
1352 xdst->flo.ops = &xfrm_bundle_fc_ops;
1354 xdst = ERR_PTR(-ENOBUFS);
1359 static inline int xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst,
1362 struct xfrm_policy_afinfo *afinfo =
1363 xfrm_policy_get_afinfo(dst->ops->family);
1369 err = afinfo->init_path(path, dst, nfheader_len);
1371 xfrm_policy_put_afinfo(afinfo);
1376 static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
1377 const struct flowi *fl)
1379 struct xfrm_policy_afinfo *afinfo =
1380 xfrm_policy_get_afinfo(xdst->u.dst.ops->family);
1386 err = afinfo->fill_dst(xdst, dev, fl);
1388 xfrm_policy_put_afinfo(afinfo);
1394 /* Allocate chain of dst_entry's, attach known xfrm's, calculate
1395 * all the metrics... Shortly, bundle a bundle.
1398 static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
1399 struct xfrm_state **xfrm, int nx,
1400 const struct flowi *fl,
1401 struct dst_entry *dst)
1403 struct net *net = xp_net(policy);
1404 unsigned long now = jiffies;
1405 struct net_device *dev;
1406 struct dst_entry *dst_prev = NULL;
1407 struct dst_entry *dst0 = NULL;
1411 int nfheader_len = 0;
1412 int trailer_len = 0;
1414 int family = policy->selector.family;
1415 xfrm_address_t saddr, daddr;
1417 xfrm_flowi_addr_get(fl, &saddr, &daddr, family);
1419 tos = xfrm_get_tos(fl, family);
1426 for (; i < nx; i++) {
1427 struct xfrm_dst *xdst = xfrm_alloc_dst(net, family);
1428 struct dst_entry *dst1 = &xdst->u.dst;
1430 err = PTR_ERR(xdst);
1439 dst_prev->child = dst_clone(dst1);
1440 dst1->flags |= DST_NOHASH;
1444 dst_copy_metrics(dst1, dst);
1446 if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
1447 family = xfrm[i]->props.family;
1448 dst = xfrm_dst_lookup(xfrm[i], tos, &saddr, &daddr,
1456 dst1->xfrm = xfrm[i];
1457 xdst->xfrm_genid = xfrm[i]->genid;
1459 dst1->obsolete = -1;
1460 dst1->flags |= DST_HOST;
1461 dst1->lastuse = now;
1463 dst1->input = dst_discard;
1464 dst1->output = xfrm[i]->outer_mode->afinfo->output;
1466 dst1->next = dst_prev;
1469 header_len += xfrm[i]->props.header_len;
1470 if (xfrm[i]->type->flags & XFRM_TYPE_NON_FRAGMENT)
1471 nfheader_len += xfrm[i]->props.header_len;
1472 trailer_len += xfrm[i]->props.trailer_len;
1475 dst_prev->child = dst;
1483 /* Copy neighbour for reachability confirmation */
1484 dst0->neighbour = neigh_clone(dst->neighbour);
1486 xfrm_init_path((struct xfrm_dst *)dst0, dst, nfheader_len);
1487 xfrm_init_pmtu(dst_prev);
1489 for (dst_prev = dst0; dst_prev != dst; dst_prev = dst_prev->child) {
1490 struct xfrm_dst *xdst = (struct xfrm_dst *)dst_prev;
1492 err = xfrm_fill_dst(xdst, dev, fl);
1496 dst_prev->header_len = header_len;
1497 dst_prev->trailer_len = trailer_len;
1498 header_len -= xdst->u.dst.xfrm->props.header_len;
1499 trailer_len -= xdst->u.dst.xfrm->props.trailer_len;
1507 xfrm_state_put(xfrm[i]);
1511 dst0 = ERR_PTR(err);
1516 xfrm_dst_alloc_copy(void **target, const void *src, int size)
1519 *target = kmalloc(size, GFP_ATOMIC);
1523 memcpy(*target, src, size);
1528 xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
1530 #ifdef CONFIG_XFRM_SUB_POLICY
1531 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
1532 return xfrm_dst_alloc_copy((void **)&(xdst->partner),
1540 xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
1542 #ifdef CONFIG_XFRM_SUB_POLICY
1543 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
1544 return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl));
1550 static int xfrm_expand_policies(const struct flowi *fl, u16 family,
1551 struct xfrm_policy **pols,
1552 int *num_pols, int *num_xfrms)
1556 if (*num_pols == 0 || !pols[0]) {
1561 if (IS_ERR(pols[0]))
1562 return PTR_ERR(pols[0]);
1564 *num_xfrms = pols[0]->xfrm_nr;
1566 #ifdef CONFIG_XFRM_SUB_POLICY
1567 if (pols[0] && pols[0]->action == XFRM_POLICY_ALLOW &&
1568 pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
