1 /* SPDX-License-Identifier: GPL-2.0 */
5 #include <linux/compiler.h>
6 #include <linux/xfrm.h>
7 #include <linux/spinlock.h>
8 #include <linux/list.h>
9 #include <linux/skbuff.h>
10 #include <linux/socket.h>
11 #include <linux/pfkeyv2.h>
12 #include <linux/ipsec.h>
13 #include <linux/in6.h>
14 #include <linux/mutex.h>
15 #include <linux/audit.h>
16 #include <linux/slab.h>
17 #include <linux/refcount.h>
18 #include <linux/sockptr.h>
23 #include <net/route.h>
25 #include <net/ip6_fib.h>
27 #include <net/gro_cells.h>
29 #include <linux/interrupt.h>
31 #ifdef CONFIG_XFRM_STATISTICS
35 #define XFRM_PROTO_ESP 50
36 #define XFRM_PROTO_AH 51
37 #define XFRM_PROTO_COMP 108
38 #define XFRM_PROTO_IPIP 4
39 #define XFRM_PROTO_IPV6 41
40 #define XFRM_PROTO_ROUTING IPPROTO_ROUTING
41 #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS
43 #define XFRM_ALIGN4(len) (((len) + 3) & ~3)
44 #define XFRM_ALIGN8(len) (((len) + 7) & ~7)
45 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
46 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
47 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
48 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
49 #define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \
50 MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto))
52 #ifdef CONFIG_XFRM_STATISTICS
53 #define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
54 #define XFRM_ADD_STATS(net, field, val) SNMP_ADD_STATS((net)->mib.xfrm_statistics, field, val)
56 #define XFRM_INC_STATS(net, field) ((void)(net))
57 #define XFRM_ADD_STATS(net, field, val) ((void)(net))
61 /* Organization of SPD aka "XFRM rules"
62 ------------------------------------
65 - policy rule, struct xfrm_policy (=SPD entry)
66 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
67 - instance of a transformer, struct xfrm_state (=SA)
68 - template to clone xfrm_state, struct xfrm_tmpl
70 SPD is plain linear list of xfrm_policy rules, ordered by priority.
71 (To be compatible with existing pfkeyv2 implementations,
72 many rules with priority of 0x7fffffff are allowed to exist and
73 such rules are ordered in an unpredictable way, thanks to bsd folks.)
75 Lookup is plain linear search until the first match with selector.
77 If "action" is "block", then we prohibit the flow, otherwise:
78 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
79 policy entry has list of up to XFRM_MAX_DEPTH transformations,
80 described by templates xfrm_tmpl. Each template is resolved
81 to a complete xfrm_state (see below) and we pack bundle of transformations
82 to a dst_entry returned to requestor.
84 dst -. xfrm .-> xfrm_state #1
85 |---. child .-> dst -. xfrm .-> xfrm_state #2
86 |---. child .-> dst -. xfrm .-> xfrm_state #3
89 Bundles are cached at xrfm_policy struct (field ->bundles).
92 Resolution of xrfm_tmpl
93 -----------------------
95 1. ->mode Mode: transport or tunnel
96 2. ->id.proto Protocol: AH/ESP/IPCOMP
97 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
98 Q: allow to resolve security gateway?
99 4. ->id.spi If not zero, static SPI.
100 5. ->saddr Local tunnel endpoint, ignored for transport mode.
101 6. ->algos List of allowed algos. Plain bitmask now.
102 Q: ealgos, aalgos, calgos. What a mess...
103 7. ->share Sharing mode.
104 Q: how to implement private sharing mode? To add struct sock* to
107 Having this template we search through SAD searching for entries
108 with appropriate mode/proto/algo, permitted by selector.
109 If no appropriate entry found, it is requested from key manager.
112 Q: How to find all the bundles referring to a physical path for
113 PMTU discovery? Seems, dst should contain list of all parents...
114 and enter to infinite locking hierarchy disaster.
115 No! It is easier, we will not search for them, let them find us.
116 We add genid to each dst plus pointer to genid of raw IP route,
117 pmtu disc will update pmtu on raw IP route and increase its genid.
118 dst_check() will see this for top level and trigger resyncing
119 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
122 struct xfrm_state_walk {
123 struct list_head all;
128 struct xfrm_address_filter *filter;
132 XFRM_DEV_OFFLOAD_IN = 1,
133 XFRM_DEV_OFFLOAD_OUT,
134 XFRM_DEV_OFFLOAD_FWD,
138 XFRM_DEV_OFFLOAD_UNSPECIFIED,
139 XFRM_DEV_OFFLOAD_CRYPTO,
140 XFRM_DEV_OFFLOAD_PACKET,
144 XFRM_DEV_OFFLOAD_FLAG_ACQ = 1,
147 struct xfrm_dev_offload {
148 struct net_device *dev;
149 netdevice_tracker dev_tracker;
150 struct net_device *real_dev;
151 unsigned long offload_handle;
163 /* Flags for xfrm_mode. */
165 XFRM_MODE_FLAG_TUNNEL = 1,
168 enum xfrm_replay_mode {
169 XFRM_REPLAY_MODE_LEGACY,
170 XFRM_REPLAY_MODE_BMP,
171 XFRM_REPLAY_MODE_ESN,
174 /* Full description of state of transformer. */
176 possible_net_t xs_net;
178 struct hlist_node gclist;
179 struct hlist_node bydst;
181 struct hlist_node bysrc;
182 struct hlist_node byspi;
183 struct hlist_node byseq;
189 struct xfrm_selector sel;
190 struct xfrm_mark mark;
196 /* Key manager bits */
197 struct xfrm_state_walk km;
199 /* Parameters of this state. */
204 u8 aalgo, ealgo, calgo;
207 xfrm_address_t saddr;
211 struct xfrm_mark smark;
214 struct xfrm_lifetime_cfg lft;
216 /* Data for transformer */
217 struct xfrm_algo_auth *aalg;
218 struct xfrm_algo *ealg;
219 struct xfrm_algo *calg;
220 struct xfrm_algo_aead *aead;
223 /* mapping change rate limiting */
224 __be16 new_mapping_sport;
225 u32 new_mapping; /* seconds */
226 u32 mapping_maxage; /* seconds for input SA */
228 /* Data for encapsulator */
