projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
block: add bio_start_io_acct_time() to control start_time
[linux-2.6-block.git] / include / net / xfrm.h
CommitLineData
b2441318 1/* SPDX-License-Identifier: GPL-2.0 */
1da177e4
LT		 2#ifndef _NET_XFRM_H
3#define _NET_XFRM_H
4
aabc9761 5#include <linux/compiler.h>
1da177e4
LT		 6#include <linux/xfrm.h>
7#include <linux/spinlock.h>
8#include <linux/list.h>
9#include <linux/skbuff.h>
14c85021 10#include <linux/socket.h>
1da177e4 11#include <linux/pfkeyv2.h>
5794708f 12#include <linux/ipsec.h>
1da177e4 13#include <linux/in6.h>
4a3e2f71 14#include <linux/mutex.h>
ab5f5e8b 15#include <linux/audit.h>
5a0e3ad6 16#include <linux/slab.h>
88755e9c 17#include <linux/refcount.h>
c6d1b26a 18#include <linux/sockptr.h>
1da177e4
LT		 19
20#include <net/sock.h>
21#include <net/dst.h>
436a0a40 22#include <net/ip.h>
1da177e4
LT		 23#include <net/route.h>
24#include <net/ipv6.h>
25#include <net/ip6_fib.h>
fe1a5f03 26#include <net/flow.h>
f203b76d 27#include <net/gro_cells.h>
9e0d57fd
YP		 28
29#include <linux/interrupt.h>
30
558f82ef
MN		 31#ifdef CONFIG_XFRM_STATISTICS
32#include <net/snmp.h>
33#endif
1da177e4 34
d3d6dd3a
MN		 35#define XFRM_PROTO_ESP 50
36#define XFRM_PROTO_AH 51
37#define XFRM_PROTO_COMP 108
38#define XFRM_PROTO_IPIP 4
39#define XFRM_PROTO_IPV6 41
40#define XFRM_PROTO_ROUTING IPPROTO_ROUTING
41#define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS
42
fa9921e4 43#define XFRM_ALIGN4(len) (((len) + 3) & ~3)
1da177e4 44#define XFRM_ALIGN8(len) (((len) + 7) & ~7)
b59f45d0
HX		 45#define MODULE_ALIAS_XFRM_MODE(family, encap) \
46 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
d3d6dd3a
MN		 47#define MODULE_ALIAS_XFRM_TYPE(family, proto) \
48 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
ffdb5211
IT		 49#define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \
50 MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto))
1da177e4 51
558f82ef 52#ifdef CONFIG_XFRM_STATISTICS
59c9940e 53#define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
558f82ef 54#else
59c9940e 55#define XFRM_INC_STATS(net, field) ((void)(net))
558f82ef
MN		 56#endif
57
1da177e4
LT		 58
59/* Organization of SPD aka "XFRM rules"
60 ------------------------------------
61
62 Basic objects:
63 - policy rule, struct xfrm_policy (=SPD entry)
64 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
65 - instance of a transformer, struct xfrm_state (=SA)
66 - template to clone xfrm_state, struct xfrm_tmpl
67
68 SPD is plain linear list of xfrm_policy rules, ordered by priority.
69 (To be compatible with existing pfkeyv2 implementations,
70 many rules with priority of 0x7fffffff are allowed to exist and
71 such rules are ordered in an unpredictable way, thanks to bsd folks.)
72
73 Lookup is plain linear search until the first match with selector.
74
75 If "action" is "block", then we prohibit the flow, otherwise:
76 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
77 policy entry has list of up to XFRM_MAX_DEPTH transformations,
78 described by templates xfrm_tmpl. Each template is resolved
79 to a complete xfrm_state (see below) and we pack bundle of transformations
80 to a dst_entry returned to requestor.
81
82 dst -. xfrm .-> xfrm_state #1
83 |---. child .-> dst -. xfrm .-> xfrm_state #2
84 |---. child .-> dst -. xfrm .-> xfrm_state #3
85 |---. child .-> NULL
86
87 Bundles are cached at xrfm_policy struct (field ->bundles).
88
89
90 Resolution of xrfm_tmpl
91 -----------------------
92 Template contains:
93 1. ->mode Mode: transport or tunnel
94 2. ->id.proto Protocol: AH/ESP/IPCOMP
95 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
96 Q: allow to resolve security gateway?
97 4. ->id.spi If not zero, static SPI.
98 5. ->saddr Local tunnel endpoint, ignored for transport mode.
99 6. ->algos List of allowed algos. Plain bitmask now.
100 Q: ealgos, aalgos, calgos. What a mess...
101 7. ->share Sharing mode.
102 Q: how to implement private sharing mode? To add struct sock* to
103 flow id?
104
105 Having this template we search through SAD searching for entries
106 with appropriate mode/proto/algo, permitted by selector.
107 If no appropriate entry found, it is requested from key manager.
108
109 PROBLEMS:
110 Q: How to find all the bundles referring to a physical path for
111 PMTU discovery? Seems, dst should contain list of all parents...
112 and enter to infinite locking hierarchy disaster.
113 No! It is easier, we will not search for them, let them find us.
114 We add genid to each dst plus pointer to genid of raw IP route,
115 pmtu disc will update pmtu on raw IP route and increase its genid.
116 dst_check() will see this for top level and trigger resyncing
117 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
118 */
119
12a169e7
HX		 120struct xfrm_state_walk {
121 struct list_head all;
122 u8 state;
d3623099
ND		 123 u8 dying;
124 u8 proto;
12a169e7 125 u32 seq;
870a2df4 126 struct xfrm_address_filter *filter;
12a169e7
HX		 127};
128
d77e38e6
SK		 129struct xfrm_state_offload {
130 struct net_device *dev;
e1b539bd 131 netdevice_tracker dev_tracker;
bdfd2d1f 132 struct net_device *real_dev;
d77e38e6
SK		 133 unsigned long offload_handle;
134 unsigned int num_exthdrs;
135 u8 flags;
136};
137
c9500d7b
FW		 138struct xfrm_mode {
139 u8 encap;
140 u8 family;
141 u8 flags;
142};
143
144/* Flags for xfrm_mode. */
145enum {
146 XFRM_MODE_FLAG_TUNNEL = 1,
147};
148
cfc61c59
FW		 149enum xfrm_replay_mode {
150 XFRM_REPLAY_MODE_LEGACY,
151 XFRM_REPLAY_MODE_BMP,
152 XFRM_REPLAY_MODE_ESN,
153};
154
1da177e4 155/* Full description of state of transformer. */
fd2c3ef7 156struct xfrm_state {
0c5c9fb5 157 possible_net_t xs_net;
abb81c4f 158 union {
12a169e7 159 struct hlist_node gclist;
abb81c4f
HX		 160 struct hlist_node bydst;
161 };
8f126e37
DM		 162 struct hlist_node bysrc;
163 struct hlist_node byspi;
fe9f1d87 164 struct hlist_node byseq;
1da177e4 165
88755e9c 166 refcount_t refcnt;
1da177e4
LT		 167 spinlock_t lock;
168
169 struct xfrm_id id;
170 struct xfrm_selector sel;
bf825f81 171 struct xfrm_mark mark;
7e652640 172 u32 if_id;
35d2856b 173 u32 tfcpad;
1da177e4 174
9d4a706d
DM		 175 u32 genid;
176
12a169e7
HX		 177 /* Key manager bits */
178 struct xfrm_state_walk km;
1da177e4
LT		 179
180 /* Parameters of this state. */
181 struct {
182 u32 reqid;
183 u8 mode;
184 u8 replay_window;
185 u8 aalgo, ealgo, calgo;
186 u8 flags;
187 u16 family;
188 xfrm_address_t saddr;
189 int header_len;
190 int trailer_len;
a947b0a9 191 u32 extra_flags;
9b42c1f1 192 struct xfrm_mark smark;
1da177e4
LT		 193 } props;
194
195 struct xfrm_lifetime_cfg lft;
196
197 /* Data for transformer */
4447bb33 198 struct xfrm_algo_auth *aalg;
1da177e4
LT		 199 struct xfrm_algo *ealg;
200 struct xfrm_algo *calg;
1a6509d9 201 struct xfrm_algo_aead *aead;
69b0137f 202 const char *geniv;
1da177e4 203
4e484b3e
AA		 204 /* mapping change rate limiting */
205 __be16 new_mapping_sport;
206 u32 new_mapping; /* seconds */
207 u32 mapping_maxage; /* seconds for input SA */
208
1da177e4
LT		 209 /* Data for encapsulator */
210 struct xfrm_encap_tmpl *encap;
e27cca96 211 struct sock __rcu *encap_sk;
1da177e4 212
060f02a3
NT		 213 /* Data for care-of address */
214 xfrm_address_t *coaddr;
215
1da177e4
LT		 216 /* IPComp needs an IPIP tunnel for handling uncompressed packets */
217 struct xfrm_state *tunnel;
218
219 /* If a tunnel, number of users + 1 */
220 atomic_t tunnel_users;
221
222 /* State for replay detection */
223 struct xfrm_replay_state replay;
