projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[XFRM] STATE: Search by address using source address list.
[deliverable/linux.git] / include / net / xfrm.h
CommitLineData
1da177e4
LT		 1#ifndef _NET_XFRM_H
2#define _NET_XFRM_H
3
aabc9761 4#include <linux/compiler.h>
14c85021 5#include <linux/in.h>
1da177e4
LT		 6#include <linux/xfrm.h>
7#include <linux/spinlock.h>
8#include <linux/list.h>
9#include <linux/skbuff.h>
14c85021 10#include <linux/socket.h>
1da177e4 11#include <linux/pfkeyv2.h>
5794708f 12#include <linux/ipsec.h>
1da177e4 13#include <linux/in6.h>
4a3e2f71 14#include <linux/mutex.h>
1da177e4
LT		 15
16#include <net/sock.h>
17#include <net/dst.h>
18#include <net/route.h>
19#include <net/ipv6.h>
20#include <net/ip6_fib.h>
21
22#define XFRM_ALIGN8(len) (((len) + 7) & ~7)
b59f45d0
HX		 23#define MODULE_ALIAS_XFRM_MODE(family, encap) \
24 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
1da177e4 25
f8cd5488
JHS		 26extern struct sock *xfrm_nl;
27extern u32 sysctl_xfrm_aevent_etime;
28extern u32 sysctl_xfrm_aevent_rseqth;
29
4a3e2f71 30extern struct mutex xfrm_cfg_mutex;
1da177e4
LT		 31
32/* Organization of SPD aka "XFRM rules"
33 ------------------------------------
34
35 Basic objects:
36 - policy rule, struct xfrm_policy (=SPD entry)
37 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
38 - instance of a transformer, struct xfrm_state (=SA)
39 - template to clone xfrm_state, struct xfrm_tmpl
40
41 SPD is plain linear list of xfrm_policy rules, ordered by priority.
42 (To be compatible with existing pfkeyv2 implementations,
43 many rules with priority of 0x7fffffff are allowed to exist and
44 such rules are ordered in an unpredictable way, thanks to bsd folks.)
45
46 Lookup is plain linear search until the first match with selector.
47
48 If "action" is "block", then we prohibit the flow, otherwise:
49 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
50 policy entry has list of up to XFRM_MAX_DEPTH transformations,
51 described by templates xfrm_tmpl. Each template is resolved
52 to a complete xfrm_state (see below) and we pack bundle of transformations
53 to a dst_entry returned to requestor.
54
55 dst -. xfrm .-> xfrm_state #1
56 |---. child .-> dst -. xfrm .-> xfrm_state #2
57 |---. child .-> dst -. xfrm .-> xfrm_state #3
58 |---. child .-> NULL
59
60 Bundles are cached at xrfm_policy struct (field ->bundles).
61
62
63 Resolution of xrfm_tmpl
64 -----------------------
65 Template contains:
66 1. ->mode Mode: transport or tunnel
67 2. ->id.proto Protocol: AH/ESP/IPCOMP
68 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
69 Q: allow to resolve security gateway?
70 4. ->id.spi If not zero, static SPI.
71 5. ->saddr Local tunnel endpoint, ignored for transport mode.
72 6. ->algos List of allowed algos. Plain bitmask now.
73 Q: ealgos, aalgos, calgos. What a mess...
74 7. ->share Sharing mode.
75 Q: how to implement private sharing mode? To add struct sock* to
76 flow id?
77
78 Having this template we search through SAD searching for entries
79 with appropriate mode/proto/algo, permitted by selector.
80 If no appropriate entry found, it is requested from key manager.
81
82 PROBLEMS:
83 Q: How to find all the bundles referring to a physical path for
84 PMTU discovery? Seems, dst should contain list of all parents...
85 and enter to infinite locking hierarchy disaster.
86 No! It is easier, we will not search for them, let them find us.
87 We add genid to each dst plus pointer to genid of raw IP route,
88 pmtu disc will update pmtu on raw IP route and increase its genid.