229 struct xfrm_encap_tmpl *encap;
230 struct sock __rcu *encap_sk;
232 /* Data for care-of address */
233 xfrm_address_t *coaddr;
235 /* IPComp needs an IPIP tunnel for handling uncompressed packets */
236 struct xfrm_state *tunnel;
238 /* If a tunnel, number of users + 1 */
239 atomic_t tunnel_users;
241 /* State for replay detection */
242 struct xfrm_replay_state replay;
243 struct xfrm_replay_state_esn *replay_esn;
245 /* Replay detection state at the time we sent the last notification */
246 struct xfrm_replay_state preplay;
247 struct xfrm_replay_state_esn *preplay_esn;
249 /* replay detection mode */
250 enum xfrm_replay_mode repl_mode;
251 /* internal flag that only holds state for delayed aevent at the
256 /* Replay detection notification settings */
260 /* Replay detection notification timer */
261 struct timer_list rtimer;
264 struct xfrm_stats stats;
266 struct xfrm_lifetime_cur curlft;
267 struct hrtimer mtimer;
269 struct xfrm_dev_offload xso;
271 /* used to fix curlft->add_time when changing date */
277 struct page_frag xfrag;
279 /* Reference to data common to all the instances of this
281 const struct xfrm_type *type;
282 struct xfrm_mode inner_mode;
283 struct xfrm_mode inner_mode_iaf;
284 struct xfrm_mode outer_mode;
286 const struct xfrm_type_offload *type_offload;
288 /* Security context */
289 struct xfrm_sec_ctx *security;
291 /* Private data of this transformer, format is opaque,
292 * interpreted by xfrm_type methods. */
296 static inline struct net *xs_net(struct xfrm_state *x)
298 return read_pnet(&x->xs_net);
301 /* xflags - make enum if more show up */
302 #define XFRM_TIME_DEFER 1
303 #define XFRM_SOFT_EXPIRE 2
314 /* callback structure passed from either netlink or pfkey */
330 struct xfrm_if_decode_session_result {
336 bool (*decode_session)(struct sk_buff *skb,
337 unsigned short family,
338 struct xfrm_if_decode_session_result *res);
341 void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb);
342 void xfrm_if_unregister_cb(void);
347 struct xfrm_policy_afinfo {
348 struct dst_ops *dst_ops;
349 struct dst_entry *(*dst_lookup)(struct net *net,
351 const xfrm_address_t *saddr,
352 const xfrm_address_t *daddr,
354 int (*get_saddr)(struct net *net, int oif,
355 xfrm_address_t *saddr,
356 xfrm_address_t *daddr,
358 int (*fill_dst)(struct xfrm_dst *xdst,
359 struct net_device *dev,
360 const struct flowi *fl);
361 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
364 int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family);
365 void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo);
366 void km_policy_notify(struct xfrm_policy *xp, int dir,
367 const struct km_event *c);
368 void km_state_notify(struct xfrm_state *x, const struct km_event *c);
371 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t,
372 struct xfrm_policy *pol);
373 void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
374 int __xfrm_state_delete(struct xfrm_state *x);
376 struct xfrm_state_afinfo {
380 const struct xfrm_type_offload *type_offload_esp;
382 const struct xfrm_type *type_esp;
383 const struct xfrm_type *type_ipip;
384 const struct xfrm_type *type_ipip6;
385 const struct xfrm_type *type_comp;
386 const struct xfrm_type *type_ah;
387 const struct xfrm_type *type_routing;
388 const struct xfrm_type *type_dstopts;
390 int (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
391 int (*transport_finish)(struct sk_buff *skb,
393 void (*local_error)(struct sk_buff *skb, u32 mtu);
396 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
397 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
398 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
399 struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family);
401 struct xfrm_input_afinfo {
404 int (*callback)(struct sk_buff *skb, u8 protocol,
408 int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
409 int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
411 void xfrm_flush_gc(void);
412 void xfrm_state_delete_tunnel(struct xfrm_state *x);
415 struct module *owner;
418 #define XFRM_TYPE_NON_FRAGMENT 1
419 #define XFRM_TYPE_REPLAY_PROT 2
420 #define XFRM_TYPE_LOCAL_COADDR 4
421 #define XFRM_TYPE_REMOTE_COADDR 8
423 int (*init_state)(struct xfrm_state *x,
424 struct netlink_ext_ack *extack);
425 void (*destructor)(struct xfrm_state *);
426 int (*input)(struct xfrm_state *, struct sk_buff *skb);
427 int (*output)(struct xfrm_state *, struct sk_buff *pskb);
428 int (*reject)(struct xfrm_state *, struct sk_buff *,
429 const struct flowi *);
432 int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
433 void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
435 struct xfrm_type_offload {
436 struct module *owner;
438 void (*encap)(struct xfrm_state *, struct sk_buff *pskb);
439 int (*input_tail)(struct xfrm_state *x, struct sk_buff *skb);
440 int (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features);
443 int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);
444 void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);
446 static inline int xfrm_af2proto(unsigned int family)
458 static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
460 if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
461 (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
462 return &x->inner_mode;
464 return &x->inner_mode_iaf;
468 /* id in template is interpreted as:
469 * daddr - destination of tunnel, may be zero for transport mode.
470 * spi - zero to acquire spi. Not zero if spi is static, then
471 * daddr must be fixed too.