1569 pols[1] = xfrm_policy_lookup_bytype(xp_net(pols[0]),
1570 XFRM_POLICY_TYPE_MAIN,
1574 if (IS_ERR(pols[1])) {
1575 xfrm_pols_put(pols, *num_pols);
1576 return PTR_ERR(pols[1]);
1579 (*num_xfrms) += pols[1]->xfrm_nr;
1583 for (i = 0; i < *num_pols; i++) {
1584 if (pols[i]->action != XFRM_POLICY_ALLOW) {
1594 static struct xfrm_dst *
1595 xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
1596 const struct flowi *fl, u16 family,
1597 struct dst_entry *dst_orig)
1599 struct net *net = xp_net(pols[0]);
1600 struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
1601 struct dst_entry *dst;
1602 struct xfrm_dst *xdst;
1605 /* Try to instantiate a bundle */
1606 err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);
1608 if (err != 0 && err != -EAGAIN)
1609 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
1610 return ERR_PTR(err);
1613 dst = xfrm_bundle_create(pols[0], xfrm, err, fl, dst_orig);
1615 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLEGENERROR);
1616 return ERR_CAST(dst);
1619 xdst = (struct xfrm_dst *)dst;
1620 xdst->num_xfrms = err;
1622 err = xfrm_dst_update_parent(dst, &pols[1]->selector);
1624 err = xfrm_dst_update_origin(dst, fl);
1625 if (unlikely(err)) {
1627 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1628 return ERR_PTR(err);
1631 xdst->num_pols = num_pols;
1632 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
1633 xdst->policy_genid = atomic_read(&pols[0]->genid);
1638 static struct flow_cache_object *
1639 xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir,
1640 struct flow_cache_object *oldflo, void *ctx)
1642 struct dst_entry *dst_orig = (struct dst_entry *)ctx;
1643 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1644 struct xfrm_dst *xdst, *new_xdst;
1645 int num_pols = 0, num_xfrms = 0, i, err, pol_dead;
1647 /* Check if the policies from old bundle are usable */
1650 xdst = container_of(oldflo, struct xfrm_dst, flo);
1651 num_pols = xdst->num_pols;
1652 num_xfrms = xdst->num_xfrms;
1654 for (i = 0; i < num_pols; i++) {
1655 pols[i] = xdst->pols[i];
1656 pol_dead |= pols[i]->walk.dead;
1659 dst_free(&xdst->u.dst);
1667 /* Resolve policies to use if we couldn't get them from
1668 * previous cache entry */
1671 pols[0] = __xfrm_policy_lookup(net, fl, family, dir);
1672 err = xfrm_expand_policies(fl, family, pols,
1673 &num_pols, &num_xfrms);
1679 goto make_dummy_bundle;
1682 new_xdst = xfrm_resolve_and_create_bundle(pols, num_pols, fl, family, dst_orig);
1683 if (IS_ERR(new_xdst)) {
1684 err = PTR_ERR(new_xdst);
1688 goto make_dummy_bundle;
1689 dst_hold(&xdst->u.dst);
1691 } else if (new_xdst == NULL) {
1694 goto make_dummy_bundle;
1695 xdst->num_xfrms = 0;
1696 dst_hold(&xdst->u.dst);
1700 /* Kill the previous bundle */
1702 /* The policies were stolen for newly generated bundle */
1704 dst_free(&xdst->u.dst);
1707 /* Flow cache does not have reference, it dst_free()'s,
1708 * but we do need to return one reference for original caller */
1709 dst_hold(&new_xdst->u.dst);
1710 return &new_xdst->flo;
1713 /* We found policies, but there's no bundles to instantiate:
1714 * either because the policy blocks, has no transformations or
1715 * we could not build template (no xfrm_states).*/
1716 xdst = xfrm_alloc_dst(net, family);
1718 xfrm_pols_put(pols, num_pols);
1719 return ERR_CAST(xdst);
1721 xdst->num_pols = num_pols;
1722 xdst->num_xfrms = num_xfrms;
1723 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
1725 dst_hold(&xdst->u.dst);
1729 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
1732 dst_free(&xdst->u.dst);
1734 xfrm_pols_put(pols, num_pols);
1735 return ERR_PTR(err);
1738 /* Main function: finds/creates a bundle for given flow.
1740 * At the moment we eat a raw IP route. Mostly to speed up lookups
1741 * on interfaces with disabled IPsec.
