6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * Kazunori MIYAZAWA @USAGI
11 * Split up af-specific portion
12 * Derek Atkins <derek@ihtfp.com> Add the post_input processor
16 #include <linux/err.h>
17 #include <linux/slab.h>
18 #include <linux/kmod.h>
19 #include <linux/list.h>
20 #include <linux/spinlock.h>
21 #include <linux/workqueue.h>
22 #include <linux/notifier.h>
23 #include <linux/netdevice.h>
24 #include <linux/netfilter.h>
25 #include <linux/module.h>
26 #include <linux/cache.h>
27 #include <linux/audit.h>
32 #ifdef CONFIG_XFRM_STATISTICS
36 #include "xfrm_hash.h"
38 #define XFRM_QUEUE_TMO_MIN ((unsigned)(HZ/10))
39 #define XFRM_QUEUE_TMO_MAX ((unsigned)(60*HZ))
40 #define XFRM_MAX_QUEUE_LEN 100
43 struct dst_entry *dst_orig;
47 static DEFINE_SPINLOCK(xfrm_policy_afinfo_lock);
48 static struct xfrm_policy_afinfo __rcu *xfrm_policy_afinfo[NPROTO]
51 static struct kmem_cache *xfrm_dst_cache __read_mostly;
53 static void xfrm_init_pmtu(struct dst_entry *dst);
54 static int stale_bundle(struct dst_entry *dst);
55 static int xfrm_bundle_ok(struct xfrm_dst *xdst);
56 static void xfrm_policy_queue_process(unsigned long arg);
58 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir);
59 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
63 __xfrm4_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
65 const struct flowi4 *fl4 = &fl->u.ip4;
67 return addr4_match(fl4->daddr, sel->daddr.a4, sel->prefixlen_d) &&
68 addr4_match(fl4->saddr, sel->saddr.a4, sel->prefixlen_s) &&
69 !((xfrm_flowi_dport(fl, &fl4->uli) ^ sel->dport) & sel->dport_mask) &&
70 !((xfrm_flowi_sport(fl, &fl4->uli) ^ sel->sport) & sel->sport_mask) &&
71 (fl4->flowi4_proto == sel->proto || !sel->proto) &&
72 (fl4->flowi4_oif == sel->ifindex || !sel->ifindex);
76 __xfrm6_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
78 const struct flowi6 *fl6 = &fl->u.ip6;
80 return addr_match(&fl6->daddr, &sel->daddr, sel->prefixlen_d) &&
81 addr_match(&fl6->saddr, &sel->saddr, sel->prefixlen_s) &&
82 !((xfrm_flowi_dport(fl, &fl6->uli) ^ sel->dport) & sel->dport_mask) &&
83 !((xfrm_flowi_sport(fl, &fl6->uli) ^ sel->sport) & sel->sport_mask) &&
84 (fl6->flowi6_proto == sel->proto || !sel->proto) &&
85 (fl6->flowi6_oif == sel->ifindex || !sel->ifindex);
88 bool xfrm_selector_match(const struct xfrm_selector *sel, const struct flowi *fl,
89 unsigned short family)
93 return __xfrm4_selector_match(sel, fl);
95 return __xfrm6_selector_match(sel, fl);
100 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)
102 struct xfrm_policy_afinfo *afinfo;
104 if (unlikely(family >= NPROTO))
107 afinfo = rcu_dereference(xfrm_policy_afinfo[family]);
108 if (unlikely(!afinfo))
113 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo)
118 static inline struct dst_entry *__xfrm_dst_lookup(struct net *net,
120 const xfrm_address_t *saddr,
121 const xfrm_address_t *daddr,
122 int family, u32 mark)
124 struct xfrm_policy_afinfo *afinfo;
125 struct dst_entry *dst;
127 afinfo = xfrm_policy_get_afinfo(family);
128 if (unlikely(afinfo == NULL))
129 return ERR_PTR(-EAFNOSUPPORT);
131 dst = afinfo->dst_lookup(net, tos, oif, saddr, daddr, mark);
133 xfrm_policy_put_afinfo(afinfo);
138 static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x,
140 xfrm_address_t *prev_saddr,
141 xfrm_address_t *prev_daddr,
142 int family, u32 mark)
144 struct net *net = xs_net(x);
145 xfrm_address_t *saddr = &x->props.saddr;
146 xfrm_address_t *daddr = &x->id.daddr;
147 struct dst_entry *dst;
149 if (x->type->flags & XFRM_TYPE_LOCAL_COADDR) {
153 if (x->type->flags & XFRM_TYPE_REMOTE_COADDR) {