472 * proto - AH/ESP/IPCOMP
476 /* Source address of tunnel. Ignored, if it is not a tunnel. */
477 xfrm_address_t saddr;
479 unsigned short encap_family;
483 /* Mode: transport, tunnel etc. */
486 /* Sharing mode: unique, this session only, this user only etc. */
489 /* May skip this transfomration if no SA is found */
492 /* Skip aalgos/ealgos/calgos checks. */
495 /* Bit mask of algos allowed for acquisition */
501 #define XFRM_MAX_DEPTH 6
502 #define XFRM_MAX_OFFLOAD_DEPTH 1
504 struct xfrm_policy_walk_entry {
505 struct list_head all;
509 struct xfrm_policy_walk {
510 struct xfrm_policy_walk_entry walk;
515 struct xfrm_policy_queue {
516 struct sk_buff_head hold_queue;
517 struct timer_list hold_timer;
518 unsigned long timeout;
522 possible_net_t xp_net;
523 struct hlist_node bydst;
524 struct hlist_node byidx;
526 /* This lock only affects elements except for entry. */
530 struct timer_list timer;
536 struct xfrm_mark mark;
537 struct xfrm_selector selector;
538 struct xfrm_lifetime_cfg lft;
539 struct xfrm_lifetime_cur curlft;
540 struct xfrm_policy_walk_entry walk;
541 struct xfrm_policy_queue polq;
548 struct xfrm_sec_ctx *security;
549 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
550 struct hlist_node bydst_inexact_list;
553 struct xfrm_dev_offload xdo;
556 static inline struct net *xp_net(const struct xfrm_policy *xp)
558 return read_pnet(&xp->xp_net);
561 struct xfrm_kmaddress {
562 xfrm_address_t local;
563 xfrm_address_t remote;
568 struct xfrm_migrate {
569 xfrm_address_t old_daddr;
570 xfrm_address_t old_saddr;
571 xfrm_address_t new_daddr;
572 xfrm_address_t new_saddr;
581 #define XFRM_KM_TIMEOUT 30
583 #define XFRM_REPLAY_UPDATE XFRM_AE_CR
584 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
586 /* default aevent timeout in units of 100ms */
587 #define XFRM_AE_ETIME 10
588 /* Async Event timer multiplier */
589 #define XFRM_AE_ETH_M 10
590 /* default seq threshold size */
591 #define XFRM_AE_SEQT_SIZE 2
594 struct list_head list;
595 int (*notify)(struct xfrm_state *x, const struct km_event *c);
596 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
597 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
598 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
599 int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
600 int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
601 int (*migrate)(const struct xfrm_selector *sel,
603 const struct xfrm_migrate *m,
605 const struct xfrm_kmaddress *k,
606 const struct xfrm_encap_tmpl *encap);
607 bool (*is_alive)(const struct km_event *c);
610 void xfrm_register_km(struct xfrm_mgr *km);
611 void xfrm_unregister_km(struct xfrm_mgr *km);
613 struct xfrm_tunnel_skb_cb {
615 struct inet_skb_parm h4;
616 struct inet6_skb_parm h6;
620 struct ip_tunnel *ip4;
625 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
628 * This structure is used for the duration where packets are being
629 * transformed by IPsec. As soon as the packet leaves IPsec the
630 * area beyond the generic IP part may be overwritten.
633 struct xfrm_tunnel_skb_cb header;
635 /* Sequence number for replay protection. */
648 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
651 * This structure is used by the afinfo prepare_input/prepare_output functions
652 * to transmit header information to the mode input/output functions.
654 struct xfrm_mode_skb_cb {
655 struct xfrm_tunnel_skb_cb header;
657 /* Copied from header for IPv4, always set to zero and DF for IPv6. */
661 /* IP header length (excluding options or extension headers). */
664 /* TOS for IPv4, class for IPv6. */
667 /* TTL for IPv4, hop limitfor IPv6. */
670 /* Protocol for IPv4, NH for IPv6. */
673 /* Option length for IPv4, zero for IPv6. */
676 /* Used by IPv6 only, zero for IPv4. */
680 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
683 * This structure is used by the input processing to locate the SPI and
684 * related information.
686 struct xfrm_spi_skb_cb {
687 struct xfrm_tunnel_skb_cb header;
689 unsigned int daddroff;
694 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
696 #ifdef CONFIG_AUDITSYSCALL
697 static inline struct audit_buffer *xfrm_audit_start(const char *op)
699 struct audit_buffer *audit_buf = NULL;
701 if (audit_enabled == AUDIT_OFF)
703 audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
704 AUDIT_MAC_IPSEC_EVENT);
705 if (audit_buf == NULL)
707 audit_log_format(audit_buf, "op=%s", op);
711 static inline void xfrm_audit_helper_usrinfo(bool task_valid,
712 struct audit_buffer *audit_buf)
714 const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
715 audit_get_loginuid(current) :
717 const unsigned int ses = task_valid ? audit_get_sessionid(current) :
720 audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
721 audit_log_task_context(audit_buf);
724 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
725 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
727 void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
728 void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
729 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
730 struct sk_buff *skb);
731 void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
733 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
734 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi,
736 void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
740 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
745 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
750 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
755 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
760 static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
765 static inline void xfrm_audit_state_replay(struct xfrm_state *x,
766 struct sk_buff *skb, __be32 net_seq)
770 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
775 static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
776 __be32 net_spi, __be32 net_seq)
780 static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
781 struct sk_buff *skb, u8 proto)
784 #endif /* CONFIG_AUDITSYSCALL */
786 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
788 if (likely(policy != NULL))
789 refcount_inc(&policy->refcnt);
792 void xfrm_policy_destroy(struct xfrm_policy *policy);
794 static inline void xfrm_pol_put(struct xfrm_policy *policy)
796 if (refcount_dec_and_test(&policy->refcnt))
797 xfrm_policy_destroy(policy);
800 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
803 for (i = npols - 1; i >= 0; --i)
804 xfrm_pol_put(pols[i]);