89 dst_check() will see this for top level and trigger resyncing
90 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
91 */
92
93/* Full description of state of transformer. */
94struct xfrm_state
95{
96 /* Note: bydst is re-used during gc */
97 struct list_head bydst;
6c44e6b7 98 struct list_head bysrc;
1da177e4
LT		 99 struct list_head byspi;
100
101 atomic_t refcnt;
102 spinlock_t lock;
103
104 struct xfrm_id id;
105 struct xfrm_selector sel;
106
107 /* Key manger bits */
108 struct {
109 u8 state;
110 u8 dying;
111 u32 seq;
112 } km;
113
114 /* Parameters of this state. */
115 struct {
116 u32 reqid;
117 u8 mode;
118 u8 replay_window;
119 u8 aalgo, ealgo, calgo;
120 u8 flags;
121 u16 family;
122 xfrm_address_t saddr;
123 int header_len;
124 int trailer_len;
125 } props;
126
127 struct xfrm_lifetime_cfg lft;
128
129 /* Data for transformer */
130 struct xfrm_algo *aalg;
131 struct xfrm_algo *ealg;
132 struct xfrm_algo *calg;
133
134 /* Data for encapsulator */
135 struct xfrm_encap_tmpl *encap;
136
137 /* IPComp needs an IPIP tunnel for handling uncompressed packets */
138 struct xfrm_state *tunnel;
139
140 /* If a tunnel, number of users + 1 */
141 atomic_t tunnel_users;
142
143 /* State for replay detection */
144 struct xfrm_replay_state replay;
145
f8cd5488
JHS		 146 /* Replay detection state at the time we sent the last notification */
147 struct xfrm_replay_state preplay;
148
2717096a
JHS		 149 /* internal flag that only holds state for delayed aevent at the
150 * moment
151 */
152 u32 xflags;
153
f8cd5488
JHS		 154 /* Replay detection notification settings */
155 u32 replay_maxage;
156 u32 replay_maxdiff;
157
158 /* Replay detection notification timer */
159 struct timer_list rtimer;
160
1da177e4
LT		 161 /* Statistics */
162 struct xfrm_stats stats;
163
164 struct xfrm_lifetime_cur curlft;
165 struct timer_list timer;
166
167 /* Reference to data common to all the instances of this
168 * transformer. */
169 struct xfrm_type *type;
b59f45d0 170 struct xfrm_mode *mode;
1da177e4 171
df71837d
TJ		 172 /* Security context */
173 struct xfrm_sec_ctx *security;
174
1da177e4
LT		 175 /* Private data of this transformer, format is opaque,
176 * interpreted by xfrm_type methods. */
177 void *data;
178};
179
2717096a
JHS		 180/* xflags - make enum if more show up */
181#define XFRM_TIME_DEFER 1
182
1da177e4
LT		 183enum {
184 XFRM_STATE_VOID,
185 XFRM_STATE_ACQ,
186 XFRM_STATE_VALID,
187 XFRM_STATE_ERROR,
188 XFRM_STATE_EXPIRED,
189 XFRM_STATE_DEAD
190};
191
26b15dad
JHS		 192/* callback structure passed from either netlink or pfkey */
193struct km_event
194{
bf08867f
HX		 195 union {
196 u32 hard;
197 u32 proto;
198 u32 byid;
f8cd5488 199 u32 aevent;
bf08867f
HX		 200 } data;
201
26b15dad
JHS		 202 u32 seq;
203 u32 pid;
204 u32 event;
205};
206
1da177e4
LT		 207struct xfrm_type;
208struct xfrm_dst;
209struct xfrm_policy_afinfo {
210 unsigned short family;
73654d61 211 struct xfrm_type *type_map[IPPROTO_MAX];
b59f45d0 212 struct xfrm_mode *mode_map[XFRM_MODE_MAX];
1da177e4
LT		 213 struct dst_ops *dst_ops;
214 void (*garbage_collect)(void);
215 int (*dst_lookup)(struct xfrm_dst **dst, struct flowi *fl);
216 struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
217 int (*bundle_create)(struct xfrm_policy *policy,
218 struct xfrm_state **xfrm,
219 int nx,
220 struct flowi *fl,
221 struct dst_entry **dst_p);
222 void (*decode_session)(struct sk_buff *skb,
223 struct flowi *fl);
224};
225
226extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
227extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
26b15dad
JHS		 228extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
229extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
1da177e4
LT		 230#define XFRM_ACQ_EXPIRES 30
231