1743 int __xfrm_lookup(struct net *net, struct dst_entry **dst_p,
1744 const struct flowi *fl,
1745 struct sock *sk, int flags)
1747 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1748 struct flow_cache_object *flo;
1749 struct xfrm_dst *xdst;
1750 struct dst_entry *dst, *dst_orig = *dst_p, *route;
1751 u16 family = dst_orig->ops->family;
1752 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
1753 int i, err, num_pols, num_xfrms = 0, drop_pols = 0;
1760 if (sk && sk->sk_policy[XFRM_POLICY_OUT]) {
1762 pols[0] = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
1763 err = xfrm_expand_policies(fl, family, pols,
1764 &num_pols, &num_xfrms);
1769 if (num_xfrms <= 0) {
1770 drop_pols = num_pols;
1774 xdst = xfrm_resolve_and_create_bundle(
1778 xfrm_pols_put(pols, num_pols);
1779 err = PTR_ERR(xdst);
1781 } else if (xdst == NULL) {
1783 drop_pols = num_pols;
1787 spin_lock_bh(&xfrm_policy_sk_bundle_lock);
1788 xdst->u.dst.next = xfrm_policy_sk_bundles;
1789 xfrm_policy_sk_bundles = &xdst->u.dst;
1790 spin_unlock_bh(&xfrm_policy_sk_bundle_lock);
1792 route = xdst->route;
1797 /* To accelerate a bit... */
1798 if ((dst_orig->flags & DST_NOXFRM) ||
1799 !net->xfrm.policy_count[XFRM_POLICY_OUT])
1802 flo = flow_cache_lookup(net, fl, family, dir,
1803 xfrm_bundle_lookup, dst_orig);
1810 xdst = container_of(flo, struct xfrm_dst, flo);
1812 num_pols = xdst->num_pols;
1813 num_xfrms = xdst->num_xfrms;
1814 memcpy(pols, xdst->pols, sizeof(struct xfrm_policy*) * num_pols);
1815 route = xdst->route;
1819 if (route == NULL && num_xfrms > 0) {
1820 /* The only case when xfrm_bundle_lookup() returns a
1821 * bundle with null route, is when the template could
1822 * not be resolved. It means policies are there, but
1823 * bundle could not be created, since we don't yet
1824 * have the xfrm_state's. We need to wait for KM to
1825 * negotiate new SA's or bail out with error.*/
1826 if (net->xfrm.sysctl_larval_drop) {
1827 /* EREMOTE tells the caller to generate
1828 * a one-shot blackhole route. */
1830 xfrm_pols_put(pols, drop_pols);
1831 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1834 if (flags & XFRM_LOOKUP_WAIT) {
1835 DECLARE_WAITQUEUE(wait, current);
1837 add_wait_queue(&net->xfrm.km_waitq, &wait);
1838 set_current_state(TASK_INTERRUPTIBLE);
1840 set_current_state(TASK_RUNNING);
1841 remove_wait_queue(&net->xfrm.km_waitq, &wait);
1843 if (!signal_pending(current)) {
1852 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1860 if ((flags & XFRM_LOOKUP_ICMP) &&
1861 !(pols[0]->flags & XFRM_POLICY_ICMP)) {
1866 for (i = 0; i < num_pols; i++)
1867 pols[i]->curlft.use_time = get_seconds();
1869 if (num_xfrms < 0) {
1870 /* Prohibit the flow */
1871 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLBLOCK);
1874 } else if (num_xfrms > 0) {
1875 /* Flow transformed */
1877 dst_release(dst_orig);
1879 /* Flow passes untransformed */
1883 xfrm_pols_put(pols, drop_pols);
1887 if (!(flags & XFRM_LOOKUP_ICMP))
1893 dst_release(dst_orig);
1895 xfrm_pols_put(pols, drop_pols);
1898 EXPORT_SYMBOL(__xfrm_lookup);
1900 int xfrm_lookup(struct net *net, struct dst_entry **dst_p,
1901 const struct flowi *fl,
1902 struct sock *sk, int flags)
1904 int err = __xfrm_lookup(net, dst_p, fl, sk, flags);
1906 if (err == -EREMOTE) {
1907 dst_release(*dst_p);
1914 EXPORT_SYMBOL(xfrm_lookup);
1917 xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
1919 struct xfrm_state *x;
1921 if (!skb->sp || idx < 0 || idx >= skb->sp->len)
1923 x = skb->sp->xvec[idx];
1924 if (!x->type->reject)
1926 return x->type->reject(x, skb, fl);
1929 /* When skb is transformed back to its "native" form, we have to
1930 * check policy restrictions. At the moment we make this in maximally
1931 * stupid way. Shame on me. :-) Of course, connected sockets must
1932 * have policy cached at them.
1936 xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
1937 unsigned short family)
1939 if (xfrm_state_kern(x))
1940 return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family);
1941 return x->id.proto == tmpl->id.proto &&
1942 (x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
1943 (x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
1944 x->props.mode == tmpl->mode &&
1945 (tmpl->allalgs || (tmpl->aalgos & (1<<x->props.aalgo)) ||
1946 !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
1947 !(x->props.mode != XFRM_MODE_TRANSPORT &&
1948 xfrm_state_addr_cmp(tmpl, x, family));
1952 * 0 or more than 0 is returned when validation is succeeded (either bypass
1953 * because of optional transport mode, or next index of the mathced secpath
1954 * state with the template.
1955 * -1 is returned when no matching template is found.
1956 * Otherwise "-2 - errored_index" is returned.