807 void __xfrm_state_destroy(struct xfrm_state *, bool);
809 static inline void __xfrm_state_put(struct xfrm_state *x)
811 refcount_dec(&x->refcnt);
814 static inline void xfrm_state_put(struct xfrm_state *x)
816 if (refcount_dec_and_test(&x->refcnt))
817 __xfrm_state_destroy(x, false);
820 static inline void xfrm_state_put_sync(struct xfrm_state *x)
822 if (refcount_dec_and_test(&x->refcnt))
823 __xfrm_state_destroy(x, true);
826 static inline void xfrm_state_hold(struct xfrm_state *x)
828 refcount_inc(&x->refcnt);
831 static inline bool addr_match(const void *token1, const void *token2,
832 unsigned int prefixlen)
834 const __be32 *a1 = token1;
835 const __be32 *a2 = token2;
839 pdw = prefixlen >> 5; /* num of whole u32 in prefix */
840 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
843 if (memcmp(a1, a2, pdw << 2))
849 mask = htonl((0xffffffff) << (32 - pbi));
851 if ((a1[pdw] ^ a2[pdw]) & mask)
858 static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
860 /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
861 if (sizeof(long) == 4 && prefixlen == 0)
863 return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen)));
867 __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
870 switch(fl->flowi_proto) {
873 case IPPROTO_UDPLITE:
875 port = uli->ports.sport;
879 port = htons(uli->icmpt.type);
882 port = htons(uli->mht.type);
885 port = htons(ntohl(uli->gre_key) >> 16);
894 __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
897 switch(fl->flowi_proto) {
900 case IPPROTO_UDPLITE:
902 port = uli->ports.dport;
906 port = htons(uli->icmpt.code);
909 port = htons(ntohl(uli->gre_key) & 0xffff);
917 bool xfrm_selector_match(const struct xfrm_selector *sel,
918 const struct flowi *fl, unsigned short family);
920 #ifdef CONFIG_SECURITY_NETWORK_XFRM
921 /* If neither has a context --> match
922 * Otherwise, both must have a context and the sids, doi, alg must match
924 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
926 return ((!s1 && !s2) ||
928 (s1->ctx_sid == s2->ctx_sid) &&
929 (s1->ctx_doi == s2->ctx_doi) &&
930 (s1->ctx_alg == s2->ctx_alg)));
933 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
939 /* A struct encoding bundle of transformations to apply to some set of flow.
941 * xdst->child points to the next element of bundle.
942 * dst->xfrm points to an instanse of transformer.
944 * Due to unfortunate limitations of current routing cache, which we
945 * have no time to fix, it mirrors struct rtable and bound to the same
946 * routing key, including saddr,daddr. However, we can have many of
947 * bundles differing by session id. All the bundles grow from a parent
952 struct dst_entry dst;
956 struct dst_entry *route;
957 struct dst_entry *child;
958 struct dst_entry *path;
959 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
960 int num_pols, num_xfrms;
963 u32 route_mtu_cached;
964 u32 child_mtu_cached;
969 static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst)
972 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
973 const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst;
978 return (struct dst_entry *) dst;
981 static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst)
984 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
985 struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
993 static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child)
998 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
1000 xfrm_pols_put(xdst->pols, xdst->num_pols);
1001 dst_release(xdst->route);
1002 if (likely(xdst->u.dst.xfrm))
1003 xfrm_state_put(xdst->u.dst.xfrm);
1007 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
1009 struct xfrm_if_parms {
1010 int link; /* ifindex of underlying L2 interface */
1011 u32 if_id; /* interface identifyer */
1016 struct xfrm_if __rcu *next; /* next interface in list */
1017 struct net_device *dev; /* virtual device associated with interface */
1018 struct net *net; /* netns for packet i/o */
1019 struct xfrm_if_parms p; /* interface parms */
1021 struct gro_cells gro_cells;
1024 struct xfrm_offload {
1025 /* Output sequence number for replay protection on offloading. */
1032 #define SA_DELETE_REQ 1
1033 #define CRYPTO_DONE 2
1034 #define CRYPTO_NEXT_DONE 4
1035 #define CRYPTO_FALLBACK 8
1036 #define XFRM_GSO_SEGMENT 16
1039 #define XFRM_DEV_RESUME 128
1040 #define XFRM_XMIT 256
1043 #define CRYPTO_SUCCESS 1
1044 #define CRYPTO_GENERIC_ERROR 2
1045 #define CRYPTO_TRANSPORT_AH_AUTH_FAILED 4
1046 #define CRYPTO_TRANSPORT_ESP_AUTH_FAILED 8
1047 #define CRYPTO_TUNNEL_AH_AUTH_FAILED 16
1048 #define CRYPTO_TUNNEL_ESP_AUTH_FAILED 32
1049 #define CRYPTO_INVALID_PACKET_SYNTAX 64
1050 #define CRYPTO_INVALID_PROTOCOL 128
1052 /* Used to keep whole l2 header for transport mode GRO */
1064 struct xfrm_state *xvec[XFRM_MAX_DEPTH];
1065 struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH];
1068 struct sec_path *secpath_set(struct sk_buff *skb);
1071 secpath_reset(struct sk_buff *skb)
1074 skb_ext_del(skb, SKB_EXT_SEC_PATH);
1079 xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1083 return addr->a4 == 0;
1085 return ipv6_addr_any(&addr->in6);
1091 __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1093 return (tmpl->saddr.a4 &&
1094 tmpl->saddr.a4 != x->props.saddr.a4);
1098 __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1100 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1101 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1105 xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1109 return __xfrm4_state_addr_cmp(tmpl, x);
1111 return __xfrm6_state_addr_cmp(tmpl, x);
1117 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1119 struct sec_path *sp = skb_sec_path(skb);
1121 return sp->xvec[sp->len - 1];
1125 static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
1128 struct sec_path *sp = skb_sec_path(skb);
1130 if (!sp || !sp->olen || sp->len != sp->olen)
1133 return &sp->ovec[sp->olen - 1];
1140 int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
1141 unsigned short family);
1143 static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb,
1146 if (!net->xfrm.policy_count[dir] && !secpath_exists(skb))
1147 return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT;
1152 static inline bool __xfrm_check_dev_nopolicy(struct sk_buff *skb,
1153 int dir, unsigned short family)
1155 if (dir != XFRM_POLICY_OUT && family == AF_INET) {
1156 /* same dst may be used for traffic originating from
1157 * devices with different policy settings.