232struct xfrm_tmpl;
980ebd25 233extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
53bc6b4d
JHS		 234extern void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
235extern int __xfrm_state_delete(struct xfrm_state *x);
236
1da177e4
LT		 237struct xfrm_state_afinfo {
238 unsigned short family;
1da177e4 239 struct list_head *state_bydst;
6c44e6b7 240 struct list_head *state_bysrc;
1da177e4 241 struct list_head *state_byspi;
d094cd83 242 int (*init_flags)(struct xfrm_state *x);
1da177e4
LT		 243 void (*init_tempsel)(struct xfrm_state *x, struct flowi *fl,
244 struct xfrm_tmpl *tmpl,
245 xfrm_address_t *daddr, xfrm_address_t *saddr);
246 struct xfrm_state *(*state_lookup)(xfrm_address_t *daddr, u32 spi, u8 proto);
eb2971b6 247 struct xfrm_state *(*state_lookup_byaddr)(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto);
1da177e4
LT		 248 struct xfrm_state *(*find_acq)(u8 mode, u32 reqid, u8 proto,
249 xfrm_address_t *daddr, xfrm_address_t *saddr,
250 int create);
251};
252
253extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
254extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
255
256extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
257
1da177e4
LT		 258struct xfrm_type
259{
260 char *description;
261 struct module *owner;
262 __u8 proto;
263
72cb6962 264 int (*init_state)(struct xfrm_state *x);
1da177e4 265 void (*destructor)(struct xfrm_state *);
e695633e 266 int (*input)(struct xfrm_state *, struct sk_buff *skb);
1da177e4
LT		 267 int (*output)(struct xfrm_state *, struct sk_buff *pskb);
268 /* Estimate maximal size of result of transformation of a dgram */
269 u32 (*get_max_size)(struct xfrm_state *, int size);
270};
271
1da177e4
LT		 272extern int xfrm_register_type(struct xfrm_type *type, unsigned short family);
273extern int xfrm_unregister_type(struct xfrm_type *type, unsigned short family);
274extern struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family);
275extern void xfrm_put_type(struct xfrm_type *type);
276
b59f45d0
HX		 277struct xfrm_mode {
278 int (*input)(struct xfrm_state *x, struct sk_buff *skb);
279 int (*output)(struct sk_buff *skb);
280
281 struct module *owner;
282 unsigned int encap;
283};
284
285extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
286extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
287extern struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family);
288extern void xfrm_put_mode(struct xfrm_mode *mode);
289
1da177e4
LT		 290struct xfrm_tmpl
291{
292/* id in template is interpreted as:
293 * daddr - destination of tunnel, may be zero for transport mode.
294 * spi - zero to acquire spi. Not zero if spi is static, then
295 * daddr must be fixed too.
296 * proto - AH/ESP/IPCOMP
297 */
298 struct xfrm_id id;
299
300/* Source address of tunnel. Ignored, if it is not a tunnel. */
301 xfrm_address_t saddr;
302
303 __u32 reqid;
304
7e49e6de 305/* Mode: transport, tunnel etc. */
1da177e4
LT		 306 __u8 mode;
307
308/* Sharing mode: unique, this session only, this user only etc. */
309 __u8 share;
310
311/* May skip this transfomration if no SA is found */
312 __u8 optional;
313
314/* Bit mask of algos allowed for acquisition */
315 __u32 aalgos;
316 __u32 ealgos;
317 __u32 calgos;
318};
319
622dc828 320#define XFRM_MAX_DEPTH 6
1da177e4
LT		 321
322struct xfrm_policy
323{
324 struct xfrm_policy *next;
325 struct list_head list;
326
327 /* This lock only affects elements except for entry. */
328 rwlock_t lock;
329 atomic_t refcnt;
330 struct timer_list timer;
331
332 u32 priority;
333 u32 index;
334 struct xfrm_selector selector;
335 struct xfrm_lifetime_cfg lft;
336 struct xfrm_lifetime_cur curlft;
337 struct dst_entry *bundles;
338 __u16 family;
339 __u8 action;
340 __u8 flags;
341 __u8 dead;
342 __u8 xfrm_nr;