9736acf3 224 struct xfrm_replay_state_esn *replay_esn;
1da177e4 225
f8cd5488
JHS		 226 /* Replay detection state at the time we sent the last notification */
227 struct xfrm_replay_state preplay;
9736acf3 228 struct xfrm_replay_state_esn *preplay_esn;
f8cd5488 229
cfc61c59
FW		 230 /* replay detection mode */
231 enum xfrm_replay_mode repl_mode;
2717096a
JHS		 232 /* internal flag that only holds state for delayed aevent at the
233 * moment
234 */
235 u32 xflags;
236
f8cd5488
JHS		 237 /* Replay detection notification settings */
238 u32 replay_maxage;
239 u32 replay_maxdiff;
240
241 /* Replay detection notification timer */
242 struct timer_list rtimer;
243
1da177e4
LT		 244 /* Statistics */
245 struct xfrm_stats stats;
246
247 struct xfrm_lifetime_cur curlft;
671422b2 248 struct hrtimer mtimer;
1da177e4 249
d77e38e6
SK		 250 struct xfrm_state_offload xso;
251
e3c0d047
FD		 252 /* used to fix curlft->add_time when changing date */
253 long saved_tmo;
254
9afaca05 255 /* Last used time */
03dc7a35 256 time64_t lastused;
9afaca05 257
cac2661c
SK		 258 struct page_frag xfrag;
259
1da177e4
LT		 260 /* Reference to data common to all the instances of this
261 * transformer. */
533cb5b0 262 const struct xfrm_type *type;
c9500d7b
FW		 263 struct xfrm_mode inner_mode;
264 struct xfrm_mode inner_mode_iaf;
265 struct xfrm_mode outer_mode;
1da177e4 266
9d389d7f
SK		 267 const struct xfrm_type_offload *type_offload;
268
df71837d
TJ		 269 /* Security context */
270 struct xfrm_sec_ctx *security;
271
1da177e4
LT		 272 /* Private data of this transformer, format is opaque,
273 * interpreted by xfrm_type methods. */
274 void *data;
275};
276
673c09be
AD		 277static inline struct net *xs_net(struct xfrm_state *x)
278{
279 return read_pnet(&x->xs_net);
280}
281
2717096a
JHS		 282/* xflags - make enum if more show up */
283#define XFRM_TIME_DEFER 1
e3c0d047 284#define XFRM_SOFT_EXPIRE 2
2717096a 285
1da177e4
LT		 286enum {
287 XFRM_STATE_VOID,
288 XFRM_STATE_ACQ,
289 XFRM_STATE_VALID,
290 XFRM_STATE_ERROR,
291 XFRM_STATE_EXPIRED,
292 XFRM_STATE_DEAD
293};
294
26b15dad 295/* callback structure passed from either netlink or pfkey */
fd2c3ef7 296struct km_event {
bf08867f
HX		 297 union {
298 u32 hard;
299 u32 proto;
300 u32 byid;
f8cd5488 301 u32 aevent;
f7b6983f 302 u32 type;
bf08867f
HX		 303 } data;
304
26b15dad 305 u32 seq;
15e47304 306 u32 portid;
26b15dad 307 u32 event;
7067802e 308 struct net *net;
26b15dad
JHS		 309};
310
f203b76d 311struct xfrm_if_cb {
025c65e1
MW		 312 struct xfrm_if *(*decode_session)(struct sk_buff *skb,
313 unsigned short family);
f203b76d
SK		 314};
315
316void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb);
317void xfrm_if_unregister_cb(void);
318
25ee3286 319struct net_device;
1da177e4
LT		 320struct xfrm_type;
321struct xfrm_dst;
322struct xfrm_policy_afinfo {
1da177e4 323 struct dst_ops *dst_ops;
42a7b32b
DA		 324 struct dst_entry *(*dst_lookup)(struct net *net,
325 int tos, int oif,
5e6b930f 326 const xfrm_address_t *saddr,
077fbac4
LC		 327 const xfrm_address_t *daddr,
328 u32 mark);
42a7b32b
DA		 329 int (*get_saddr)(struct net *net, int oif,
330 xfrm_address_t *saddr,
077fbac4
LC		 331 xfrm_address_t *daddr,
332 u32 mark);
25ee3286 333 int (*fill_dst)(struct xfrm_dst *xdst,
87c1e12b 334 struct net_device *dev,
0c7b3eef 335 const struct flowi *fl);
2774c131 336 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
1da177e4
LT		 337};
338
a2817d8b
FW		 339int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family);
340void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo);
d511337a
JP		 341void km_policy_notify(struct xfrm_policy *xp, int dir,
342 const struct km_event *c);
343void km_state_notify(struct xfrm_state *x, const struct km_event *c);
1da177e4
LT		 344
345struct xfrm_tmpl;
d511337a
JP		 346int km_query(struct xfrm_state *x, struct xfrm_tmpl *t,
347 struct xfrm_policy *pol);
348void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
349int __xfrm_state_delete(struct xfrm_state *x);
53bc6b4d 350
1da177e4 351struct xfrm_state_afinfo {
4c203b04
FW		 352 u8 family;
353 u8 proto;
4f518e80
FW		 354
355 const struct xfrm_type_offload *type_offload_esp;
356
357 const struct xfrm_type *type_esp;
358 const struct xfrm_type *type_ipip;
359 const struct xfrm_type *type_ipip6;
360 const struct xfrm_type *type_comp;
361 const struct xfrm_type *type_ah;
362 const struct xfrm_type *type_routing;
363 const struct xfrm_type *type_dstopts;
9d389d7f 364
ede2059d 365 int (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
716062fd
HX		 366 int (*transport_finish)(struct sk_buff *skb,
367 int async);
628e341f 368 void (*local_error)(struct sk_buff *skb, u32 mtu);
1da177e4
LT		 369};
370
d511337a
JP		 371int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
372int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
373struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
711059b9 374struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family);
1da177e4 375
2f32b51b 376struct xfrm_input_afinfo {
1475ee0a
XL		 377 u8 family;
378 bool is_ipip;
2f32b51b
SK		 379 int (*callback)(struct sk_buff *skb, u8 protocol,
380 int err);
381};
382
960fdfde
FW		 383int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
384int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
2f32b51b 385
b48c05ab 386void xfrm_flush_gc(void);
d511337a 387void xfrm_state_delete_tunnel(struct xfrm_state *x);
1da177e4 388
fd2c3ef7 389struct xfrm_type {
1da177e4 390 struct module *owner;
a6337463 391 u8 proto;
392 u8 flags;
1b5c2299 393#define XFRM_TYPE_NON_FRAGMENT 1
436a0a40 394#define XFRM_TYPE_REPLAY_PROT 2
f04e7e8d
HX		 395#define XFRM_TYPE_LOCAL_COADDR 4
396#define XFRM_TYPE_REMOTE_COADDR 8
1da177e4 397
72cb6962 398 int (*init_state)(struct xfrm_state *x);
1da177e4 399 void (*destructor)(struct xfrm_state *);
e695633e 400 int (*input)(struct xfrm_state *, struct sk_buff *skb);
1da177e4 401 int (*output)(struct xfrm_state *, struct sk_buff *pskb);
8f029de2
DM		 402 int (*reject)(struct xfrm_state *, struct sk_buff *,
403 const struct flowi *);
1da177e4
LT		 404};
405
d511337a 406int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
4f518e80 407void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
1da177e4 408
9d389d7f 409struct xfrm_type_offload {
9d389d7f
SK		 410 struct module *owner;
411 u8 proto;
412 void (*encap)(struct xfrm_state *, struct sk_buff *pskb);
413 int (*input_tail)(struct xfrm_state *x, struct sk_buff *skb);
414 int (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features);
415};
416
417int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);
4f518e80 418void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);
9d389d7f 419
df9dcb45
KM		 420static inline int xfrm_af2proto(unsigned int family)
421{
422 switch(family) {
423 case AF_INET:
424 return IPPROTO_IPIP;
425 case AF_INET6:
426 return IPPROTO_IPV6;
427 default:
428 return 0;
429 }
430}
431
4c145dce 432static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
df9dcb45
KM		 433{
434 if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
435 (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
c9500d7b 436 return &x->inner_mode;
df9dcb45 437 else
c9500d7b 438 return &x->inner_mode_iaf;
df9dcb45
KM		 439}
440
fd2c3ef7 441struct xfrm_tmpl {
1da177e4
LT		 442/* id in template is interpreted as:
443 * daddr - destination of tunnel, may be zero for transport mode.
444 * spi - zero to acquire spi. Not zero if spi is static, then
445 * daddr must be fixed too.