1159 return IPCB(skb)->flags & IPSKB_NOPOLICY;
1161 return skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY);
1164 static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1165 struct sk_buff *skb,
1166 unsigned int family, int reverse)
1168 struct net *net = dev_net(skb->dev);
1169 int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1170 struct xfrm_offload *xo = xfrm_offload(skb);
1171 struct xfrm_state *x;
1173 if (sk && sk->sk_policy[XFRM_POLICY_IN])
1174 return __xfrm_policy_check(sk, ndir, skb, family);
1177 x = xfrm_input_state(skb);
1178 if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET)
1179 return (xo->flags & CRYPTO_DONE) &&
1180 (xo->status & CRYPTO_SUCCESS);
1183 return __xfrm_check_nopolicy(net, skb, dir) ||
1184 __xfrm_check_dev_nopolicy(skb, dir, family) ||
1185 __xfrm_policy_check(sk, ndir, skb, family);
1188 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1190 return __xfrm_policy_check2(sk, dir, skb, family, 0);
1193 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1195 return xfrm_policy_check(sk, dir, skb, AF_INET);
1198 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1200 return xfrm_policy_check(sk, dir, skb, AF_INET6);
1203 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1204 struct sk_buff *skb)
1206 return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1209 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1210 struct sk_buff *skb)
1212 return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1215 int __xfrm_decode_session(struct net *net, struct sk_buff *skb, struct flowi *fl,
1216 unsigned int family, int reverse);
1218 static inline int xfrm_decode_session(struct net *net, struct sk_buff *skb, struct flowi *fl,
1219 unsigned int family)
1221 return __xfrm_decode_session(net, skb, fl, family, 0);
1224 static inline int xfrm_decode_session_reverse(struct net *net, struct sk_buff *skb,
1226 unsigned int family)
1228 return __xfrm_decode_session(net, skb, fl, family, 1);
1231 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1233 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1235 struct net *net = dev_net(skb->dev);
1237 if (!net->xfrm.policy_count[XFRM_POLICY_OUT] &&
1238 net->xfrm.policy_default[XFRM_POLICY_OUT] == XFRM_USERPOLICY_ACCEPT)
1241 return (skb_dst(skb)->flags & DST_NOXFRM) ||
1242 __xfrm_route_forward(skb, family);
1245 static inline int xfrm4_route_forward(struct sk_buff *skb)
1247 return xfrm_route_forward(skb, AF_INET);
1250 static inline int xfrm6_route_forward(struct sk_buff *skb)
1252 return xfrm_route_forward(skb, AF_INET6);
1255 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk);
1257 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
1259 if (!sk_fullsock(osk))
1261 sk->sk_policy[0] = NULL;
1262 sk->sk_policy[1] = NULL;
1263 if (unlikely(osk->sk_policy[0] || osk->sk_policy[1]))
1264 return __xfrm_sk_clone_policy(sk, osk);
1268 int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1270 static inline void xfrm_sk_free_policy(struct sock *sk)
1272 struct xfrm_policy *pol;
1274 pol = rcu_dereference_protected(sk->sk_policy[0], 1);
1275 if (unlikely(pol != NULL)) {
1276 xfrm_policy_delete(pol, XFRM_POLICY_MAX);
1277 sk->sk_policy[0] = NULL;
1279 pol = rcu_dereference_protected(sk->sk_policy[1], 1);
1280 if (unlikely(pol != NULL)) {
1281 xfrm_policy_delete(pol, XFRM_POLICY_MAX+1);
1282 sk->sk_policy[1] = NULL;
1288 static inline void xfrm_sk_free_policy(struct sock *sk) {}
1289 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; }
1290 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
1291 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
1292 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1296 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1300 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1304 static inline int xfrm_decode_session_reverse(struct net *net, struct sk_buff *skb,
1306 unsigned int family)
1310 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1311 struct sk_buff *skb)
1315 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1316 struct sk_buff *skb)
1323 xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1327 return (xfrm_address_t *)&fl->u.ip4.daddr;
1329 return (xfrm_address_t *)&fl->u.ip6.daddr;
1335 xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1339 return (xfrm_address_t *)&fl->u.ip4.saddr;
1341 return (xfrm_address_t *)&fl->u.ip6.saddr;
1347 void xfrm_flowi_addr_get(const struct flowi *fl,
1348 xfrm_address_t *saddr, xfrm_address_t *daddr,
1349 unsigned short family)
1353 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1354 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1357 saddr->in6 = fl->u.ip6.saddr;
1358 daddr->in6 = fl->u.ip6.daddr;
1363 static __inline__ int
1364 __xfrm4_state_addr_check(const struct xfrm_state *x,
1365 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1367 if (daddr->a4 == x->id.daddr.a4 &&
1368 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1373 static __inline__ int
1374 __xfrm6_state_addr_check(const struct xfrm_state *x,
1375 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1377 if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1378 (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
1379 ipv6_addr_any((struct in6_addr *)saddr) ||
1380 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1385 static __inline__ int
1386 xfrm_state_addr_check(const struct xfrm_state *x,
1387 const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1388 unsigned short family)
1392 return __xfrm4_state_addr_check(x, daddr, saddr);
1394 return __xfrm6_state_addr_check(x, daddr, saddr);
1399 static __inline__ int
1400 xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1401 unsigned short family)
1405 return __xfrm4_state_addr_check(x,
1406 (const xfrm_address_t *)&fl->u.ip4.daddr,
1407 (const xfrm_address_t *)&fl->u.ip4.saddr);
1409 return __xfrm6_state_addr_check(x,
1410 (const xfrm_address_t *)&fl->u.ip6.daddr,
1411 (const xfrm_address_t *)&fl->u.ip6.saddr);
1416 static inline int xfrm_state_kern(const struct xfrm_state *x)
1418 return atomic_read(&x->tunnel_users);
1421 static inline bool xfrm_id_proto_valid(u8 proto)
1427 #if IS_ENABLED(CONFIG_IPV6)
1428 case IPPROTO_ROUTING:
1429 case IPPROTO_DSTOPTS:
1437 /* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */
1438 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1440 return (!userproto || proto == userproto ||
1441 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1442 proto == IPPROTO_ESP ||
1443 proto == IPPROTO_COMP)));
1447 * xfrm algorithm information
1449 struct xfrm_algo_aead_info {
1454 struct xfrm_algo_auth_info {
1459 struct xfrm_algo_encr_info {