df71837d 343 struct xfrm_sec_ctx *security;
1da177e4
LT		 344 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
345};
346
f8cd5488
JHS		 347#define XFRM_KM_TIMEOUT 30
348/* which seqno */
349#define XFRM_REPLAY_SEQ 1
350#define XFRM_REPLAY_OSEQ 2
351#define XFRM_REPLAY_SEQ_MASK 3
352/* what happened */
353#define XFRM_REPLAY_UPDATE XFRM_AE_CR
354#define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
355
356/* default aevent timeout in units of 100ms */
357#define XFRM_AE_ETIME 10
358/* Async Event timer multiplier */
359#define XFRM_AE_ETH_M 10
360/* default seq threshold size */
361#define XFRM_AE_SEQT_SIZE 2
1da177e4
LT		 362
363struct xfrm_mgr
364{
365 struct list_head list;
366 char *id;
26b15dad 367 int (*notify)(struct xfrm_state *x, struct km_event *c);
1da177e4 368 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir);
cb969f07 369 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
1da177e4 370 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport);
26b15dad 371 int (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c);
1da177e4
LT		 372};
373
374extern int xfrm_register_km(struct xfrm_mgr *km);
375extern int xfrm_unregister_km(struct xfrm_mgr *km);
376
377
378extern struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2];
379
380static inline void xfrm_pol_hold(struct xfrm_policy *policy)
381{
382 if (likely(policy != NULL))
383 atomic_inc(&policy->refcnt);
384}
385
386extern void __xfrm_policy_destroy(struct xfrm_policy *policy);
387
388static inline void xfrm_pol_put(struct xfrm_policy *policy)
389{
390 if (atomic_dec_and_test(&policy->refcnt))
391 __xfrm_policy_destroy(policy);
392}
393
394#define XFRM_DST_HSIZE 1024
395
396static __inline__
397unsigned __xfrm4_dst_hash(xfrm_address_t *addr)
398{
399 unsigned h;
400 h = ntohl(addr->a4);
401 h = (h ^ (h>>16)) % XFRM_DST_HSIZE;
402 return h;
403}
404
405static __inline__
406unsigned __xfrm6_dst_hash(xfrm_address_t *addr)
407{
408 unsigned h;
409 h = ntohl(addr->a6[2]^addr->a6[3]);
410 h = (h ^ (h>>16)) % XFRM_DST_HSIZE;
411 return h;
412}
413
414static __inline__
415unsigned xfrm_dst_hash(xfrm_address_t *addr, unsigned short family)
416{
417 switch (family) {
418 case AF_INET:
419 return __xfrm4_dst_hash(addr);
420 case AF_INET6:
421 return __xfrm6_dst_hash(addr);
422 }
423 return 0;
424}
425
6c44e6b7
MN		 426static __inline__
427unsigned __xfrm4_src_hash(xfrm_address_t *addr)
428{
429 return __xfrm4_dst_hash(addr);
430}
431
432static __inline__
433unsigned __xfrm6_src_hash(xfrm_address_t *addr)
434{
435 return __xfrm6_dst_hash(addr);
436}
437
438static __inline__
439unsigned xfrm_src_hash(xfrm_address_t *addr, unsigned short family)
440{
441 switch (family) {
442 case AF_INET:
443 return __xfrm4_src_hash(addr);
444 case AF_INET6:
445 return __xfrm6_src_hash(addr);
446 }
447 return 0;
448}
449
1da177e4
LT		 450static __inline__
451unsigned __xfrm4_spi_hash(xfrm_address_t *addr, u32 spi, u8 proto)
452{
453 unsigned h;
454 h = ntohl(addr->a4^spi^proto);
455 h = (h ^ (h>>10) ^ (h>>20)) % XFRM_DST_HSIZE;
456 return h;
457}
458
459static __inline__
460unsigned __xfrm6_spi_hash(xfrm_address_t *addr, u32 spi, u8 proto)
461{
462 unsigned h;
463 h = ntohl(addr->a6[2]^addr->a6[3]^spi^proto);
464 h = (h ^ (h>>10) ^ (h>>20)) % XFRM_DST_HSIZE;
465 return h;
466}
467
468static __inline__
469unsigned xfrm_spi_hash(xfrm_address_t *addr, u32 spi, u8 proto, unsigned short family)
470{
471 switch (family) {
472 case AF_INET:
473 return __xfrm4_spi_hash(addr, spi, proto);
474 case AF_INET6:
475 return __xfrm6_spi_hash(addr, spi, proto);
476 }
477 return 0; /*XXX*/
478}
479
480extern void __xfrm_state_destroy(struct xfrm_state *);
481
21380b81
HX		 482static inline void __xfrm_state_put(struct xfrm_state *x)
483{
484 atomic_dec(&x->refcnt);