158 dst = __xfrm_dst_lookup(net, tos, oif, saddr, daddr, family, mark);
161 if (prev_saddr != saddr)
162 memcpy(prev_saddr, saddr, sizeof(*prev_saddr));
163 if (prev_daddr != daddr)
164 memcpy(prev_daddr, daddr, sizeof(*prev_daddr));
170 static inline unsigned long make_jiffies(long secs)
172 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
173 return MAX_SCHEDULE_TIMEOUT-1;
178 static void xfrm_policy_timer(unsigned long data)
180 struct xfrm_policy *xp = (struct xfrm_policy *)data;
181 unsigned long now = get_seconds();
182 long next = LONG_MAX;
186 read_lock(&xp->lock);
188 if (unlikely(xp->walk.dead))
191 dir = xfrm_policy_id2dir(xp->index);
193 if (xp->lft.hard_add_expires_seconds) {
194 long tmo = xp->lft.hard_add_expires_seconds +
195 xp->curlft.add_time - now;
201 if (xp->lft.hard_use_expires_seconds) {
202 long tmo = xp->lft.hard_use_expires_seconds +
203 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
209 if (xp->lft.soft_add_expires_seconds) {
210 long tmo = xp->lft.soft_add_expires_seconds +
211 xp->curlft.add_time - now;
214 tmo = XFRM_KM_TIMEOUT;
219 if (xp->lft.soft_use_expires_seconds) {
220 long tmo = xp->lft.soft_use_expires_seconds +
221 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
224 tmo = XFRM_KM_TIMEOUT;
231 km_policy_expired(xp, dir, 0, 0);
232 if (next != LONG_MAX &&
233 !mod_timer(&xp->timer, jiffies + make_jiffies(next)))
237 read_unlock(&xp->lock);
242 read_unlock(&xp->lock);
243 if (!xfrm_policy_delete(xp, dir))
244 km_policy_expired(xp, dir, 1, 0);
248 static struct flow_cache_object *xfrm_policy_flo_get(struct flow_cache_object *flo)
250 struct xfrm_policy *pol = container_of(flo, struct xfrm_policy, flo);
252 if (unlikely(pol->walk.dead))
260 static int xfrm_policy_flo_check(struct flow_cache_object *flo)
262 struct xfrm_policy *pol = container_of(flo, struct xfrm_policy, flo);
264 return !pol->walk.dead;
267 static void xfrm_policy_flo_delete(struct flow_cache_object *flo)
269 xfrm_pol_put(container_of(flo, struct xfrm_policy, flo));
272 static const struct flow_cache_ops xfrm_policy_fc_ops = {
273 .get = xfrm_policy_flo_get,
274 .check = xfrm_policy_flo_check,
275 .delete = xfrm_policy_flo_delete,
278 /* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
282 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
284 struct xfrm_policy *policy;
286 policy = kzalloc(sizeof(struct xfrm_policy), gfp);
289 write_pnet(&policy->xp_net, net);
290 INIT_LIST_HEAD(&policy->walk.all);
291 INIT_HLIST_NODE(&policy->bydst);
292 INIT_HLIST_NODE(&policy->byidx);
293 rwlock_init(&policy->lock);
294 atomic_set(&policy->refcnt, 1);
295 skb_queue_head_init(&policy->polq.hold_queue);
296 setup_timer(&policy->timer, xfrm_policy_timer,
297 (unsigned long)policy);
298 setup_timer(&policy->polq.hold_timer, xfrm_policy_queue_process,
299 (unsigned long)policy);
300 policy->flo.ops = &xfrm_policy_fc_ops;
304 EXPORT_SYMBOL(xfrm_policy_alloc);
306 static void xfrm_policy_destroy_rcu(struct rcu_head *head)
308 struct xfrm_policy *policy = container_of(head, struct xfrm_policy, rcu);
310 security_xfrm_policy_free(policy->security);
314 /* Destroy xfrm_policy: descendant resources must be released to this moment. */
316 void xfrm_policy_destroy(struct xfrm_policy *policy)
318 BUG_ON(!policy->walk.dead);
320 if (del_timer(&policy->timer) || del_timer(&policy->polq.hold_timer))
323 call_rcu(&policy->rcu, xfrm_policy_destroy_rcu);
325 EXPORT_SYMBOL(xfrm_policy_destroy);
327 /* Rule must be locked. Release descentant resources, announce
328 * entry dead. The rule must be unlinked from lists to the moment.