1465 struct xfrm_algo_comp_info {
1469 struct xfrm_algo_desc {
1473 u8 pfkey_supported:1;
1475 struct xfrm_algo_aead_info aead;
1476 struct xfrm_algo_auth_info auth;
1477 struct xfrm_algo_encr_info encr;
1478 struct xfrm_algo_comp_info comp;
1480 struct sadb_alg desc;
1483 /* XFRM protocol handlers. */
1484 struct xfrm4_protocol {
1485 int (*handler)(struct sk_buff *skb);
1486 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1488 int (*cb_handler)(struct sk_buff *skb, int err);
1489 int (*err_handler)(struct sk_buff *skb, u32 info);
1491 struct xfrm4_protocol __rcu *next;
1495 struct xfrm6_protocol {
1496 int (*handler)(struct sk_buff *skb);
1497 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1499 int (*cb_handler)(struct sk_buff *skb, int err);
1500 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1501 u8 type, u8 code, int offset, __be32 info);
1503 struct xfrm6_protocol __rcu *next;
1507 /* XFRM tunnel handlers. */
1508 struct xfrm_tunnel {
1509 int (*handler)(struct sk_buff *skb);
1510 int (*cb_handler)(struct sk_buff *skb, int err);
1511 int (*err_handler)(struct sk_buff *skb, u32 info);
1513 struct xfrm_tunnel __rcu *next;
1517 struct xfrm6_tunnel {
1518 int (*handler)(struct sk_buff *skb);
1519 int (*cb_handler)(struct sk_buff *skb, int err);
1520 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1521 u8 type, u8 code, int offset, __be32 info);
1522 struct xfrm6_tunnel __rcu *next;
1526 void xfrm_init(void);
1527 void xfrm4_init(void);
1528 int xfrm_state_init(struct net *net);
1529 void xfrm_state_fini(struct net *net);
1530 void xfrm4_state_init(void);
1531 void xfrm4_protocol_init(void);
1533 int xfrm6_init(void);
1534 void xfrm6_fini(void);
1535 int xfrm6_state_init(void);
1536 void xfrm6_state_fini(void);
1537 int xfrm6_protocol_init(void);
1538 void xfrm6_protocol_fini(void);
1540 static inline int xfrm6_init(void)
1544 static inline void xfrm6_fini(void)
1550 #ifdef CONFIG_XFRM_STATISTICS
1551 int xfrm_proc_init(struct net *net);
1552 void xfrm_proc_fini(struct net *net);
1555 int xfrm_sysctl_init(struct net *net);
1556 #ifdef CONFIG_SYSCTL
1557 void xfrm_sysctl_fini(struct net *net);
1559 static inline void xfrm_sysctl_fini(struct net *net)
1564 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
1565 struct xfrm_address_filter *filter);
1566 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1567 int (*func)(struct xfrm_state *, int, void*), void *);
1568 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
1569 struct xfrm_state *xfrm_state_alloc(struct net *net);
1570 void xfrm_state_free(struct xfrm_state *x);
1571 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1572 const xfrm_address_t *saddr,
1573 const struct flowi *fl,
1574 struct xfrm_tmpl *tmpl,
1575 struct xfrm_policy *pol, int *err,
1576 unsigned short family, u32 if_id);
1577 struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id,
1578 xfrm_address_t *daddr,
1579 xfrm_address_t *saddr,
1580 unsigned short family,
1581 u8 mode, u8 proto, u32 reqid);
1582 struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1583 unsigned short family);
1584 int xfrm_state_check_expire(struct xfrm_state *x);
1585 void xfrm_state_update_stats(struct net *net);
1586 #ifdef CONFIG_XFRM_OFFLOAD
1587 static inline void xfrm_dev_state_update_stats(struct xfrm_state *x)
1589 struct xfrm_dev_offload *xdo = &x->xso;
1590 struct net_device *dev = xdo->dev;
1592 if (dev && dev->xfrmdev_ops &&
1593 dev->xfrmdev_ops->xdo_dev_state_update_stats)
1594 dev->xfrmdev_ops->xdo_dev_state_update_stats(x);
1598 static inline void xfrm_dev_state_update_stats(struct xfrm_state *x) {}
1600 void xfrm_state_insert(struct xfrm_state *x);
1601 int xfrm_state_add(struct xfrm_state *x);
1602 int xfrm_state_update(struct xfrm_state *x);
1603 struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1604 const xfrm_address_t *daddr, __be32 spi,
1605 u8 proto, unsigned short family);
1606 struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1607 const xfrm_address_t *daddr,
1608 const xfrm_address_t *saddr,
1610 unsigned short family);
1611 #ifdef CONFIG_XFRM_SUB_POLICY
1612 void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1613 unsigned short family);
1614 void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1615 unsigned short family);
1617 static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s,
1618 int n, unsigned short family)
1622 static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s,
1623 int n, unsigned short family)
1628 struct xfrmk_sadinfo {
1629 u32 sadhcnt; /* current hash bkts */
1630 u32 sadhmcnt; /* max allowed hash bkts */
1631 u32 sadcnt; /* current running count */
1634 struct xfrmk_spdinfo {
1645 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
1646 int xfrm_state_delete(struct xfrm_state *x);
1647 int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
1648 int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
1649 int xfrm_dev_policy_flush(struct net *net, struct net_device *dev,
1651 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1652 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1653 u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1654 int xfrm_init_replay(struct xfrm_state *x, struct netlink_ext_ack *extack);
1655 u32 xfrm_state_mtu(struct xfrm_state *x, int mtu);
1656 int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload,
1657 struct netlink_ext_ack *extack);
1658 int xfrm_init_state(struct xfrm_state *x);
1659 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
1660 int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1661 int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
1662 int (*finish)(struct net *, struct sock *,
1664 int xfrm_trans_queue(struct sk_buff *skb,
1665 int (*finish)(struct net *, struct sock *,
1667 int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err);
1668 int xfrm_output(struct sock *sk, struct sk_buff *skb);
1670 #if IS_ENABLED(CONFIG_NET_PKTGEN)
1671 int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb);
1674 void xfrm_local_error(struct sk_buff *skb, int mtu);
1675 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1677 int xfrm4_transport_finish(struct sk_buff *skb, int async);
1678 int xfrm4_rcv(struct sk_buff *skb);
1680 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1682 XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
1683 XFRM_SPI_SKB_CB(skb)->family = AF_INET;
1684 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
1685 return xfrm_input(skb, nexthdr, spi, 0);
1688 int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1689 int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);