485}
486
1da177e4
LT		 487static inline void xfrm_state_put(struct xfrm_state *x)
488{
489 if (atomic_dec_and_test(&x->refcnt))
490 __xfrm_state_destroy(x);
491}
492
493static inline void xfrm_state_hold(struct xfrm_state *x)
494{
495 atomic_inc(&x->refcnt);
496}
497
498static __inline__ int addr_match(void *token1, void *token2, int prefixlen)
499{
500 __u32 *a1 = token1;
501 __u32 *a2 = token2;
502 int pdw;
503 int pbi;
504
505 pdw = prefixlen >> 5; /* num of whole __u32 in prefix */
506 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
507
508 if (pdw)
509 if (memcmp(a1, a2, pdw << 2))
510 return 0;
511
512 if (pbi) {
513 __u32 mask;
514
515 mask = htonl((0xffffffff) << (32 - pbi));
516
517 if ((a1[pdw] ^ a2[pdw]) & mask)
518 return 0;
519 }
520
521 return 1;
522}
523
524static __inline__
525u16 xfrm_flowi_sport(struct flowi *fl)
526{
527 u16 port;
528 switch(fl->proto) {
529 case IPPROTO_TCP:
530 case IPPROTO_UDP:
531 case IPPROTO_SCTP:
532 port = fl->fl_ip_sport;
533 break;
534 case IPPROTO_ICMP:
535 case IPPROTO_ICMPV6:
536 port = htons(fl->fl_icmp_type);
537 break;
538 default:
539 port = 0; /*XXX*/
540 }
541 return port;
542}
543
544static __inline__
545u16 xfrm_flowi_dport(struct flowi *fl)
546{
547 u16 port;
548 switch(fl->proto) {
549 case IPPROTO_TCP:
550 case IPPROTO_UDP:
551 case IPPROTO_SCTP:
552 port = fl->fl_ip_dport;
553 break;
554 case IPPROTO_ICMP:
555 case IPPROTO_ICMPV6:
556 port = htons(fl->fl_icmp_code);
557 break;
558 default:
559 port = 0; /*XXX*/
560 }
561 return port;
562}
563
564static inline int
565__xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl)
566{
567 return addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) &&
568 addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) &&
569 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
570 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
571 (fl->proto == sel->proto || !sel->proto) &&
572 (fl->oif == sel->ifindex || !sel->ifindex);
573}
574
575static inline int
576__xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl)
577{
578 return addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) &&
579 addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) &&
580 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
581 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
582 (fl->proto == sel->proto || !sel->proto) &&
583 (fl->oif == sel->ifindex || !sel->ifindex);
584}
585
586static inline int
587xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
588 unsigned short family)
589{
590 switch (family) {
591 case AF_INET:
592 return __xfrm4_selector_match(sel, fl);
593 case AF_INET6:
594 return __xfrm6_selector_match(sel, fl);
595 }
596 return 0;
597}
598
df71837d
TJ		 599#ifdef CONFIG_SECURITY_NETWORK_XFRM
600/* If neither has a context --> match
601 * Otherwise, both must have a context and the sids, doi, alg must match
602 */
603static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
604{
605 return ((!s1 && !s2) ||
606 (s1 && s2 &&
607 (s1->ctx_sid == s2->ctx_sid) &&
608 (s1->ctx_doi == s2->ctx_doi) &&
609 (s1->ctx_alg == s2->ctx_alg)));
610}
611#else
612static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
613{
614 return 1;
615}
616#endif
617
1da177e4
LT		 618/* A struct encoding bundle of transformations to apply to some set of flow.
619 *
620 * dst->child points to the next element of bundle.
621 * dst->xfrm points to an instanse of transformer.
622 *
623 * Due to unfortunate limitations of current routing cache, which we
624 * have no time to fix, it mirrors struct rtable and bound to the same
625 * routing key, including saddr,daddr. However, we can have many of
626 * bundles differing by session id. All the bundles grow from a parent
627 * policy rule.