446 * proto - AH/ESP/IPCOMP
447 */
448 struct xfrm_id id;
449
450/* Source address of tunnel. Ignored, if it is not a tunnel. */
451 xfrm_address_t saddr;
452
76b3f055
MK		 453 unsigned short encap_family;
454
a6337463 455 u32 reqid;
1da177e4 456
7e49e6de 457/* Mode: transport, tunnel etc. */
a6337463 458 u8 mode;
1da177e4
LT		 459
460/* Sharing mode: unique, this session only, this user only etc. */
a6337463 461 u8 share;
1da177e4
LT		 462
463/* May skip this transfomration if no SA is found */
a6337463 464 u8 optional;
1da177e4 465
c5d18e98 466/* Skip aalgos/ealgos/calgos checks. */
a6337463 467 u8 allalgs;
c5d18e98 468
1da177e4 469/* Bit mask of algos allowed for acquisition */
a6337463 470 u32 aalgos;
471 u32 ealgos;
472 u32 calgos;
1da177e4
LT		 473};
474
622dc828 475#define XFRM_MAX_DEPTH 6
54ef207a 476#define XFRM_MAX_OFFLOAD_DEPTH 1
1da177e4 477
12a169e7
HX		 478struct xfrm_policy_walk_entry {
479 struct list_head all;
480 u8 dead;
481};
482
483struct xfrm_policy_walk {
484 struct xfrm_policy_walk_entry walk;
485 u8 type;
486 u32 seq;
487};
488
a0073fe1
SK		 489struct xfrm_policy_queue {
490 struct sk_buff_head hold_queue;
491 struct timer_list hold_timer;
492 unsigned long timeout;
493};
494
fd2c3ef7 495struct xfrm_policy {
0c5c9fb5 496 possible_net_t xp_net;
2518c7c2
DM		 497 struct hlist_node bydst;
498 struct hlist_node byidx;
1da177e4
LT		 499
500 /* This lock only affects elements except for entry. */
501 rwlock_t lock;
850a6212 502 refcount_t refcnt;
6be3b0db 503 u32 pos;
1da177e4
LT		 504 struct timer_list timer;
505
80c802f3 506 atomic_t genid;
1da177e4
LT		 507 u32 priority;
508 u32 index;
7e652640 509 u32 if_id;
bf825f81 510 struct xfrm_mark mark;
1da177e4
LT		 511 struct xfrm_selector selector;
512 struct xfrm_lifetime_cfg lft;
513 struct xfrm_lifetime_cur curlft;
12a169e7 514 struct xfrm_policy_walk_entry walk;
a0073fe1 515 struct xfrm_policy_queue polq;
9cf545eb 516 bool bydst_reinsert;
46ca5f5d
ACM		 517 u8 type;
518 u8 action;
519 u8 flags;
46ca5f5d 520 u8 xfrm_nr;
12a169e7 521 u16 family;
df71837d 522 struct xfrm_sec_ctx *security;
1da177e4 523 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
24969fac 524 struct hlist_node bydst_inexact_list;
56f04730 525 struct rcu_head rcu;
1da177e4
LT		 526};
527
63eb23f5 528static inline struct net *xp_net(const struct xfrm_policy *xp)
0331b1f3
AD		 529{
530 return read_pnet(&xp->xp_net);
531}
532
13c1d189
AE		 533struct xfrm_kmaddress {
534 xfrm_address_t local;
535 xfrm_address_t remote;
536 u32 reserved;
537 u16 family;
538};
539
80c9abaa
SS		 540struct xfrm_migrate {
541 xfrm_address_t old_daddr;
542 xfrm_address_t old_saddr;
543 xfrm_address_t new_daddr;
544 xfrm_address_t new_saddr;
545 u8 proto;
546 u8 mode;
547 u16 reserved;
548 u32 reqid;
549 u16 old_family;
550 u16 new_family;
551};
552
f8cd5488 553#define XFRM_KM_TIMEOUT 30
f8cd5488
JHS		 554/* what happened */
555#define XFRM_REPLAY_UPDATE XFRM_AE_CR
556#define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
557
558/* default aevent timeout in units of 100ms */
559#define XFRM_AE_ETIME 10
560/* Async Event timer multiplier */
561#define XFRM_AE_ETH_M 10
562/* default seq threshold size */
563#define XFRM_AE_SEQT_SIZE 2
1da177e4 564
fd2c3ef7 565struct xfrm_mgr {
1da177e4 566 struct list_head list;
214e005b 567 int (*notify)(struct xfrm_state *x, const struct km_event *c);
65e0736b 568 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
cb969f07 569 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
5d36b180 570 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
214e005b 571 int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
db983c11 572 int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
183cad12
DM		 573 int (*migrate)(const struct xfrm_selector *sel,
574 u8 dir, u8 type,
575 const struct xfrm_migrate *m,
576 int num_bundles,
8bafd730
AA		 577 const struct xfrm_kmaddress *k,
578 const struct xfrm_encap_tmpl *encap);
0f24558e 579 bool (*is_alive)(const struct km_event *c);
1da177e4
LT		 580};
581
d511337a
JP		 582int xfrm_register_km(struct xfrm_mgr *km);
583int xfrm_unregister_km(struct xfrm_mgr *km);
1da177e4 584
70be6c91
SK		 585struct xfrm_tunnel_skb_cb {
586 union {
587 struct inet_skb_parm h4;
588 struct inet6_skb_parm h6;
589 } header;
590
591 union {
592 struct ip_tunnel *ip4;
593 struct ip6_tnl *ip6;
594 } tunnel;
595};
596
597#define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
598
436a0a40
HX		 599/*
600 * This structure is used for the duration where packets are being
601 * transformed by IPsec. As soon as the packet leaves IPsec the
602 * area beyond the generic IP part may be overwritten.
603 */
604struct xfrm_skb_cb {
70be6c91 605 struct xfrm_tunnel_skb_cb header;
436a0a40
HX		 606
607 /* Sequence number for replay protection. */
b318e0e4 608 union {
1ce3644a
SK		 609 struct {
610 __u32 low;
611 __u32 hi;
612 } output;
613 struct {
614 __be32 low;
615 __be32 hi;
616 } input;
b318e0e4 617 } seq;
436a0a40
HX		 618};
619
620#define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
621
36cf9acf
HX		 622/*
623 * This structure is used by the afinfo prepare_input/prepare_output functions
624 * to transmit header information to the mode input/output functions.
625 */
626struct xfrm_mode_skb_cb {
70be6c91 627 struct xfrm_tunnel_skb_cb header;
36cf9acf
HX		 628
629 /* Copied from header for IPv4, always set to zero and DF for IPv6. */
630 __be16 id;
631 __be16 frag_off;
632
732c8bd5
HX		 633 /* IP header length (excluding options or extension headers). */
634 u8 ihl;
635
36cf9acf
HX		 636 /* TOS for IPv4, class for IPv6. */
637 u8 tos;
638
639 /* TTL for IPv4, hop limitfor IPv6. */
640 u8 ttl;
641
642 /* Protocol for IPv4, NH for IPv6. */
643 u8 protocol;
644
732c8bd5
HX		 645 /* Option length for IPv4, zero for IPv6. */
646 u8 optlen;
647
36cf9acf
HX		 648 /* Used by IPv6 only, zero for IPv4. */
649 u8 flow_lbl[3];
650};
651
652#define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
653
716062fd
HX		 654/*
655 * This structure is used by the input processing to locate the SPI and
656 * related information.
657 */
658struct xfrm_spi_skb_cb {
70be6c91 659 struct xfrm_tunnel_skb_cb header;
716062fd 660
716062fd 661 unsigned int daddroff;
2fcb45b6 662 unsigned int family;
7785bba2 663 __be32 seq;
716062fd
HX		 664};
665
666#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
667
c9204d9c 668#ifdef CONFIG_AUDITSYSCALL
afeb14b4 669static inline struct audit_buffer *xfrm_audit_start(const char *op)
ab5f5e8b
JL		 670{
671 struct audit_buffer *audit_buf = NULL;
ab5f5e8b 672
f7859590 673 if (audit_enabled == AUDIT_OFF)
afeb14b4 674 return NULL;
cdfb6b34 675 audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
afeb14b4 676 AUDIT_MAC_IPSEC_EVENT);
ab5f5e8b
JL		 677 if (audit_buf == NULL)
678 return NULL;
afeb14b4
PM		 679 audit_log_format(audit_buf, "op=%s", op);
680 return audit_buf;
681}
ab5f5e8b 682
2e71029e 683static inline void xfrm_audit_helper_usrinfo(bool task_valid,
afeb14b4
PM		 684 struct audit_buffer *audit_buf)
685{
2e71029e
TH		 686 const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
687 audit_get_loginuid(current) :
688 INVALID_UID);
689 const unsigned int ses = task_valid ? audit_get_sessionid(current) :
f0b75216 690 AUDIT_SID_UNSET;
2e71029e
TH		 691
692 audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
f1370cc4 693 audit_log_task_context(audit_buf);
ab5f5e8b
JL		 694}
695
2e71029e
TH		 696void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
697void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
698 bool task_valid);
699void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
700void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
d511337a
JP		 701void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
702 struct sk_buff *skb);
703void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
704 __be32 net_seq);
705void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
706void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi,
707 __be32 net_seq);
708void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
709 u8 proto);
c9204d9c 710#else
41fef0ee
MS		 711
712static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
2e71029e 713 bool task_valid)
41fef0ee
MS		 714{
715}
716
717static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
2e71029e 718 bool task_valid)
41fef0ee
MS		 719{
720}
721
722static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
2e71029e 723 bool task_valid)
41fef0ee
MS		 724{
725}
726
727static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2e71029e 728 bool task_valid)
41fef0ee
MS		 729{
730}
731
732static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
733 struct sk_buff *skb)
734{
735}
736
9fdc4883
SK		 737static inline void xfrm_audit_state_replay(struct xfrm_state *x,