1959 xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
1960 unsigned short family)
1964 if (tmpl->optional) {
1965 if (tmpl->mode == XFRM_MODE_TRANSPORT)
1969 for (; idx < sp->len; idx++) {
1970 if (xfrm_state_ok(tmpl, sp->xvec[idx], family))
1972 if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
1981 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1982 unsigned int family, int reverse)
1984 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1987 if (unlikely(afinfo == NULL))
1988 return -EAFNOSUPPORT;
1990 afinfo->decode_session(skb, fl, reverse);
1991 err = security_xfrm_decode_session(skb, &fl->secid);
1992 xfrm_policy_put_afinfo(afinfo);
1995 EXPORT_SYMBOL(__xfrm_decode_session);
1997 static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp)
1999 for (; k < sp->len; k++) {
2000 if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
2009 int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
2010 unsigned short family)
2012 struct net *net = dev_net(skb->dev);
2013 struct xfrm_policy *pol;
2014 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
2023 reverse = dir & ~XFRM_POLICY_MASK;
2024 dir &= XFRM_POLICY_MASK;
2025 fl_dir = policy_to_flow_dir(dir);
2027 if (__xfrm_decode_session(skb, &fl, family, reverse) < 0) {
2028 XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
2032 nf_nat_decode_session(skb, &fl, family);
2034 /* First, check used SA against their selectors. */
2038 for (i=skb->sp->len-1; i>=0; i--) {
2039 struct xfrm_state *x = skb->sp->xvec[i];
2040 if (!xfrm_selector_match(&x->sel, &fl, family)) {
2041 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH);
2048 if (sk && sk->sk_policy[dir]) {
2049 pol = xfrm_sk_policy_lookup(sk, dir, &fl);
2051 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
2057 struct flow_cache_object *flo;
2059 flo = flow_cache_lookup(net, &fl, family, fl_dir,
2060 xfrm_policy_lookup, NULL);
2061 if (IS_ERR_OR_NULL(flo))
2062 pol = ERR_CAST(flo);
2064 pol = container_of(flo, struct xfrm_policy, flo);
2068 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
2073 if (skb->sp && secpath_has_nontransport(skb->sp, 0, &xerr_idx)) {
2074 xfrm_secpath_reject(xerr_idx, skb, &fl);
2075 XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
2081 pol->curlft.use_time = get_seconds();
2085 #ifdef CONFIG_XFRM_SUB_POLICY
2086 if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
2087 pols[1] = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN,
2091 if (IS_ERR(pols[1])) {
2092 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
2095 pols[1]->curlft.use_time = get_seconds();
2101 if (pol->action == XFRM_POLICY_ALLOW) {
2102 struct sec_path *sp;
2103 static struct sec_path dummy;
2104 struct xfrm_tmpl *tp[XFRM_MAX_DEPTH];
2105 struct xfrm_tmpl *stp[XFRM_MAX_DEPTH];
2106 struct xfrm_tmpl **tpp = tp;
2110 if ((sp = skb->sp) == NULL)
2113 for (pi = 0; pi < npols; pi++) {
2114 if (pols[pi] != pol &&
2115 pols[pi]->action != XFRM_POLICY_ALLOW) {
2116 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
2119 if (ti + pols[pi]->xfrm_nr >= XFRM_MAX_DEPTH) {
2120 XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
2123 for (i = 0; i < pols[pi]->xfrm_nr; i++)
2124 tpp[ti++] = &pols[pi]->xfrm_vec[i];
2128 xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
2132 /* For each tunnel xfrm, find the first matching tmpl.
2133 * For each tmpl before that, find corresponding xfrm.
2134 * Order is _important_. Later we will implement
2135 * some barriers, but at the moment barriers
2136 * are implied between each two transformations.
2138 for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
2139 k = xfrm_policy_ok(tpp[i], sp, k, family);
2142 /* "-2 - errored_index" returned */
2144 XFRM_INC_STATS(net, LINUX_MIB_XFRMINTMPLMISMATCH);
2149 if (secpath_has_nontransport(sp, k, &xerr_idx)) {
2150 XFRM_INC_STATS(net, LINUX_MIB_XFRMINTMPLMISMATCH);
2154 xfrm_pols_put(pols, npols);
2157 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
2160 xfrm_secpath_reject(xerr_idx, skb, &fl);
2162 xfrm_pols_put(pols, npols);
2165 EXPORT_SYMBOL(__xfrm_policy_check);
2167 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
2169 struct net *net = dev_net(skb->dev);
2171 struct dst_entry *dst;
2174 if (xfrm_decode_session(skb, &fl, family) < 0) {
2175 XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
2182 res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0;
2183 skb_dst_set(skb, dst);
2186 EXPORT_SYMBOL(__xfrm_route_forward);
2188 /* Optimize later using cookies and generation ids. */
2190 static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
2192 /* Code (such as __xfrm4_bundle_create()) sets dst->obsolete
2193 * to "-1" to force all XFRM destinations to get validated by
2194 * dst_ops->check on every use. We do this because when a
2195 * normal route referenced by an XFRM dst is obsoleted we do
2196 * not go looking around for all parent referencing XFRM dsts
2197 * so that we can invalidate them. It is just too much work.
2198 * Instead we make the checks here on every use. For example:
2200 * XFRM dst A --> IPv4 dst X
2202 * X is the "xdst->route" of A (X is also the "dst->path" of A
2203 * in this example). If X is marked obsolete, "A" will not
2204 * notice. That's what we are validating here via the
2205 * stale_bundle() check.
2207 * When a policy's bundle is pruned, we dst_free() the XFRM
2208 * dst which causes it's ->obsolete field to be set to a
2209 * positive non-zero integer. If an XFRM dst has been pruned
2210 * like this, we want to force a new route lookup.