331 static void xfrm_policy_kill(struct xfrm_policy *policy)
333 policy->walk.dead = 1;
335 atomic_inc(&policy->genid);
337 if (del_timer(&policy->polq.hold_timer))
338 xfrm_pol_put(policy);
339 skb_queue_purge(&policy->polq.hold_queue);
341 if (del_timer(&policy->timer))
342 xfrm_pol_put(policy);
344 xfrm_pol_put(policy);
347 static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024;
349 static inline unsigned int idx_hash(struct net *net, u32 index)
351 return __idx_hash(index, net->xfrm.policy_idx_hmask);
354 /* calculate policy hash thresholds */
355 static void __get_hash_thresh(struct net *net,
356 unsigned short family, int dir,
357 u8 *dbits, u8 *sbits)
361 *dbits = net->xfrm.policy_bydst[dir].dbits4;
362 *sbits = net->xfrm.policy_bydst[dir].sbits4;
366 *dbits = net->xfrm.policy_bydst[dir].dbits6;
367 *sbits = net->xfrm.policy_bydst[dir].sbits6;
376 static struct hlist_head *policy_hash_bysel(struct net *net,
377 const struct xfrm_selector *sel,
378 unsigned short family, int dir)
380 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
385 __get_hash_thresh(net, family, dir, &dbits, &sbits);
386 hash = __sel_hash(sel, family, hmask, dbits, sbits);
388 return (hash == hmask + 1 ?
389 &net->xfrm.policy_inexact[dir] :
390 net->xfrm.policy_bydst[dir].table + hash);
393 static struct hlist_head *policy_hash_direct(struct net *net,
394 const xfrm_address_t *daddr,
395 const xfrm_address_t *saddr,
396 unsigned short family, int dir)
398 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
403 __get_hash_thresh(net, family, dir, &dbits, &sbits);
404 hash = __addr_hash(daddr, saddr, family, hmask, dbits, sbits);
406 return net->xfrm.policy_bydst[dir].table + hash;
409 static void xfrm_dst_hash_transfer(struct net *net,
410 struct hlist_head *list,
411 struct hlist_head *ndsttable,
412 unsigned int nhashmask,
415 struct hlist_node *tmp, *entry0 = NULL;
416 struct xfrm_policy *pol;
422 hlist_for_each_entry_safe(pol, tmp, list, bydst) {
425 __get_hash_thresh(net, pol->family, dir, &dbits, &sbits);
426 h = __addr_hash(&pol->selector.daddr, &pol->selector.saddr,
427 pol->family, nhashmask, dbits, sbits);
429 hlist_del(&pol->bydst);
430 hlist_add_head(&pol->bydst, ndsttable+h);
435 hlist_del(&pol->bydst);
436 hlist_add_behind(&pol->bydst, entry0);
438 entry0 = &pol->bydst;
440 if (!hlist_empty(list)) {
446 static void xfrm_idx_hash_transfer(struct hlist_head *list,
447 struct hlist_head *nidxtable,
448 unsigned int nhashmask)
450 struct hlist_node *tmp;
451 struct xfrm_policy *pol;
453 hlist_for_each_entry_safe(pol, tmp, list, byidx) {
456 h = __idx_hash(pol->index, nhashmask);
457 hlist_add_head(&pol->byidx, nidxtable+h);
461 static unsigned long xfrm_new_hash_mask(unsigned int old_hmask)
463 return ((old_hmask + 1) << 1) - 1;
466 static void xfrm_bydst_resize(struct net *net, int dir)
468 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
469 unsigned int nhashmask = xfrm_new_hash_mask(hmask);
470 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
471 struct hlist_head *odst = net->xfrm.policy_bydst[dir].table;
472 struct hlist_head *ndst = xfrm_hash_alloc(nsize);
478 write_lock_bh(&net->xfrm.xfrm_policy_lock);
480 for (i = hmask; i >= 0; i--)
481 xfrm_dst_hash_transfer(net, odst + i, ndst, nhashmask, dir);