738 struct sk_buff *skb, __be32 net_seq)
739{
740}
741
41fef0ee
MS		 742static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
743 u16 family)
744{
745}
746
747static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
748 __be32 net_spi, __be32 net_seq)
749{
750}
751
752static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
753 struct sk_buff *skb, u8 proto)
754{
755}
c9204d9c 756#endif /* CONFIG_AUDITSYSCALL */
161a09e7 757
1da177e4
LT		 758static inline void xfrm_pol_hold(struct xfrm_policy *policy)
759{
760 if (likely(policy != NULL))
850a6212 761 refcount_inc(&policy->refcnt);
1da177e4
LT		 762}
763
d511337a 764void xfrm_policy_destroy(struct xfrm_policy *policy);
1da177e4
LT		 765
766static inline void xfrm_pol_put(struct xfrm_policy *policy)
767{
850a6212 768 if (refcount_dec_and_test(&policy->refcnt))
64c31b3f 769 xfrm_policy_destroy(policy);
1da177e4
LT		 770}
771
4e81bb83
MN		 772static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
773{
774 int i;
775 for (i = npols - 1; i >= 0; --i)
776 xfrm_pol_put(pols[i]);
777}
4e81bb83 778
f75a2804 779void __xfrm_state_destroy(struct xfrm_state *, bool);
1da177e4 780
21380b81
HX		 781static inline void __xfrm_state_put(struct xfrm_state *x)
782{
88755e9c 783 refcount_dec(&x->refcnt);
21380b81
HX		 784}
785
1da177e4
LT		 786static inline void xfrm_state_put(struct xfrm_state *x)
787{
88755e9c 788 if (refcount_dec_and_test(&x->refcnt))
f75a2804
CW		 789 __xfrm_state_destroy(x, false);
790}
791
792static inline void xfrm_state_put_sync(struct xfrm_state *x)
793{
794 if (refcount_dec_and_test(&x->refcnt))
795 __xfrm_state_destroy(x, true);
1da177e4
LT		 796}
797
798static inline void xfrm_state_hold(struct xfrm_state *x)
799{
88755e9c 800 refcount_inc(&x->refcnt);
1da177e4
LT		 801}
802
1744a8fe 803static inline bool addr_match(const void *token1, const void *token2,
e1b0048e 804 unsigned int prefixlen)
1da177e4 805{
1744a8fe
DM		 806 const __be32 *a1 = token1;
807 const __be32 *a2 = token2;
e1b0048e
AD		 808 unsigned int pdw;
809 unsigned int pbi;
1da177e4 810
a6337463 811 pdw = prefixlen >> 5; /* num of whole u32 in prefix */
1da177e4
LT		 812 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
813
814 if (pdw)
815 if (memcmp(a1, a2, pdw << 2))
1744a8fe 816 return false;
1da177e4
LT		 817
818 if (pbi) {
5f19343f 819 __be32 mask;
1da177e4
LT		 820
821 mask = htonl((0xffffffff) << (32 - pbi));
822
823 if ((a1[pdw] ^ a2[pdw]) & mask)
1744a8fe 824 return false;
1da177e4
LT		 825 }
826
1744a8fe 827 return true;
1da177e4
LT		 828}
829
26bff940
AD		 830static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
831{
832 /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
6c786bcb 833 if (sizeof(long) == 4 && prefixlen == 0)
26bff940 834 return true;
6c786bcb 835 return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen)));
26bff940
AD		 836}
837
1da177e4 838static __inline__
6281dcc9 839__be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
1da177e4 840{
f9d07e41 841 __be16 port;
1d28f42c 842 switch(fl->flowi_proto) {
1da177e4
LT		 843 case IPPROTO_TCP:
844 case IPPROTO_UDP:
ba4e58ec 845 case IPPROTO_UDPLITE:
1da177e4 846 case IPPROTO_SCTP:
6281dcc9 847 port = uli->ports.sport;
1da177e4
LT		 848 break;
849 case IPPROTO_ICMP:
850 case IPPROTO_ICMPV6:
6281dcc9 851 port = htons(uli->icmpt.type);
1da177e4 852 break;
2ce4272a 853 case IPPROTO_MH:
6281dcc9 854 port = htons(uli->mht.type);
2ce4272a 855 break;
cc9ff19d 856 case IPPROTO_GRE:
6281dcc9 857 port = htons(ntohl(uli->gre_key) >> 16);
cc9ff19d 858 break;
1da177e4
LT		 859 default:
860 port = 0; /*XXX*/
861 }
862 return port;
863}
864
865static __inline__
6281dcc9 866__be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
1da177e4 867{
f9d07e41 868 __be16 port;
1d28f42c 869 switch(fl->flowi_proto) {
1da177e4
LT		 870 case IPPROTO_TCP:
871 case IPPROTO_UDP:
ba4e58ec 872 case IPPROTO_UDPLITE:
1da177e4 873 case IPPROTO_SCTP:
6281dcc9 874 port = uli->ports.dport;
1da177e4
LT		 875 break;
876 case IPPROTO_ICMP:
877 case IPPROTO_ICMPV6:
6281dcc9 878 port = htons(uli->icmpt.code);
1da177e4 879 break;
cc9ff19d 880 case IPPROTO_GRE:
6281dcc9 881 port = htons(ntohl(uli->gre_key) & 0xffff);
cc9ff19d 882 break;
1da177e4
LT		 883 default:
884 port = 0; /*XXX*/
885 }
886 return port;
887}
888
d511337a
JP		 889bool xfrm_selector_match(const struct xfrm_selector *sel,
890 const struct flowi *fl, unsigned short family);
1da177e4 891
df71837d
TJ		 892#ifdef CONFIG_SECURITY_NETWORK_XFRM
893/* If neither has a context --> match
894 * Otherwise, both must have a context and the sids, doi, alg must match
895 */
bc9b35ad 896static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
df71837d
TJ		 897{
898 return ((!s1 && !s2) ||
899 (s1 && s2 &&
900 (s1->ctx_sid == s2->ctx_sid) &&
901 (s1->ctx_doi == s2->ctx_doi) &&
902 (s1->ctx_alg == s2->ctx_alg)));
903}
904#else
bc9b35ad 905static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
df71837d 906{
bc9b35ad 907 return true;
df71837d
TJ		 908}
909#endif
910
1da177e4
LT		 911/* A struct encoding bundle of transformations to apply to some set of flow.
912 *
b6ca8bd5 913 * xdst->child points to the next element of bundle.
1da177e4
LT		 914 * dst->xfrm points to an instanse of transformer.
915 *
916 * Due to unfortunate limitations of current routing cache, which we
917 * have no time to fix, it mirrors struct rtable and bound to the same
918 * routing key, including saddr,daddr. However, we can have many of
919 * bundles differing by session id. All the bundles grow from a parent
920 * policy rule.
921 */
fd2c3ef7 922struct xfrm_dst {
1da177e4 923 union {
1da177e4
LT		 924 struct dst_entry dst;
925 struct rtable rt;
926 struct rt6_info rt6;
927 } u;
928 struct dst_entry *route;
b6ca8bd5 929 struct dst_entry *child;
0f6c480f 930 struct dst_entry *path;
80c802f3
TT		 931 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
932 int num_pols, num_xfrms;
80c802f3
TT		 933 u32 xfrm_genid;
934 u32 policy_genid;
1da177e4
LT		 935 u32 route_mtu_cached;
936 u32 child_mtu_cached;
92d63dec
HY		 937 u32 route_cookie;
938 u32 path_cookie;
1da177e4
LT		 939};
940
0f6c480f
DM		 941static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst)
942{
943#ifdef CONFIG_XFRM
101dde42 944 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
0f6c480f
DM		 945 const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst;
946
947 return xdst->path;
948 }
949#endif
950 return (struct dst_entry *) dst;
951}
952
b92cf4aa
DM		 953static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst)
954{
955#ifdef CONFIG_XFRM
101dde42 956 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
b6ca8bd5
DM		 957 struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
958 return xdst->child;
959 }
b92cf4aa
DM		 960#endif
961 return NULL;
962}
963
def8b4fa 964#ifdef CONFIG_XFRM
45b018be
DM		 965static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child)
966{
b6ca8bd5 967 xdst->child = child;
45b018be
DM		 968}
969
aabc9761
HX		 970static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
971{
80c802f3 972 xfrm_pols_put(xdst->pols, xdst->num_pols);
aabc9761
HX		 973 dst_release(xdst->route);
974 if (likely(xdst->u.dst.xfrm))
975 xfrm_state_put(xdst->u.dst.xfrm);
976}
def8b4fa 977#endif
aabc9761 978
d511337a 979void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
aabc9761 980
f203b76d 981struct xfrm_if_parms {
f203b76d
SK		 982 int link; /* ifindex of underlying L2 interface */
983 u32 if_id; /* interface identifyer */
984};
985
986struct xfrm_if {
987 struct xfrm_if __rcu *next; /* next interface in list */
988 struct net_device *dev; /* virtual device associated with interface */
f203b76d
SK		 989 struct net *net; /* netns for packet i/o */
990 struct xfrm_if_parms p; /* interface parms */
991
992 struct gro_cells gro_cells;
993};
994
54ef207a
SK		 995struct xfrm_offload {
996 /* Output sequence number for replay protection on offloading. */
997 struct {
998 __u32 low;
999 __u32 hi;
1000 } seq;
1001
1002 __u32 flags;
1003#define SA_DELETE_REQ 1
1004#define CRYPTO_DONE 2
1005#define CRYPTO_NEXT_DONE 4
1006#define CRYPTO_FALLBACK 8
1007#define XFRM_GSO_SEGMENT 16
1008#define XFRM_GRO 32
47ebcc0b 1009#define XFRM_ESP_NO_TRAILER 64
f53c7239 1010#define XFRM_DEV_RESUME 128
94579ac3 1011#define XFRM_XMIT 256
54ef207a
SK		 1012
1013 __u32 status;
1014#define CRYPTO_SUCCESS 1
1015#define CRYPTO_GENERIC_ERROR 2
1016#define CRYPTO_TRANSPORT_AH_AUTH_FAILED 4
1017#define CRYPTO_TRANSPORT_ESP_AUTH_FAILED 8
1018#define CRYPTO_TUNNEL_AH_AUTH_FAILED 16
1019#define CRYPTO_TUNNEL_ESP_AUTH_FAILED 32
1020#define CRYPTO_INVALID_PACKET_SYNTAX 64
1021#define CRYPTO_INVALID_PROTOCOL 128
1022
1023 __u8 proto;
fa453523 1024 __u8 inner_ipproto;
54ef207a
SK		 1025};
1026
fd2c3ef7 1027struct sec_path {
1da177e4 1028 int len;
54ef207a
SK		 1029 int olen;
1030