2212 if (dst->obsolete < 0 && !stale_bundle(dst))
2218 static int stale_bundle(struct dst_entry *dst)
2220 return !xfrm_bundle_ok(NULL, (struct xfrm_dst *)dst, NULL, AF_UNSPEC);
2223 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
2225 while ((dst = dst->child) && dst->xfrm && dst->dev == dev) {
2226 dst->dev = dev_net(dev)->loopback_dev;
2231 EXPORT_SYMBOL(xfrm_dst_ifdown);
2233 static void xfrm_link_failure(struct sk_buff *skb)
2235 /* Impossible. Such dst must be popped before reaches point of failure. */
2238 static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
2241 if (dst->obsolete) {
2249 static void __xfrm_garbage_collect(struct net *net)
2251 struct dst_entry *head, *next;
2255 spin_lock_bh(&xfrm_policy_sk_bundle_lock);
2256 head = xfrm_policy_sk_bundles;
2257 xfrm_policy_sk_bundles = NULL;
2258 spin_unlock_bh(&xfrm_policy_sk_bundle_lock);
2267 static void xfrm_init_pmtu(struct dst_entry *dst)
2270 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
2271 u32 pmtu, route_mtu_cached;
2273 pmtu = dst_mtu(dst->child);
2274 xdst->child_mtu_cached = pmtu;
2276 pmtu = xfrm_state_mtu(dst->xfrm, pmtu);
2278 route_mtu_cached = dst_mtu(xdst->route);
2279 xdst->route_mtu_cached = route_mtu_cached;
2281 if (pmtu > route_mtu_cached)
2282 pmtu = route_mtu_cached;
2284 dst_metric_set(dst, RTAX_MTU, pmtu);
2285 } while ((dst = dst->next));
2288 /* Check that the bundle accepts the flow and its components are
2292 static int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
2293 const struct flowi *fl, int family)
2295 struct dst_entry *dst = &first->u.dst;
2296 struct xfrm_dst *last;
2299 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
2300 (dst->dev && !netif_running(dst->dev)))
2302 #ifdef CONFIG_XFRM_SUB_POLICY
2304 if (first->origin && !flow_cache_uli_match(first->origin, fl))
2306 if (first->partner &&
2307 !xfrm_selector_match(first->partner, fl, family))
2315 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
2317 if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
2320 !security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl))
2322 if (dst->xfrm->km.state != XFRM_STATE_VALID)
2324 if (xdst->xfrm_genid != dst->xfrm->genid)
2326 if (xdst->num_pols > 0 &&
2327 xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
2330 mtu = dst_mtu(dst->child);
2331 if (xdst->child_mtu_cached != mtu) {
2333 xdst->child_mtu_cached = mtu;
2336 if (!dst_check(xdst->route, xdst->route_cookie))
2338 mtu = dst_mtu(xdst->route);
2339 if (xdst->route_mtu_cached != mtu) {
2341 xdst->route_mtu_cached = mtu;
2345 } while (dst->xfrm);
2350 mtu = last->child_mtu_cached;
2354 mtu = xfrm_state_mtu(dst->xfrm, mtu);
2355 if (mtu > last->route_mtu_cached)
2356 mtu = last->route_mtu_cached;
2357 dst_metric_set(dst, RTAX_MTU, mtu);
2362 last = (struct xfrm_dst *)last->u.dst.next;
2363 last->child_mtu_cached = mtu;
2369 static unsigned int xfrm_default_advmss(const struct dst_entry *dst)
2371 return dst_metric_advmss(dst->path);
2374 static unsigned int xfrm_default_mtu(const struct dst_entry *dst)
2376 return dst_mtu(dst->path);
2379 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
2383 if (unlikely(afinfo == NULL))
2385 if (unlikely(afinfo->family >= NPROTO))
2386 return -EAFNOSUPPORT;
2387 write_lock_bh(&xfrm_policy_afinfo_lock);
2388 if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL))
2391 struct dst_ops *dst_ops = afinfo->dst_ops;
2392 if (likely(dst_ops->kmem_cachep == NULL))
2393 dst_ops->kmem_cachep = xfrm_dst_cache;
2394 if (likely(dst_ops->check == NULL))
2395 dst_ops->check = xfrm_dst_check;
2396 if (likely(dst_ops->default_advmss == NULL))
2397 dst_ops->default_advmss = xfrm_default_advmss;
2398 if (likely(dst_ops->default_mtu == NULL))
2399 dst_ops->default_mtu = xfrm_default_mtu;
2400 if (likely(dst_ops->negative_advice == NULL))
2401 dst_ops->negative_advice = xfrm_negative_advice;
2402 if (likely(dst_ops->link_failure == NULL))
2403 dst_ops->link_failure = xfrm_link_failure;
2404 if (likely(afinfo->garbage_collect == NULL))
2405 afinfo->garbage_collect = __xfrm_garbage_collect;
2406 xfrm_policy_afinfo[afinfo->family] = afinfo;