1690 int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);
1691 int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1692 int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1693 void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
1694 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
1696 int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1698 int xfrm6_transport_finish(struct sk_buff *skb, int async);
1699 int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t);
1700 int xfrm6_rcv(struct sk_buff *skb);
1701 int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1702 xfrm_address_t *saddr, u8 proto);
1703 void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
1704 int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);
1705 int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);
1706 int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1707 int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1708 __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1709 __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1710 int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1713 void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu);
1714 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1715 int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1716 struct sk_buff *xfrm4_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
1717 struct sk_buff *skb);
1718 struct sk_buff *xfrm6_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
1719 struct sk_buff *skb);
1720 int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval,
1723 static inline int xfrm_user_policy(struct sock *sk, int optname,
1724 sockptr_t optval, int optlen)
1726 return -ENOPROTOOPT;
1730 struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
1731 const xfrm_address_t *saddr,
1732 const xfrm_address_t *daddr,
1733 int family, u32 mark);
1735 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1737 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1738 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1739 int (*func)(struct xfrm_policy *, int, int, void*),
1741 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1742 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1743 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net,
1744 const struct xfrm_mark *mark,
1745 u32 if_id, u8 type, int dir,
1746 struct xfrm_selector *sel,
1747 struct xfrm_sec_ctx *ctx, int delete,
1749 struct xfrm_policy *xfrm_policy_byid(struct net *net,
1750 const struct xfrm_mark *mark, u32 if_id,
1751 u8 type, int dir, u32 id, int delete,
1753 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
1754 void xfrm_policy_hash_rebuild(struct net *net);
1755 u32 xfrm_get_acqseq(void);
1756 int verify_spi_info(u8 proto, u32 min, u32 max, struct netlink_ext_ack *extack);
1757 int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi,
1758 struct netlink_ext_ack *extack);
1759 struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
1760 u8 mode, u32 reqid, u32 if_id, u8 proto,
1761 const xfrm_address_t *daddr,
1762 const xfrm_address_t *saddr, int create,
1763 unsigned short family);
1764 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1766 #ifdef CONFIG_XFRM_MIGRATE
1767 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1768 const struct xfrm_migrate *m, int num_bundles,
1769 const struct xfrm_kmaddress *k,
1770 const struct xfrm_encap_tmpl *encap);
1771 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net,
1773 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
1774 struct xfrm_migrate *m,
1775 struct xfrm_encap_tmpl *encap);
1776 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1777 struct xfrm_migrate *m, int num_bundles,
1778 struct xfrm_kmaddress *k, struct net *net,
1779 struct xfrm_encap_tmpl *encap, u32 if_id,
1780 struct netlink_ext_ack *extack);
1783 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1784 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1785 int km_report(struct net *net, u8 proto, struct xfrm_selector *sel,
1786 xfrm_address_t *addr);
1788 void xfrm_input_init(void);
1789 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1791 void xfrm_probe_algs(void);
1792 int xfrm_count_pfkey_auth_supported(void);
1793 int xfrm_count_pfkey_enc_supported(void);
1794 struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1795 struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1796 struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1797 struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1798 struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1799 struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1800 struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1801 struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1802 struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1805 static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1806 const xfrm_address_t *b)
1808 return ipv6_addr_equal((const struct in6_addr *)a,
1809 (const struct in6_addr *)b);
1812 static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1813 const xfrm_address_t *b,
1819 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1821 return xfrm6_addr_equal(a, b);
1825 static inline int xfrm_policy_id2dir(u32 index)
1831 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq);
1832 int xfrm_replay_check(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
1833 void xfrm_replay_notify(struct xfrm_state *x, int event);
1834 int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb);
1835 int xfrm_replay_recheck(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
1837 static inline int xfrm_aevent_is_on(struct net *net)
1843 nlsk = rcu_dereference(net->xfrm.nlsk);
1845 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1850 static inline int xfrm_acquire_is_on(struct net *net)
1856 nlsk = rcu_dereference(net->xfrm.nlsk);
1858 ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE);
1865 static inline unsigned int aead_len(struct xfrm_algo_aead *alg)
1867 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1870 static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg)
1872 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1875 static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1877 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1880 static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1882 return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1885 #ifdef CONFIG_XFRM_MIGRATE
1886 static inline int xfrm_replay_clone(struct xfrm_state *x,
1887 struct xfrm_state *orig)
1890 x->replay_esn = kmemdup(orig->replay_esn,
1891 xfrm_replay_state_esn_len(orig->replay_esn),