dbe5b4aa 1031 struct xfrm_state *xvec[XFRM_MAX_DEPTH];
54ef207a 1032 struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH];
1da177e4
LT		 1033};
1034
0ca64da1 1035struct sec_path *secpath_set(struct sk_buff *skb);
1da177e4
LT		 1036
1037static inline void
1038secpath_reset(struct sk_buff *skb)
1039{
1040#ifdef CONFIG_XFRM
4165079b 1041 skb_ext_del(skb, SKB_EXT_SEC_PATH);
1da177e4
LT		 1042#endif
1043}
1044
a1e59abf 1045static inline int
6cc32961 1046xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
a1e59abf
PM		 1047{
1048 switch (family) {
1049 case AF_INET:
1050 return addr->a4 == 0;
1051 case AF_INET6:
15e318bd 1052 return ipv6_addr_any(&addr->in6);
a1e59abf
PM		 1053 }
1054 return 0;
1055}
1056
1da177e4 1057static inline int
21eddb5c 1058__xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1da177e4
LT		 1059{
1060 return (tmpl->saddr.a4 &&
1061 tmpl->saddr.a4 != x->props.saddr.a4);
1062}
1063
1064static inline int
21eddb5c 1065__xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1da177e4
LT		 1066{
1067 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
ff88b30c 1068 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1da177e4
LT		 1069}
1070
1071static inline int
21eddb5c 1072xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1da177e4
LT		 1073{
1074 switch (family) {
1075 case AF_INET:
1076 return __xfrm4_state_addr_cmp(tmpl, x);
1077 case AF_INET6:
1078 return __xfrm6_state_addr_cmp(tmpl, x);
1079 }
1080 return !0;
1081}
1082
1083#ifdef CONFIG_XFRM
2d151d39
SK		 1084static inline bool
1085xfrm_default_allow(struct net *net, int dir)
1086{
1087 u8 def = net->xfrm.policy_default;
1088
1089 switch (dir) {
1090 case XFRM_POLICY_IN:
1091 return def & XFRM_POL_DEFAULT_IN ? false : true;
1092 case XFRM_POLICY_OUT:
1093 return def & XFRM_POL_DEFAULT_OUT ? false : true;
1094 case XFRM_POLICY_FWD:
1095 return def & XFRM_POL_DEFAULT_FWD ? false : true;
1096 }
1097 return false;
1098}
1099
d511337a
JP		 1100int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
1101 unsigned short family);
1da177e4 1102
d5422efe
HX		 1103static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1104 struct sk_buff *skb,
1105 unsigned int family, int reverse)
1da177e4 1106{
f6e1e25d 1107 struct net *net = dev_net(skb->dev);
d5422efe
HX		 1108 int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1109
1da177e4 1110 if (sk && sk->sk_policy[XFRM_POLICY_IN])
d5422efe 1111 return __xfrm_policy_check(sk, ndir, skb, family);
4e81bb83 1112
2d151d39
SK		 1113 if (xfrm_default_allow(net, dir))
1114 return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
1115 (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
1116 __xfrm_policy_check(sk, ndir, skb, family);
1117 else
1118 return (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
1119 __xfrm_policy_check(sk, ndir, skb, family);
d5422efe
HX		 1120}
1121
1122static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1123{
1124 return __xfrm_policy_check2(sk, dir, skb, family, 0);
1da177e4
LT		 1125}
1126
1127static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1128{
1129 return xfrm_policy_check(sk, dir, skb, AF_INET);
1130}
1131
1132static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1133{
1134 return xfrm_policy_check(sk, dir, skb, AF_INET6);
1135}
1136
d5422efe
HX		 1137static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1138 struct sk_buff *skb)
1139{
1140 return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1141}
1142
1143static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1144 struct sk_buff *skb)
1145{
1146 return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1147}
1148
d511337a
JP		 1149int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1150 unsigned int family, int reverse);
d5422efe
HX		 1151
1152static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1153 unsigned int family)
1154{
1155 return __xfrm_decode_session(skb, fl, family, 0);
1156}
1157
1158static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1159 struct flowi *fl,
1160 unsigned int family)
1161{
1162 return __xfrm_decode_session(skb, fl, family, 1);
1163}
1164
d511337a 1165int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1da177e4
LT		 1166
1167static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1168{
99a66657
AD		 1169 struct net *net = dev_net(skb->dev);
1170
ec3bb890 1171 if (xfrm_default_allow(net, XFRM_POLICY_OUT))
2d151d39
SK		 1172 return !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
1173 (skb_dst(skb)->flags & DST_NOXFRM) ||
1174 __xfrm_route_forward(skb, family);
1175 else
1176 return (skb_dst(skb)->flags & DST_NOXFRM) ||
1177 __xfrm_route_forward(skb, family);
1da177e4
LT		 1178}
1179
1180static inline int xfrm4_route_forward(struct sk_buff *skb)
1181{
1182 return xfrm_route_forward(skb, AF_INET);
1183}
1184
1185static inline int xfrm6_route_forward(struct sk_buff *skb)
1186{
1187 return xfrm_route_forward(skb, AF_INET6);
1188}
1189
d188ba86 1190int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk);
1da177e4 1191
d188ba86 1192static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
1da177e4 1193{
d188ba86
ED		 1194 sk->sk_policy[0] = NULL;
1195 sk->sk_policy[1] = NULL;
1196 if (unlikely(osk->sk_policy[0] || osk->sk_policy[1]))
1197 return __xfrm_sk_clone_policy(sk, osk);
1da177e4
LT		 1198 return 0;
1199}
1200
d511337a 1201int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1da177e4
LT		 1202
1203static inline void xfrm_sk_free_policy(struct sock *sk)
1204{
d188ba86
ED		 1205 struct xfrm_policy *pol;
1206
1207 pol = rcu_dereference_protected(sk->sk_policy[0], 1);
1208 if (unlikely(pol != NULL)) {
1209 xfrm_policy_delete(pol, XFRM_POLICY_MAX);
1da177e4
LT		 1210 sk->sk_policy[0] = NULL;
1211 }
d188ba86
ED		 1212 pol = rcu_dereference_protected(sk->sk_policy[1], 1);
1213 if (unlikely(pol != NULL)) {
1214 xfrm_policy_delete(pol, XFRM_POLICY_MAX+1);
1da177e4
LT		 1215 sk->sk_policy[1] = NULL;
1216 }
1217}
1218
1219#else
1220
1221static inline void xfrm_sk_free_policy(struct sock *sk) {}
d188ba86 1222static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; }
82695b30
SH		 1223static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
1224static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
1da177e4 1225static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
82695b30
SH		 1226{
1227 return 1;
1228}
1da177e4
LT		 1229static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1230{
1231 return 1;
1232}
1233static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1234{
1235 return 1;
1236}
d5422efe
HX		 1237static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1238 struct flowi *fl,
1239 unsigned int family)
1240{
1241 return -ENOSYS;
1242}
1243static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1244 struct sk_buff *skb)
1245{
1246 return 1;
1247}
1248static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1249 struct sk_buff *skb)
1250{
1251 return 1;
1252}
1da177e4
LT		 1253#endif
1254
1255static __inline__
e8a4e377 1256xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1da177e4
LT		 1257{
1258 switch (family){
1259 case AF_INET:
7e1dc7b6 1260 return (xfrm_address_t *)&fl->u.ip4.daddr;
1da177e4 1261 case AF_INET6:
7e1dc7b6 1262 return (xfrm_address_t *)&fl->u.ip6.daddr;
1da177e4
LT		 1263 }
1264 return NULL;
1265}
1266
1267static __inline__
e8a4e377 1268xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1da177e4
LT		 1269{
1270 switch (family){
1271 case AF_INET:
7e1dc7b6 1272 return (xfrm_address_t *)&fl->u.ip4.saddr;
1da177e4 1273 case AF_INET6:
7e1dc7b6 1274 return (xfrm_address_t *)&fl->u.ip6.saddr;
1da177e4
LT		 1275 }
1276 return NULL;
1277}
1278
9bb182a7 1279static __inline__
e8a4e377 1280void xfrm_flowi_addr_get(const struct flowi *fl,
9bb182a7
YH		 1281 xfrm_address_t *saddr, xfrm_address_t *daddr,
1282 unsigned short family)
1283{
1284 switch(family) {
1285 case AF_INET:
7e1dc7b6
DM		 1286 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1287 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
9bb182a7
YH		 1288 break;
1289 case AF_INET6:
15e318bd
JB		 1290 saddr->in6 = fl->u.ip6.saddr;
1291 daddr->in6 = fl->u.ip6.daddr;
9bb182a7
YH		 1292 break;
1293 }
1294}
1295
1da177e4 1296static __inline__ int
f8848067
DM		 1297__xfrm4_state_addr_check(const struct xfrm_state *x,
1298 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1da177e4
LT		 1299{
1300 if (daddr->a4 == x->id.daddr.a4 &&
1301 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1302 return 1;
1303 return 0;
1304}
1305
1306static __inline__ int
f8848067
DM		 1307__xfrm6_state_addr_check(const struct xfrm_state *x,
1308 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1da177e4 1309{
ff88b30c
YH		 1310 if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1311 (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