2408 write_unlock_bh(&xfrm_policy_afinfo_lock);
2412 struct dst_ops *xfrm_dst_ops;
2414 switch (afinfo->family) {
2416 xfrm_dst_ops = &net->xfrm.xfrm4_dst_ops;
2418 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2420 xfrm_dst_ops = &net->xfrm.xfrm6_dst_ops;
2426 *xfrm_dst_ops = *afinfo->dst_ops;
2432 EXPORT_SYMBOL(xfrm_policy_register_afinfo);
2434 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
2437 if (unlikely(afinfo == NULL))
2439 if (unlikely(afinfo->family >= NPROTO))
2440 return -EAFNOSUPPORT;
2441 write_lock_bh(&xfrm_policy_afinfo_lock);
2442 if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) {
2443 if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo))
2446 struct dst_ops *dst_ops = afinfo->dst_ops;
2447 xfrm_policy_afinfo[afinfo->family] = NULL;
2448 dst_ops->kmem_cachep = NULL;
2449 dst_ops->check = NULL;
2450 dst_ops->negative_advice = NULL;
2451 dst_ops->link_failure = NULL;
2452 afinfo->garbage_collect = NULL;
2455 write_unlock_bh(&xfrm_policy_afinfo_lock);
2458 EXPORT_SYMBOL(xfrm_policy_unregister_afinfo);
2460 static void __net_init xfrm_dst_ops_init(struct net *net)
2462 struct xfrm_policy_afinfo *afinfo;
2464 read_lock_bh(&xfrm_policy_afinfo_lock);
2465 afinfo = xfrm_policy_afinfo[AF_INET];
2467 net->xfrm.xfrm4_dst_ops = *afinfo->dst_ops;
2468 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2469 afinfo = xfrm_policy_afinfo[AF_INET6];
2471 net->xfrm.xfrm6_dst_ops = *afinfo->dst_ops;
2473 read_unlock_bh(&xfrm_policy_afinfo_lock);
2476 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)
2478 struct xfrm_policy_afinfo *afinfo;
2479 if (unlikely(family >= NPROTO))
2481 read_lock(&xfrm_policy_afinfo_lock);
2482 afinfo = xfrm_policy_afinfo[family];
2483 if (unlikely(!afinfo))
2484 read_unlock(&xfrm_policy_afinfo_lock);
2488 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo)
2490 read_unlock(&xfrm_policy_afinfo_lock);
2493 static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr)
2495 struct net_device *dev = ptr;
2499 __xfrm_garbage_collect(dev_net(dev));
2504 static struct notifier_block xfrm_dev_notifier = {
2505 .notifier_call = xfrm_dev_event,
2508 #ifdef CONFIG_XFRM_STATISTICS
2509 static int __net_init xfrm_statistics_init(struct net *net)
2513 if (snmp_mib_init((void __percpu **)net->mib.xfrm_statistics,
2514 sizeof(struct linux_xfrm_mib),
2515 __alignof__(struct linux_xfrm_mib)) < 0)
2517 rv = xfrm_proc_init(net);
2519 snmp_mib_free((void __percpu **)net->mib.xfrm_statistics);
2523 static void xfrm_statistics_fini(struct net *net)
2525 xfrm_proc_fini(net);
2526 snmp_mib_free((void __percpu **)net->mib.xfrm_statistics);
2529 static int __net_init xfrm_statistics_init(struct net *net)
2534 static void xfrm_statistics_fini(struct net *net)
2539 static int __net_init xfrm_policy_init(struct net *net)
2541 unsigned int hmask, sz;
2544 if (net_eq(net, &init_net))
2545 xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache",
2546 sizeof(struct xfrm_dst),
2547 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC,
2551 sz = (hmask+1) * sizeof(struct hlist_head);
2553 net->xfrm.policy_byidx = xfrm_hash_alloc(sz);
2554 if (!net->xfrm.policy_byidx)
2556 net->xfrm.policy_idx_hmask = hmask;
2558 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
2559 struct xfrm_policy_hash *htab;
2561 net->xfrm.policy_count[dir] = 0;
2562 INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]);
2564 htab = &net->xfrm.policy_bydst[dir];
2565 htab->table = xfrm_hash_alloc(sz);
2568 htab->hmask = hmask;
2571 INIT_LIST_HEAD(&net->xfrm.policy_all);
2572 INIT_WORK(&net->xfrm.policy_hash_work, xfrm_hash_resize);
2573 if (net_eq(net, &init_net))
2574 register_netdevice_notifier(&xfrm_dev_notifier);
2578 for (dir--; dir >= 0; dir--) {
2579 struct xfrm_policy_hash *htab;
2581 htab = &net->xfrm.policy_bydst[dir];
2582 xfrm_hash_free(htab->table, sz);
2584 xfrm_hash_free(net->xfrm.policy_byidx, sz);
2589 static void xfrm_policy_fini(struct net *net)
2591 struct xfrm_audit audit_info;
2595 flush_work(&net->xfrm.policy_hash_work);
2596 #ifdef CONFIG_XFRM_SUB_POLICY
2597 audit_info.loginuid = -1;
2598 audit_info.sessionid = -1;