1895 x->preplay_esn = kmemdup(orig->preplay_esn,
1896 xfrm_replay_state_esn_len(orig->preplay_esn),
1898 if (!x->preplay_esn)
1904 static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig)
1906 return kmemdup(orig, aead_len(orig), GFP_KERNEL);
1910 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1912 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1915 static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1917 return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1920 static inline void xfrm_states_put(struct xfrm_state **states, int n)
1923 for (i = 0; i < n; i++)
1924 xfrm_state_put(*(states + i));
1927 static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1930 for (i = 0; i < n; i++)
1931 xfrm_state_delete(*(states + i));
1935 void __init xfrm_dev_init(void);
1937 #ifdef CONFIG_XFRM_OFFLOAD
1938 void xfrm_dev_resume(struct sk_buff *skb);
1939 void xfrm_dev_backlog(struct softnet_data *sd);
1940 struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again);
1941 int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
1942 struct xfrm_user_offload *xuo,
1943 struct netlink_ext_ack *extack);
1944 int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
1945 struct xfrm_user_offload *xuo, u8 dir,
1946 struct netlink_ext_ack *extack);
1947 bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
1949 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1951 struct xfrm_dev_offload *xso = &x->xso;
1953 if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn)
1954 xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
1957 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1959 struct xfrm_state *x = dst->xfrm;
1960 struct xfrm_dst *xdst;
1962 if (!x || !x->type_offload)
1965 xdst = (struct xfrm_dst *) dst;
1966 if (!x->xso.offload_handle && !xdst->child->xfrm)
1968 if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) &&
1975 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1977 struct xfrm_dev_offload *xso = &x->xso;
1980 xso->dev->xfrmdev_ops->xdo_dev_state_delete(x);
1983 static inline void xfrm_dev_state_free(struct xfrm_state *x)
1985 struct xfrm_dev_offload *xso = &x->xso;
1986 struct net_device *dev = xso->dev;
1988 if (dev && dev->xfrmdev_ops) {
1989 if (dev->xfrmdev_ops->xdo_dev_state_free)
1990 dev->xfrmdev_ops->xdo_dev_state_free(x);
1992 xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
1993 netdev_put(dev, &xso->dev_tracker);
1997 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x)
1999 struct xfrm_dev_offload *xdo = &x->xdo;
2000 struct net_device *dev = xdo->dev;
2002 if (dev && dev->xfrmdev_ops && dev->xfrmdev_ops->xdo_dev_policy_delete)
2003 dev->xfrmdev_ops->xdo_dev_policy_delete(x);
2006 static inline void xfrm_dev_policy_free(struct xfrm_policy *x)
2008 struct xfrm_dev_offload *xdo = &x->xdo;
2009 struct net_device *dev = xdo->dev;
2011 if (dev && dev->xfrmdev_ops) {
2012 if (dev->xfrmdev_ops->xdo_dev_policy_free)
2013 dev->xfrmdev_ops->xdo_dev_policy_free(x);
2015 netdev_put(dev, &xdo->dev_tracker);
2019 static inline void xfrm_dev_resume(struct sk_buff *skb)
2023 static inline void xfrm_dev_backlog(struct softnet_data *sd)
2027 static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
2032 static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo, struct netlink_ext_ack *extack)
2037 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
2041 static inline void xfrm_dev_state_free(struct xfrm_state *x)
2045 static inline int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
2046 struct xfrm_user_offload *xuo, u8 dir,
2047 struct netlink_ext_ack *extack)
2052 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x)
2056 static inline void xfrm_dev_policy_free(struct xfrm_policy *x)
2060 static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
2065 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
2069 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
2075 static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
2077 if (attrs[XFRMA_MARK])
2078 memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
2085 static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
2090 ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
2094 static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x)
2096 struct xfrm_mark *m = &x->props.smark;
2098 return (m->v & m->m) | (mark & ~m->m);
2101 static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id)
2106 ret = nla_put_u32(skb, XFRMA_IF_ID, if_id);
2110 static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
2111 unsigned int family)
2113 bool tunnel = false;
2117 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
2121 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
2125 if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL))
2131 extern const int xfrm_msg_min[XFRM_NR_MSGTYPES];
2132 extern const struct nla_policy xfrma_policy[XFRMA_MAX+1];
2134 struct xfrm_translator {
2135 /* Allocate frag_list and put compat translation there */
2136 int (*alloc_compat)(struct sk_buff *skb, const struct nlmsghdr *src);
2138 /* Allocate nlmsg with 64-bit translaton of received 32-bit message */
2139 struct nlmsghdr *(*rcv_msg_compat)(const struct nlmsghdr *nlh,
2140 int maxtype, const struct nla_policy *policy,
2141 struct netlink_ext_ack *extack);
2143 /* Translate 32-bit user_policy from sockptr */
2144 int (*xlate_user_policy_sockptr)(u8 **pdata32, int optlen);
2146 struct module *owner;
2149 #if IS_ENABLED(CONFIG_XFRM_USER_COMPAT)
2150 extern int xfrm_register_translator(struct xfrm_translator *xtr);
2151 extern int xfrm_unregister_translator(struct xfrm_translator *xtr);
2152 extern struct xfrm_translator *xfrm_get_translator(void);
2153 extern void xfrm_put_translator(struct xfrm_translator *xtr);
2155 static inline struct xfrm_translator *xfrm_get_translator(void)
2159 static inline void xfrm_put_translator(struct xfrm_translator *xtr)
2164 #if IS_ENABLED(CONFIG_IPV6)
2165 static inline bool xfrm6_local_dontfrag(const struct sock *sk)
2169 if (!sk || sk->sk_family != AF_INET6)
2172 proto = sk->sk_protocol;
2173 if (proto == IPPROTO_UDP || proto == IPPROTO_RAW)
2174 return inet6_test_bit(DONTFRAG, sk);
2180 #if (IS_BUILTIN(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) || \
2181 (IS_MODULE(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES))
2183 extern struct metadata_dst __percpu *xfrm_bpf_md_dst;
2185 int register_xfrm_interface_bpf(void);
2189 static inline int register_xfrm_interface_bpf(void)
2196 #if IS_ENABLED(CONFIG_DEBUG_INFO_BTF)
2197 int register_xfrm_state_bpf(void);
2199 static inline int register_xfrm_state_bpf(void)
2205 #endif /* _NET_XFRM_H */