82695b30 1312 ipv6_addr_any((struct in6_addr *)saddr) ||
1da177e4
LT		 1313 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1314 return 1;
1315 return 0;
1316}
1317
1318static __inline__ int
f8848067
DM		 1319xfrm_state_addr_check(const struct xfrm_state *x,
1320 const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1da177e4
LT		 1321 unsigned short family)
1322{
1323 switch (family) {
1324 case AF_INET:
1325 return __xfrm4_state_addr_check(x, daddr, saddr);
1326 case AF_INET6:
1327 return __xfrm6_state_addr_check(x, daddr, saddr);
1328 }
1329 return 0;
1330}
1331
e53820de 1332static __inline__ int
f8848067 1333xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
e53820de
MN		 1334 unsigned short family)
1335{
1336 switch (family) {
1337 case AF_INET:
1338 return __xfrm4_state_addr_check(x,
7e1dc7b6
DM		 1339 (const xfrm_address_t *)&fl->u.ip4.daddr,
1340 (const xfrm_address_t *)&fl->u.ip4.saddr);
e53820de
MN		 1341 case AF_INET6:
1342 return __xfrm6_state_addr_check(x,
7e1dc7b6
DM		 1343 (const xfrm_address_t *)&fl->u.ip6.daddr,
1344 (const xfrm_address_t *)&fl->u.ip6.saddr);
e53820de
MN		 1345 }
1346 return 0;
1347}
1348
f8848067 1349static inline int xfrm_state_kern(const struct xfrm_state *x)
1da177e4
LT		 1350{
1351 return atomic_read(&x->tunnel_users);
1352}
1353
dbb2483b
CW		 1354static inline bool xfrm_id_proto_valid(u8 proto)
1355{
1356 switch (proto) {
1357 case IPPROTO_AH:
1358 case IPPROTO_ESP:
1359 case IPPROTO_COMP:
1360#if IS_ENABLED(CONFIG_IPV6)
1361 case IPPROTO_ROUTING:
1362 case IPPROTO_DSTOPTS:
1363#endif
1364 return true;
1365 default:
1366 return false;
1367 }
1368}
1369
1370/* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */
5794708f
MN		 1371static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1372{
dc00a525
MN		 1373 return (!userproto || proto == userproto ||
1374 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1375 proto == IPPROTO_ESP ||
1376 proto == IPPROTO_COMP)));
5794708f
MN		 1377}
1378
1da177e4
LT		 1379/*
1380 * xfrm algorithm information
1381 */
1a6509d9 1382struct xfrm_algo_aead_info {
165ecc63 1383 char *geniv;
1a6509d9
HX		 1384 u16 icv_truncbits;
1385};
1386
1da177e4
LT		 1387struct xfrm_algo_auth_info {
1388 u16 icv_truncbits;
1389 u16 icv_fullbits;
1390};
1391
1392struct xfrm_algo_encr_info {
165ecc63 1393 char *geniv;
1da177e4
LT		 1394 u16 blockbits;
1395 u16 defkeybits;
1396};
1397
1398struct xfrm_algo_comp_info {
1399 u16 threshold;
1400};
1401
1402struct xfrm_algo_desc {
1403 char *name;
04ff1260 1404 char *compat;
1da177e4 1405 u8 available:1;
7e50f84c 1406 u8 pfkey_supported:1;
1da177e4 1407 union {
1a6509d9 1408 struct xfrm_algo_aead_info aead;
1da177e4
LT		 1409 struct xfrm_algo_auth_info auth;
1410 struct xfrm_algo_encr_info encr;
1411 struct xfrm_algo_comp_info comp;
1412 } uinfo;
1413 struct sadb_alg desc;
1414};
1415
3328715e
SK		 1416/* XFRM protocol handlers. */
1417struct xfrm4_protocol {
1418 int (*handler)(struct sk_buff *skb);
1419 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1420 int encap_type);
1421 int (*cb_handler)(struct sk_buff *skb, int err);
1422 int (*err_handler)(struct sk_buff *skb, u32 info);
1423
1424 struct xfrm4_protocol __rcu *next;
1425 int priority;
1426};
1427
7e14ea15 1428struct xfrm6_protocol {
1da177e4 1429 int (*handler)(struct sk_buff *skb);
0146dca7
SD		 1430 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1431 int encap_type);
7e14ea15
SK		 1432 int (*cb_handler)(struct sk_buff *skb, int err);
1433 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1434 u8 type, u8 code, int offset, __be32 info);
d2acc347 1435
7e14ea15 1436 struct xfrm6_protocol __rcu *next;
d2acc347 1437 int priority;
1da177e4
LT		 1438};
1439
1da177e4
LT		 1440/* XFRM tunnel handlers. */
1441struct xfrm_tunnel {
aba82695 1442 int (*handler)(struct sk_buff *skb);
6df2db5d 1443 int (*cb_handler)(struct sk_buff *skb, int err);
a6337463 1444 int (*err_handler)(struct sk_buff *skb, u32 info);
d2acc347 1445
b33eab08 1446 struct xfrm_tunnel __rcu *next;
aba82695
FD		 1447 int priority;
1448};
1449
1da177e4 1450struct xfrm6_tunnel {
d2acc347 1451 int (*handler)(struct sk_buff *skb);
86afc703 1452 int (*cb_handler)(struct sk_buff *skb, int err);
d2acc347 1453 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
d5fdd6ba 1454 u8 type, u8 code, int offset, __be32 info);
6f0bcf15 1455 struct xfrm6_tunnel __rcu *next;
d2acc347 1456 int priority;
1da177e4
LT		 1457};
1458
d511337a
JP		 1459void xfrm_init(void);
1460void xfrm4_init(void);
1461int xfrm_state_init(struct net *net);
1462void xfrm_state_fini(struct net *net);
1463void xfrm4_state_init(void);
2f32b51b 1464void xfrm4_protocol_init(void);
c35b7e72 1465#ifdef CONFIG_XFRM
d511337a
JP		 1466int xfrm6_init(void);
1467void xfrm6_fini(void);
1468int xfrm6_state_init(void);
1469void xfrm6_state_fini(void);
7e14ea15
SK		 1470int xfrm6_protocol_init(void);
1471void xfrm6_protocol_fini(void);
c35b7e72
DL		 1472#else
1473static inline int xfrm6_init(void)
1474{
1475 return 0;
1476}
1477static inline void xfrm6_fini(void)
1478{
1479 ;
1480}
1481#endif
1da177e4 1482
558f82ef 1483#ifdef CONFIG_XFRM_STATISTICS
d511337a
JP		 1484int xfrm_proc_init(struct net *net);
1485void xfrm_proc_fini(struct net *net);
558f82ef
MN		 1486#endif
1487
d511337a 1488int xfrm_sysctl_init(struct net *net);
b27aeadb 1489#ifdef CONFIG_SYSCTL
d511337a 1490void xfrm_sysctl_fini(struct net *net);
b27aeadb
AD		 1491#else
1492static inline void xfrm_sysctl_fini(struct net *net)
1493{
1494}
1495#endif
1496
d3623099 1497void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
870a2df4 1498 struct xfrm_address_filter *filter);
d511337a
JP		 1499int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1500 int (*func)(struct xfrm_state *, int, void*), void *);
283bc9f3 1501void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
d511337a 1502struct xfrm_state *xfrm_state_alloc(struct net *net);
4a135e53 1503void xfrm_state_free(struct xfrm_state *x);
d511337a
JP		 1504struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1505 const xfrm_address_t *saddr,
1506 const struct flowi *fl,
1507 struct xfrm_tmpl *tmpl,
1508 struct xfrm_policy *pol, int *err,
bc56b334 1509 unsigned short family, u32 if_id);
7e652640 1510struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id,
d511337a
JP		 1511 xfrm_address_t *daddr,
1512 xfrm_address_t *saddr,
1513 unsigned short family,
1514 u8 mode, u8 proto, u32 reqid);
c454997e
FD		 1515struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1516 unsigned short family);
d511337a
JP		 1517int xfrm_state_check_expire(struct xfrm_state *x);
1518void xfrm_state_insert(struct xfrm_state *x);
1519int xfrm_state_add(struct xfrm_state *x);
1520int xfrm_state_update(struct xfrm_state *x);
1521struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1522 const xfrm_address_t *daddr, __be32 spi,
1523 u8 proto, unsigned short family);
1524struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1525 const xfrm_address_t *daddr,
1526 const xfrm_address_t *saddr,
1527 u8 proto,
1528 unsigned short family);
41a49cc3 1529#ifdef CONFIG_XFRM_SUB_POLICY
3aaf3915 1530void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
d511337a 1531 unsigned short family);
3aaf3915
FW		 1532void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1533 unsigned short family);
41a49cc3 1534#else
3aaf3915
FW		 1535static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s,
1536 int n, unsigned short family)
41a49cc3 1537{
41a49cc3
MN		 1538}
1539
3aaf3915
FW		 1540static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s,
1541 int n, unsigned short family)
41a49cc3 1542{
41a49cc3
MN		 1543}
1544#endif
af11e316
JHS		 1545
1546struct xfrmk_sadinfo {
1547 u32 sadhcnt; /* current hash bkts */
1548 u32 sadhmcnt; /* max allowed hash bkts */
1549 u32 sadcnt; /* current running count */
1550};
1551
5a6d3416
JHS		 1552struct xfrmk_spdinfo {
1553 u32 incnt;
1554 u32 outcnt;
1555 u32 fwdcnt;
1556 u32 inscnt;
1557 u32 outscnt;
1558 u32 fwdscnt;
1559 u32 spdhcnt;
1560 u32 spdhmcnt;
1561};
1562
d511337a
JP		 1563struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
1564int xfrm_state_delete(struct xfrm_state *x);
f75a2804 1565int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
d77e38e6 1566int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
d511337a
JP		 1567void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1568void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1569u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1570int xfrm_init_replay(struct xfrm_state *x);
b515d263 1571u32 __xfrm_state_mtu(struct xfrm_state *x, int mtu);
c7b37c76 1572u32 xfrm_state_mtu(struct xfrm_state *x, int mtu);
ffdb5211 1573int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload);
d511337a 1574int xfrm_init_state(struct xfrm_state *x);
d511337a