2599 audit_info.secid = 0;
2600 xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info);
2602 audit_info.loginuid = -1;
2603 audit_info.sessionid = -1;
2604 audit_info.secid = 0;
2605 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
2607 WARN_ON(!list_empty(&net->xfrm.policy_all));
2609 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
2610 struct xfrm_policy_hash *htab;
2612 WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir]));
2614 htab = &net->xfrm.policy_bydst[dir];
2615 sz = (htab->hmask + 1);
2616 WARN_ON(!hlist_empty(htab->table));
2617 xfrm_hash_free(htab->table, sz);
2620 sz = (net->xfrm.policy_idx_hmask + 1) * sizeof(struct hlist_head);
2621 WARN_ON(!hlist_empty(net->xfrm.policy_byidx));
2622 xfrm_hash_free(net->xfrm.policy_byidx, sz);
2625 static int __net_init xfrm_net_init(struct net *net)
2629 rv = xfrm_statistics_init(net);
2631 goto out_statistics;
2632 rv = xfrm_state_init(net);
2635 rv = xfrm_policy_init(net);
2638 xfrm_dst_ops_init(net);
2639 rv = xfrm_sysctl_init(net);
2645 xfrm_policy_fini(net);
2647 xfrm_state_fini(net);
2649 xfrm_statistics_fini(net);
2654 static void __net_exit xfrm_net_exit(struct net *net)
2656 xfrm_sysctl_fini(net);
2657 xfrm_policy_fini(net);
2658 xfrm_state_fini(net);
2659 xfrm_statistics_fini(net);
2662 static struct pernet_operations __net_initdata xfrm_net_ops = {
2663 .init = xfrm_net_init,
2664 .exit = xfrm_net_exit,
2667 void __init xfrm_init(void)
2669 register_pernet_subsys(&xfrm_net_ops);
2673 #ifdef CONFIG_AUDITSYSCALL
2674 static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
2675 struct audit_buffer *audit_buf)
2677 struct xfrm_sec_ctx *ctx = xp->security;
2678 struct xfrm_selector *sel = &xp->selector;
2681 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2682 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
2684 switch(sel->family) {
2686 audit_log_format(audit_buf, " src=%pI4", &sel->saddr.a4);
2687 if (sel->prefixlen_s != 32)
2688 audit_log_format(audit_buf, " src_prefixlen=%d",
2690 audit_log_format(audit_buf, " dst=%pI4", &sel->daddr.a4);
2691 if (sel->prefixlen_d != 32)
2692 audit_log_format(audit_buf, " dst_prefixlen=%d",
2696 audit_log_format(audit_buf, " src=%pI6", sel->saddr.a6);
2697 if (sel->prefixlen_s != 128)
2698 audit_log_format(audit_buf, " src_prefixlen=%d",
2700 audit_log_format(audit_buf, " dst=%pI6", sel->daddr.a6);
2701 if (sel->prefixlen_d != 128)
2702 audit_log_format(audit_buf, " dst_prefixlen=%d",
2708 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
2709 uid_t auid, u32 sessionid, u32 secid)
2711 struct audit_buffer *audit_buf;
2713 audit_buf = xfrm_audit_start("SPD-add");
2714 if (audit_buf == NULL)
2716 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2717 audit_log_format(audit_buf, " res=%u", result);
2718 xfrm_audit_common_policyinfo(xp, audit_buf);
2719 audit_log_end(audit_buf);
2721 EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
2723 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
2724 uid_t auid, u32 sessionid, u32 secid)
2726 struct audit_buffer *audit_buf;
2728 audit_buf = xfrm_audit_start("SPD-delete");
2729 if (audit_buf == NULL)
2731 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2732 audit_log_format(audit_buf, " res=%u", result);
2733 xfrm_audit_common_policyinfo(xp, audit_buf);
2734 audit_log_end(audit_buf);
2736 EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
2739 #ifdef CONFIG_XFRM_MIGRATE
2740 static int xfrm_migrate_selector_match(const struct xfrm_selector *sel_cmp,
2741 const struct xfrm_selector *sel_tgt)
2743 if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
2744 if (sel_tgt->family == sel_cmp->family &&
2745 xfrm_addr_cmp(&sel_tgt->daddr, &sel_cmp->daddr,
2746 sel_cmp->family) == 0 &&
2747 xfrm_addr_cmp(&sel_tgt->saddr, &sel_cmp->saddr,
2748 sel_cmp->family) == 0 &&
2749 sel_tgt->prefixlen_d == sel_cmp->prefixlen_d &&
2750 sel_tgt->prefixlen_s == sel_cmp->prefixlen_s) {
2754 if (memcmp(sel_tgt, sel_cmp, sizeof(*sel_tgt)) == 0) {
2761 static struct xfrm_policy * xfrm_migrate_policy_find(const struct xfrm_selector *sel,
2764 struct xfrm_policy *pol, *ret = NULL;