628 */
629struct xfrm_dst
630{
631 union {
632 struct xfrm_dst *next;
633 struct dst_entry dst;
634 struct rtable rt;
635 struct rt6_info rt6;
636 } u;
637 struct dst_entry *route;
638 u32 route_mtu_cached;
639 u32 child_mtu_cached;
92d63dec
HY		 640 u32 route_cookie;
641 u32 path_cookie;
1da177e4
LT		 642};
643
aabc9761
HX		 644static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
645{
646 dst_release(xdst->route);
647 if (likely(xdst->u.dst.xfrm))
648 xfrm_state_put(xdst->u.dst.xfrm);
649}
650
651extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
652
1da177e4
LT		 653struct sec_path
654{
655 atomic_t refcnt;
656 int len;
dbe5b4aa 657 struct xfrm_state *xvec[XFRM_MAX_DEPTH];
1da177e4
LT		 658};
659
660static inline struct sec_path *
661secpath_get(struct sec_path *sp)
662{
663 if (sp)
664 atomic_inc(&sp->refcnt);
665 return sp;
666}
667
668extern void __secpath_destroy(struct sec_path *sp);
669
670static inline void
671secpath_put(struct sec_path *sp)
672{
673 if (sp && atomic_dec_and_test(&sp->refcnt))
674 __secpath_destroy(sp);
675}
676
677extern struct sec_path *secpath_dup(struct sec_path *src);
678
679static inline void
680secpath_reset(struct sk_buff *skb)
681{
682#ifdef CONFIG_XFRM
683 secpath_put(skb->sp);
684 skb->sp = NULL;
685#endif
686}
687
688static inline int
689__xfrm4_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
690{
691 return (tmpl->saddr.a4 &&
692 tmpl->saddr.a4 != x->props.saddr.a4);
693}
694
695static inline int
696__xfrm6_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
697{
698 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
699 ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
700}
701
702static inline int
703xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family)
704{
705 switch (family) {
706 case AF_INET:
707 return __xfrm4_state_addr_cmp(tmpl, x);
708 case AF_INET6:
709 return __xfrm6_state_addr_cmp(tmpl, x);
710 }
711 return !0;
712}
713
714#ifdef CONFIG_XFRM
715
716extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
717
718static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
719{
720 if (sk && sk->sk_policy[XFRM_POLICY_IN])
721 return __xfrm_policy_check(sk, dir, skb, family);
722
723 return (!xfrm_policy_list[dir] && !skb->sp) ||
724 (skb->dst->flags & DST_NOPOLICY) ||
725 __xfrm_policy_check(sk, dir, skb, family);
726}
727
728static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
729{
730 return xfrm_policy_check(sk, dir, skb, AF_INET);
731}
732
733static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
734{
735 return xfrm_policy_check(sk, dir, skb, AF_INET6);
736}
737
3e3850e9 738extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family);
1da177e4
LT		 739extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
740
741static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
742{
743 return !xfrm_policy_list[XFRM_POLICY_OUT] ||
744 (skb->dst->flags & DST_NOXFRM) ||
745 __xfrm_route_forward(skb, family);
746}
747
748static inline int xfrm4_route_forward(struct sk_buff *skb)
749{
750 return xfrm_route_forward(skb, AF_INET);
751}
752
753static inline int xfrm6_route_forward(struct sk_buff *skb)
754{
755 return xfrm_route_forward(skb, AF_INET6);
756}
757
758extern int __xfrm_sk_clone_policy(struct sock *sk);
759
760static inline int xfrm_sk_clone_policy(struct sock *sk)
761{
762 if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
763 return __xfrm_sk_clone_policy(sk);
764 return 0;
765}
766
4666faab 767extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1da177e4
LT		 768
769static inline void xfrm_sk_free_policy(struct sock *sk)
770{
771 if (unlikely(sk->sk_policy[0] != NULL)) {
772 xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
773 sk->sk_policy[0] = NULL;
774 }
775 if (unlikely(sk->sk_policy[1] != NULL)) {
776 xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
777 sk->sk_policy[1] = NULL;
778 }
779}
780
781#else
782
783static inline void xfrm_sk_free_policy(struct sock *sk) {}
784static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
785static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
786static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
787static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
788{
789 return 1;
790}
791static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
792{
793 return 1;
794}
795static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
796{
797 return 1;
798}
799#endif
800
801static __inline__
802xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
803{
804 switch (family){
805 case AF_INET:
806 return (xfrm_address_t *)&fl->fl4_dst;
807 case AF_INET6:
808 return (xfrm_address_t *)&fl->fl6_dst;
809 }
810 return NULL;
811}
812
813static __inline__
814xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family)
815{
816 switch (family){
817 case AF_INET:
818 return (xfrm_address_t *)&fl->fl4_src;
819 case AF_INET6:
820 return (xfrm_address_t *)&fl->fl6_src;
821 }
822 return NULL;
823}
824
825static __inline__ int
826__xfrm4_state_addr_check(struct xfrm_state *x,
827 xfrm_address_t *daddr, xfrm_address_t *saddr)
828{
829 if (daddr->a4 == x->id.daddr.a4 &&
830 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
831 return 1;
832 return 0;
833}
834
835static __inline__ int
836__xfrm6_state_addr_check(struct xfrm_state *x,
837 xfrm_address_t *daddr, xfrm_address_t *saddr)
838{
839 if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
840 (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)||
841 ipv6_addr_any((struct in6_addr *)saddr) ||
842 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
843 return 1;
844 return 0;
845}
846
847static __inline__ int
848xfrm_state_addr_check(struct xfrm_state *x,
849 xfrm_address_t *daddr, xfrm_address_t *saddr,
850 unsigned short family)
851{
852 switch (family) {
853 case AF_INET:
854 return __xfrm4_state_addr_check(x, daddr, saddr);
855 case AF_INET6:
856 return __xfrm6_state_addr_check(x, daddr, saddr);
857 }
858 return 0;
859}
860
861static inline int xfrm_state_kern(struct xfrm_state *x)
862{
863 return atomic_read(&x->tunnel_users);
864}
865
5794708f
MN		 866static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
867{
dc00a525
MN		 868 return (!userproto || proto == userproto ||
869 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
870 proto == IPPROTO_ESP ||
871 proto == IPPROTO_COMP)));
5794708f
MN		 872}
873
1da177e4
LT		 874/*
875 * xfrm algorithm information
876 */
877struct xfrm_algo_auth_info {
878 u16 icv_truncbits;
879 u16 icv_fullbits;
880};
881
882struct xfrm_algo_encr_info {
883 u16 blockbits;
884 u16 defkeybits;
885};
886
887struct xfrm_algo_comp_info {
888 u16 threshold;
889};
890
891struct xfrm_algo_desc {
892 char *name;
04ff1260 893 char *compat;
1da177e4
LT		 894 u8 available:1;
895 union {
896 struct xfrm_algo_auth_info auth;
897 struct xfrm_algo_encr_info encr;
898 struct xfrm_algo_comp_info comp;
899 } uinfo;
900 struct sadb_alg desc;
901};
902
903/* XFRM tunnel handlers. */
904struct xfrm_tunnel {
905 int (*handler)(struct sk_buff *skb);
d2acc347
HX		 906 int (*err_handler)(struct sk_buff *skb, __u32 info);
907
908 struct xfrm_tunnel *next;
909 int priority;
1da177e4
LT		 910};
911
912struct xfrm6_tunnel {
d2acc347
HX		 913 int (*handler)(struct sk_buff *skb);
914 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
915 int type, int code, int offset, __u32 info);
916
917 struct xfrm6_tunnel *next;
918 int priority;
1da177e4
LT		 919};
920
921extern void xfrm_init(void);
922extern void xfrm4_init(void);
923extern void xfrm6_init(void);
924extern void xfrm6_fini(void);
925extern void xfrm_state_init(void);
926extern void xfrm4_state_init(void);
1da177e4
LT		 927extern void xfrm6_state_init(void);
928extern void xfrm6_state_fini(void);
929
930extern int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*), void *);
931extern struct xfrm_state *xfrm_state_alloc(void);
932extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
933 struct flowi *fl, struct xfrm_tmpl *tmpl,
934 struct xfrm_policy *pol, int *err,
935 unsigned short family);
936extern int xfrm_state_check_expire(struct xfrm_state *x);
937extern void xfrm_state_insert(struct xfrm_state *x);
938extern int xfrm_state_add(struct xfrm_state *x);
939extern int xfrm_state_update(struct xfrm_state *x);
940extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, u32 spi, u8 proto, unsigned short family);
eb2971b6 941extern struct xfrm_state *xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family);
1da177e4 942extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq);
26b15dad 943extern int xfrm_state_delete(struct xfrm_state *x);
1da177e4
LT		 944extern void xfrm_state_flush(u8 proto);
945extern int xfrm_replay_check(struct xfrm_state *x, u32 seq);
946extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq);
f8cd5488 947extern void xfrm_replay_notify(struct xfrm_state *x, int event);
1da177e4
LT		 948extern int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb);
949extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
72cb6962 950extern int xfrm_init_state(struct xfrm_state *x);
1da177e4
LT		 951extern int xfrm4_rcv(struct sk_buff *skb);
952extern int xfrm4_output(struct sk_buff *skb);
953extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler);
954extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler);
d2acc347 955extern int xfrm6_rcv_spi(struct sk_buff *skb, u32 spi);
951dbc8a 956extern int xfrm6_rcv(struct sk_buff **pskb);
1da177e4
LT		 957extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler);
958extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler);
959extern u32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);
960extern void xfrm6_tunnel_free_spi(xfrm_address_t *saddr);
961extern u32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr);
962extern int xfrm6_output(struct sk_buff *skb);
963
964#ifdef CONFIG_XFRM
965extern int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type);
966extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
967extern int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family);
968#else
969static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
970{
971 return -ENOPROTOOPT;
972}
973
974static inline int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
975{
976 /* should not happen */
977 kfree_skb(skb);
978 return 0;
979}
980static inline int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family)
981{
982 return -EINVAL;
983}
984#endif
985
dd0fc66f 986struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
1da177e4
LT		 987extern int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*), void *);
988int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
df71837d
TJ		 989struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel,
990 struct xfrm_sec_ctx *ctx, int delete);
1da177e4
LT		 991struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete);
992void xfrm_policy_flush(void);
993u32 xfrm_get_acqseq(void);
994void xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
995struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
996 xfrm_address_t *daddr, xfrm_address_t *saddr,
997 int create, unsigned short family);
998extern void xfrm_policy_flush(void);
999extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1000extern int xfrm_flush_bundles(void);
399c180a 1001extern void xfrm_flush_all_bundles(void);
1da177e4
LT		 1002extern int xfrm_bundle_ok(struct xfrm_dst *xdst, struct flowi *fl, int family);
1003extern void xfrm_init_pmtu(struct dst_entry *dst);
1004
1005extern wait_queue_head_t km_waitq;
1006extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport);
6c5c8ca7 1007extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid);
1da177e4
LT		 1008
1009extern void xfrm_input_init(void);
1010extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi, u32 *seq);
1011
1012extern void xfrm_probe_algs(void);
1013extern int xfrm_count_auth_supported(void);
1014extern int xfrm_count_enc_supported(void);
1015extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1016extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1017extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1018extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1019extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1020extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe);
1021extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe);
1022extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe);
1023
07d4ee58 1024struct hash_desc;
9409f38a 1025struct scatterlist;
07d4ee58
HX		 1026typedef int (icv_update_fn_t)(struct hash_desc *, struct scatterlist *,
1027 unsigned int);
1da177e4 1028
07d4ee58
HX		 1029extern int skb_icv_walk(const struct sk_buff *skb, struct hash_desc *tfm,
1030 int offset, int len, icv_update_fn_t icv_update);
1da177e4
LT		 1031
1032static inline int xfrm_addr_cmp(xfrm_address_t *a, xfrm_address_t *b,
1033 int family)
1034{
1035 switch (family) {
1036 default:
1037 case AF_INET:
1038 return a->a4 - b->a4;
1039 case AF_INET6:
1040 return ipv6_addr_cmp((struct in6_addr *)a,
1041 (struct in6_addr *)b);
1042 }
1043}
1044
77d8d7a6
HX		 1045static inline int xfrm_policy_id2dir(u32 index)
1046{
1047 return index & 7;
1048}
1049
f8cd5488
JHS		 1050static inline int xfrm_aevent_is_on(void)
1051{
be33690d
PM		 1052 struct sock *nlsk;
1053 int ret = 0;
1054
1055 rcu_read_lock();
1056 nlsk = rcu_dereference(xfrm_nl);
1057 if (nlsk)
1058 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1059 rcu_read_unlock();
1060 return ret;
f8cd5488
JHS		 1061}
1062
1063static inline void xfrm_aevent_doreplay(struct xfrm_state *x)
1064{
1065 if (xfrm_aevent_is_on())
1066 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1067}
1068
1069
1da177e4 1070#endif /* _NET_XFRM_H */
Linux kernel - Deliverables
This page took 0.226659 seconds and 5 git commands to generate.