JP		 1575int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
1576int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
7b380192
SD		 1577int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
1578 int (*finish)(struct net *, struct sock *,
1579 struct sk_buff *));
acf568ee
HX		 1580int xfrm_trans_queue(struct sk_buff *skb,
1581 int (*finish)(struct net *, struct sock *,
1582 struct sk_buff *));
9ab1265d 1583int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err);
7026b1dd 1584int xfrm_output(struct sock *sk, struct sk_buff *skb);
0c620e97
FW		 1585
1586#if IS_ENABLED(CONFIG_NET_PKTGEN)
1587int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb);
1588#endif
1589
d511337a 1590void xfrm_local_error(struct sk_buff *skb, int mtu);
d511337a
JP		 1591int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1592int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1593 int encap_type);
1594int xfrm4_transport_finish(struct sk_buff *skb, int async);
1595int xfrm4_rcv(struct sk_buff *skb);
c4541b41
HX		 1596
1597static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1598{
70be6c91 1599 XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
3328715e
SK		 1600 XFRM_SPI_SKB_CB(skb)->family = AF_INET;
1601 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
1602 return xfrm_input(skb, nexthdr, spi, 0);
c4541b41
HX		 1603}
1604
ede2059d 1605int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb);
3328715e
SK		 1606int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);
1607int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);
d511337a
JP		 1608int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1609int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
d511337a 1610void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
d511337a 1611int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
63c43787
ND		 1612int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
1613 struct ip6_tnl *t);
0146dca7
SD		 1614int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1615 int encap_type);
d511337a 1616int xfrm6_transport_finish(struct sk_buff *skb, int async);
63c43787 1617int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t);
d511337a
JP		 1618int xfrm6_rcv(struct sk_buff *skb);
1619int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1620 xfrm_address_t *saddr, u8 proto);
7b77d161 1621void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
7e14ea15
SK		 1622int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);
1623int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);
d511337a 1624int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
7b77d161 1625int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
d511337a
JP		 1626__be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1627__be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
ede2059d 1628int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1da177e4
LT		 1629
1630#ifdef CONFIG_XFRM
3e50ddd8 1631void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu);
d511337a 1632int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
0146dca7 1633int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
c6d1b26a
CH		 1634int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval,
1635 int optlen);
1da177e4 1636#else
c6d1b26a
CH		 1637static inline int xfrm_user_policy(struct sock *sk, int optname,
1638 sockptr_t optval, int optlen)
1da177e4
LT		 1639{
1640 return -ENOPROTOOPT;
82695b30 1641}
1da177e4
LT		 1642#endif
1643
d77e38e6
SK		 1644struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
1645 const xfrm_address_t *saddr,
1646 const xfrm_address_t *daddr,
077fbac4 1647 int family, u32 mark);
d77e38e6 1648
0331b1f3 1649struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
4c563f76 1650
d511337a
JP		 1651void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1652int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1653 int (*func)(struct xfrm_policy *, int, int, void*),
1654 void *);
283bc9f3 1655void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1da177e4 1656int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
4f47e8ab
XL		 1657struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net,
1658 const struct xfrm_mark *mark,
1659 u32 if_id, u8 type, int dir,
4e81bb83 1660 struct xfrm_selector *sel,
ef41aaa0
EP		 1661 struct xfrm_sec_ctx *ctx, int delete,
1662 int *err);
4f47e8ab
XL		 1663struct xfrm_policy *xfrm_policy_byid(struct net *net,
1664 const struct xfrm_mark *mark, u32 if_id,
1665 u8 type, int dir, u32 id, int delete,
1666 int *err);
2e71029e 1667int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
880a6fab 1668void xfrm_policy_hash_rebuild(struct net *net);
1da177e4 1669u32 xfrm_get_acqseq(void);
776e9dd9 1670int verify_spi_info(u8 proto, u32 min, u32 max);
d511337a 1671int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
e473fcb4 1672struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
7e652640 1673 u8 mode, u32 reqid, u32 if_id, u8 proto,
a70486f0
DM		 1674 const xfrm_address_t *daddr,
1675 const xfrm_address_t *saddr, int create,
bd55775c 1676 unsigned short family);
d511337a 1677int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1da177e4 1678
80c9abaa 1679#ifdef CONFIG_XFRM_MIGRATE
d511337a
JP		 1680int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1681 const struct xfrm_migrate *m, int num_bundles,
8bafd730
AA		 1682 const struct xfrm_kmaddress *k,
1683 const struct xfrm_encap_tmpl *encap);
283bc9f3 1684struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net);
d511337a 1685struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
4ab47d47
AA		 1686 struct xfrm_migrate *m,
1687 struct xfrm_encap_tmpl *encap);
d511337a
JP		 1688int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1689 struct xfrm_migrate *m, int num_bundles,
4ab47d47
AA		 1690 struct xfrm_kmaddress *k, struct net *net,
1691 struct xfrm_encap_tmpl *encap);
80c9abaa
SS		 1692#endif
1693
d511337a
JP		 1694int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1695void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1696int km_report(struct net *net, u8 proto, struct xfrm_selector *sel,
1697 xfrm_address_t *addr);
1698
1699void xfrm_input_init(void);
1700int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1701
1702void xfrm_probe_algs(void);
1703int xfrm_count_pfkey_auth_supported(void);
1704int xfrm_count_pfkey_enc_supported(void);
1705struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1706struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1707struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1708struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1709struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1710struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1711struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1712struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1713struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1714 int probe);
1da177e4 1715
70e94e66
YH		 1716static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1717 const xfrm_address_t *b)
1718{
1719 return ipv6_addr_equal((const struct in6_addr *)a,
1720 (const struct in6_addr *)b);
1721}
1722
1723static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1724 const xfrm_address_t *b,
1725 sa_family_t family)
1da177e4
LT		 1726{
1727 switch (family) {
1728 default:
1729 case AF_INET:
70e94e66 1730 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1da177e4 1731 case AF_INET6:
70e94e66 1732 return xfrm6_addr_equal(a, b);
1da177e4
LT		 1733 }
1734}
1735
77d8d7a6
HX		 1736static inline int xfrm_policy_id2dir(u32 index)
1737{
1738 return index & 7;
1739}
1740
a6483b79 1741#ifdef CONFIG_XFRM
c7f87783 1742void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq);
adfc2fdb 1743int xfrm_replay_check(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
cfc61c59 1744void xfrm_replay_notify(struct xfrm_state *x, int event);
b5a1d1fe 1745int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb);
25cfb8bc 1746int xfrm_replay_recheck(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
cfc61c59 1747
a6483b79 1748static inline int xfrm_aevent_is_on(struct net *net)
f8cd5488 1749{
be33690d
PM		 1750 struct sock *nlsk;
1751 int ret = 0;
1752
1753 rcu_read_lock();
a6483b79 1754 nlsk = rcu_dereference(net->xfrm.nlsk);
be33690d
PM		 1755 if (nlsk)
1756 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1757 rcu_read_unlock();
1758 return ret;
f8cd5488 1759}
0f24558e
HG		 1760
1761static inline int xfrm_acquire_is_on(struct net *net)
1762{
1763 struct sock *nlsk;
1764 int ret = 0;
1765
1766 rcu_read_lock();
1767 nlsk = rcu_dereference(net->xfrm.nlsk);
1768 if (nlsk)
1769 ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE);
1770 rcu_read_unlock();
1771
1772 return ret;
1773}
a6483b79 1774#endif
f8cd5488 1775