2765 struct hlist_node *entry;
2766 struct hlist_head *chain;
2769 read_lock_bh(&xfrm_policy_lock);
2770 chain = policy_hash_direct(&init_net, &sel->daddr, &sel->saddr, sel->family, dir);
2771 hlist_for_each_entry(pol, entry, chain, bydst) {
2772 if (xfrm_migrate_selector_match(sel, &pol->selector) &&
2773 pol->type == type) {
2775 priority = ret->priority;
2779 chain = &init_net.xfrm.policy_inexact[dir];
2780 hlist_for_each_entry(pol, entry, chain, bydst) {
2781 if (xfrm_migrate_selector_match(sel, &pol->selector) &&
2782 pol->type == type &&
2783 pol->priority < priority) {
2792 read_unlock_bh(&xfrm_policy_lock);
2797 static int migrate_tmpl_match(const struct xfrm_migrate *m, const struct xfrm_tmpl *t)
2801 if (t->mode == m->mode && t->id.proto == m->proto &&
2802 (m->reqid == 0 || t->reqid == m->reqid)) {
2804 case XFRM_MODE_TUNNEL:
2805 case XFRM_MODE_BEET:
2806 if (xfrm_addr_cmp(&t->id.daddr, &m->old_daddr,
2807 m->old_family) == 0 &&
2808 xfrm_addr_cmp(&t->saddr, &m->old_saddr,
2809 m->old_family) == 0) {
2813 case XFRM_MODE_TRANSPORT:
2814 /* in case of transport mode, template does not store
2815 any IP addresses, hence we just compare mode and
2826 /* update endpoint address(es) of template(s) */
2827 static int xfrm_policy_migrate(struct xfrm_policy *pol,
2828 struct xfrm_migrate *m, int num_migrate)
2830 struct xfrm_migrate *mp;
2833 write_lock_bh(&pol->lock);
2834 if (unlikely(pol->walk.dead)) {
2835 /* target policy has been deleted */
2836 write_unlock_bh(&pol->lock);
2840 for (i = 0; i < pol->xfrm_nr; i++) {
2841 for (j = 0, mp = m; j < num_migrate; j++, mp++) {
2842 if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i]))
2845 if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL &&
2846 pol->xfrm_vec[i].mode != XFRM_MODE_BEET)
2848 /* update endpoints */
2849 memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr,
2850 sizeof(pol->xfrm_vec[i].id.daddr));
2851 memcpy(&pol->xfrm_vec[i].saddr, &mp->new_saddr,
2852 sizeof(pol->xfrm_vec[i].saddr));
2853 pol->xfrm_vec[i].encap_family = mp->new_family;
2855 atomic_inc(&pol->genid);
2859 write_unlock_bh(&pol->lock);
2867 static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate)
2871 if (num_migrate < 1 || num_migrate > XFRM_MAX_DEPTH)
2874 for (i = 0; i < num_migrate; i++) {
2875 if ((xfrm_addr_cmp(&m[i].old_daddr, &m[i].new_daddr,
2876 m[i].old_family) == 0) &&
2877 (xfrm_addr_cmp(&m[i].old_saddr, &m[i].new_saddr,
2878 m[i].old_family) == 0))
2880 if (xfrm_addr_any(&m[i].new_daddr, m[i].new_family) ||
2881 xfrm_addr_any(&m[i].new_saddr, m[i].new_family))
2884 /* check if there is any duplicated entry */
2885 for (j = i + 1; j < num_migrate; j++) {
2886 if (!memcmp(&m[i].old_daddr, &m[j].old_daddr,
2887 sizeof(m[i].old_daddr)) &&
2888 !memcmp(&m[i].old_saddr, &m[j].old_saddr,
2889 sizeof(m[i].old_saddr)) &&
2890 m[i].proto == m[j].proto &&
2891 m[i].mode == m[j].mode &&
2892 m[i].reqid == m[j].reqid &&
2893 m[i].old_family == m[j].old_family)
2901 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
2902 struct xfrm_migrate *m, int num_migrate,
2903 struct xfrm_kmaddress *k)
2905 int i, err, nx_cur = 0, nx_new = 0;
2906 struct xfrm_policy *pol = NULL;
2907 struct xfrm_state *x, *xc;
2908 struct xfrm_state *x_cur[XFRM_MAX_DEPTH];
2909 struct xfrm_state *x_new[XFRM_MAX_DEPTH];
2910 struct xfrm_migrate *mp;
2912 if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
2915 /* Stage 1 - find policy */
2916 if ((pol = xfrm_migrate_policy_find(sel, dir, type)) == NULL) {
2921 /* Stage 2 - find and update state(s) */
2922 for (i = 0, mp = m; i < num_migrate; i++, mp++) {
2923 if ((x = xfrm_migrate_state_find(mp))) {
2926 if ((xc = xfrm_state_migrate(x, mp))) {
2936 /* Stage 3 - update policy */
2937 if ((err = xfrm_policy_migrate(pol, m, num_migrate)) < 0)
2940 /* Stage 4 - delete old state(s) */
2942 xfrm_states_put(x_cur, nx_cur);
2943 xfrm_states_delete(x_cur, nx_cur);
2946 /* Stage 5 - announce */
2947 km_migrate(sel, dir, type, m, num_migrate, k);
2959 xfrm_states_put(x_cur, nx_cur);
2961 xfrm_states_delete(x_new, nx_new);
2965 EXPORT_SYMBOL(xfrm_migrate);
Code Review / linux-2.6.git / blob