373b8eeb 1776static inline unsigned int aead_len(struct xfrm_algo_aead *alg)
ee5c2317
SK		 1777{
1778 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1779}
1780
06cd22f8 1781static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg)
0f99be0d
ED		 1782{
1783 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1784}
1785
1bd963a7 1786static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
4447bb33
MW		 1787{
1788 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1789}
1790
5e708e47 1791static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
9736acf3
SK		 1792{
1793 return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1794}
1795
80c9abaa 1796#ifdef CONFIG_XFRM_MIGRATE
af2f464e
SK		 1797static inline int xfrm_replay_clone(struct xfrm_state *x,
1798 struct xfrm_state *orig)
1799{
91a46c6d
AA		 1800
1801 x->replay_esn = kmemdup(orig->replay_esn,
1802 xfrm_replay_state_esn_len(orig->replay_esn),
af2f464e
SK		 1803 GFP_KERNEL);
1804 if (!x->replay_esn)
1805 return -ENOMEM;
91a46c6d
AA		 1806 x->preplay_esn = kmemdup(orig->preplay_esn,
1807 xfrm_replay_state_esn_len(orig->preplay_esn),
af2f464e 1808 GFP_KERNEL);
91a46c6d 1809 if (!x->preplay_esn)
af2f464e 1810 return -ENOMEM;
af2f464e
SK		 1811
1812 return 0;
1813}
1814
ee5c2317
SK		 1815static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig)
1816{
1817 return kmemdup(orig, aead_len(orig), GFP_KERNEL);
1818}
1819
1820
80c9abaa
SS		 1821static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1822{
0f99be0d 1823 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
80c9abaa
SS		 1824}
1825
4447bb33
MW		 1826static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1827{
1828 return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1829}
1830
80c9abaa
SS		 1831static inline void xfrm_states_put(struct xfrm_state **states, int n)
1832{
1833 int i;
1834 for (i = 0; i < n; i++)
1835 xfrm_state_put(*(states + i));
1836}
1837
1838static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1839{
1840 int i;
1841 for (i = 0; i < n; i++)
1842 xfrm_state_delete(*(states + i));
1843}
1844#endif
f8cd5488 1845
def8b4fa 1846#ifdef CONFIG_XFRM
00501121
HX		 1847static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1848{
2294be0f
FW		 1849 struct sec_path *sp = skb_sec_path(skb);
1850
1851 return sp->xvec[sp->len - 1];
00501121 1852}
f53c7239
SK		 1853#endif
1854
54ef207a
SK		 1855static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
1856{
f53c7239 1857#ifdef CONFIG_XFRM
2294be0f 1858 struct sec_path *sp = skb_sec_path(skb);
54ef207a
SK		 1859
1860 if (!sp || !sp->olen || sp->len != sp->olen)
1861 return NULL;
1862
1863 return &sp->ovec[sp->olen - 1];
f53c7239
SK		 1864#else
1865 return NULL;
def8b4fa 1866#endif
f53c7239 1867}
00501121 1868
e9a441b6 1869void __init xfrm_dev_init(void);
b81f884a
HL		 1870
1871#ifdef CONFIG_XFRM_OFFLOAD
f53c7239
SK		 1872void xfrm_dev_resume(struct sk_buff *skb);
1873void xfrm_dev_backlog(struct softnet_data *sd);
1874struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again);
d77e38e6
SK		 1875int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
1876 struct xfrm_user_offload *xuo);
1877bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
1878
50bd870a
YE		 1879static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1880{
1881 struct xfrm_state_offload *xso = &x->xso;
1882
1883 if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn)
1884 xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
1885}
1886
f70f250a
SK		 1887static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1888{
1889 struct xfrm_state *x = dst->xfrm;
b6ca8bd5 1890 struct xfrm_dst *xdst;
f70f250a
SK		 1891
1892 if (!x || !x->type_offload)
1893 return false;
1894
b6ca8bd5 1895 xdst = (struct xfrm_dst *) dst;
2271d519
SK		 1896 if (!x->xso.offload_handle && !xdst->child->xfrm)
1897 return true;
0f6c480f 1898 if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) &&
b6ca8bd5 1899 !xdst->child->xfrm)
f70f250a
SK		 1900 return true;
1901
1902 return false;
1903}
1904
d77e38e6
SK		 1905static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1906{
1907 struct xfrm_state_offload *xso = &x->xso;
1908
1909 if (xso->dev)
1910 xso->dev->xfrmdev_ops->xdo_dev_state_delete(x);
1911}
1912
1913static inline void xfrm_dev_state_free(struct xfrm_state *x)
1914{
1915 struct xfrm_state_offload *xso = &x->xso;
77990464 1916 struct net_device *dev = xso->dev;
d77e38e6
SK		 1917
1918 if (dev && dev->xfrmdev_ops) {
7f05b467
SN		 1919 if (dev->xfrmdev_ops->xdo_dev_state_free)
1920 dev->xfrmdev_ops->xdo_dev_state_free(x);
d77e38e6 1921 xso->dev = NULL;
e1b539bd 1922 dev_put_track(dev, &xso->dev_tracker);
d77e38e6
SK		 1923 }
1924}
1925#else
f53c7239
SK		 1926static inline void xfrm_dev_resume(struct sk_buff *skb)
1927{
1928}
1929
1930static inline void xfrm_dev_backlog(struct softnet_data *sd)
1931{
1932}
1933
1934static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
f6e27114 1935{
3dca3f38 1936 return skb;
f6e27114
SK		 1937}
1938
d77e38e6
SK		 1939static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo)
1940{
1941 return 0;
1942}
1943
1944static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1945{
1946}
1947
1948static inline void xfrm_dev_state_free(struct xfrm_state *x)
1949{
1950}
1951
1952static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
1953{
1954 return false;
1955}
f70f250a 1956
50bd870a
YE		 1957static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1958{
1959}
1960
f70f250a
SK		 1961static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1962{
1963 return false;
1964}
d77e38e6
SK		 1965#endif
1966
bf825f81
JHS		 1967static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
1968{
1969 if (attrs[XFRMA_MARK])
4efd7e83 1970 memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
bf825f81
JHS		 1971 else
1972 m->v = m->m = 0;
1973
1974 return m->v & m->m;
1975}
1976
e3dfa389 1977static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
bf825f81 1978{
1d1e34dd 1979 int ret = 0;
bf825f81 1980
1d1e34dd
DM		 1981 if (m->m | m->v)
1982 ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
1983 return ret;
bf825f81
JHS		 1984}
1985
9b42c1f1
SK		 1986static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x)
1987{
1988 struct xfrm_mark *m = &x->props.smark;
1989
1990 return (m->v & m->m) | (mark & ~m->m);
1991}
1992
7e652640
SK		 1993static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id)
1994{
1995 int ret = 0;
1996
1997 if (if_id)
1998 ret = nla_put_u32(skb, XFRMA_IF_ID, if_id);
1999 return ret;
2000}
2001
70be6c91
SK		 2002static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
2003 unsigned int family)
2004{
2005 bool tunnel = false;
2006
2007 switch(family) {
2008 case AF_INET:
2009 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
2010 tunnel = true;
2011 break;
2012 case AF_INET6:
2013 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
2014 tunnel = true;
2015 break;
2016 }
c9500d7b 2017 if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL))
70be6c91
SK		 2018 return -EINVAL;
2019
2020 return 0;
2021}
ede64dd2 2022
5461fc0c 2023extern const int xfrm_msg_min[XFRM_NR_MSGTYPES];
5106f4a8 2024extern const struct nla_policy xfrma_policy[XFRMA_MAX+1];
5461fc0c 2025
c9e7c76d 2026struct xfrm_translator {
5461fc0c
DS		 2027 /* Allocate frag_list and put compat translation there */
2028 int (*alloc_compat)(struct sk_buff *skb, const struct nlmsghdr *src);
2029
5106f4a8
DS		 2030 /* Allocate nlmsg with 64-bit translaton of received 32-bit message */
2031 struct nlmsghdr *(*rcv_msg_compat)(const struct nlmsghdr *nlh,
2032 int maxtype, const struct nla_policy *policy,
2033 struct netlink_ext_ack *extack);
2034
96392ee5
DS		 2035 /* Translate 32-bit user_policy from sockptr */
2036 int (*xlate_user_policy_sockptr)(u8 **pdata32, int optlen);
2037
c9e7c76d
DS		 2038 struct module *owner;
2039};
2040
2041#if IS_ENABLED(CONFIG_XFRM_USER_COMPAT)
2042extern int xfrm_register_translator(struct xfrm_translator *xtr);
2043extern int xfrm_unregister_translator(struct xfrm_translator *xtr);
2044extern struct xfrm_translator *xfrm_get_translator(void);
2045extern void xfrm_put_translator(struct xfrm_translator *xtr);
2046#else
2047static inline struct xfrm_translator *xfrm_get_translator(void)
2048{
2049 return NULL;
2050}
2051static inline void xfrm_put_translator(struct xfrm_translator *xtr)
2052{
2053}
2054#endif
2055
ede64dd2
FW		 2056#if IS_ENABLED(CONFIG_IPV6)
2057static inline bool xfrm6_local_dontfrag(const struct sock *sk)
2058{
2059 int proto;
2060
2061 if (!sk || sk->sk_family != AF_INET6)
2062 return false;
2063
2064 proto = sk->sk_protocol;
2065 if (proto == IPPROTO_UDP || proto == IPPROTO_RAW)
2066 return inet6_sk(sk)->dontfrag;
2067
2068 return false;
2069}
2070#endif
1da177e4 2071#endif /* _NET_XFRM_H */
Linux 6.x block layer and io_uring tree(s)