483 net->xfrm.policy_bydst[dir].table = ndst;
484 net->xfrm.policy_bydst[dir].hmask = nhashmask;
486 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
488 xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head));
491 static void xfrm_byidx_resize(struct net *net, int total)
493 unsigned int hmask = net->xfrm.policy_idx_hmask;
494 unsigned int nhashmask = xfrm_new_hash_mask(hmask);
495 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
496 struct hlist_head *oidx = net->xfrm.policy_byidx;
497 struct hlist_head *nidx = xfrm_hash_alloc(nsize);
503 write_lock_bh(&net->xfrm.xfrm_policy_lock);
505 for (i = hmask; i >= 0; i--)
506 xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask);
508 net->xfrm.policy_byidx = nidx;
509 net->xfrm.policy_idx_hmask = nhashmask;
511 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
513 xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head));
516 static inline int xfrm_bydst_should_resize(struct net *net, int dir, int *total)
518 unsigned int cnt = net->xfrm.policy_count[dir];
519 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
524 if ((hmask + 1) < xfrm_policy_hashmax &&
531 static inline int xfrm_byidx_should_resize(struct net *net, int total)
533 unsigned int hmask = net->xfrm.policy_idx_hmask;
535 if ((hmask + 1) < xfrm_policy_hashmax &&
542 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si)
544 read_lock_bh(&net->xfrm.xfrm_policy_lock);
545 si->incnt = net->xfrm.policy_count[XFRM_POLICY_IN];
546 si->outcnt = net->xfrm.policy_count[XFRM_POLICY_OUT];
547 si->fwdcnt = net->xfrm.policy_count[XFRM_POLICY_FWD];
548 si->inscnt = net->xfrm.policy_count[XFRM_POLICY_IN+XFRM_POLICY_MAX];
549 si->outscnt = net->xfrm.policy_count[XFRM_POLICY_OUT+XFRM_POLICY_MAX];
550 si->fwdscnt = net->xfrm.policy_count[XFRM_POLICY_FWD+XFRM_POLICY_MAX];
551 si->spdhcnt = net->xfrm.policy_idx_hmask;
552 si->spdhmcnt = xfrm_policy_hashmax;
553 read_unlock_bh(&net->xfrm.xfrm_policy_lock);
555 EXPORT_SYMBOL(xfrm_spd_getinfo);
557 static DEFINE_MUTEX(hash_resize_mutex);
558 static void xfrm_hash_resize(struct work_struct *work)
560 struct net *net = container_of(work, struct net, xfrm.policy_hash_work);
563 mutex_lock(&hash_resize_mutex);
566 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
567 if (xfrm_bydst_should_resize(net, dir, &total))
568 xfrm_bydst_resize(net, dir);
570 if (xfrm_byidx_should_resize(net, total))
571 xfrm_byidx_resize(net, total);
573 mutex_unlock(&hash_resize_mutex);
576 static void xfrm_hash_rebuild(struct work_struct *work)
578 struct net *net = container_of(work, struct net,
579 xfrm.policy_hthresh.work);
581 struct xfrm_policy *pol;
582 struct xfrm_policy *policy;
583 struct hlist_head *chain;
584 struct hlist_head *odst;
585 struct hlist_node *newpos;
589 u8 lbits4, rbits4, lbits6, rbits6;
591 mutex_lock(&hash_resize_mutex);
593 /* read selector prefixlen thresholds */
595 seq = read_seqbegin(&net->xfrm.policy_hthresh.lock);
597 lbits4 = net->xfrm.policy_hthresh.lbits4;
598 rbits4 = net->xfrm.policy_hthresh.rbits4;
599 lbits6 = net->xfrm.policy_hthresh.lbits6;
600 rbits6 = net->xfrm.policy_hthresh.rbits6;
601 } while (read_seqretry(&net->xfrm.policy_hthresh.lock, seq));
603 write_lock_bh(&net->xfrm.xfrm_policy_lock);
605 /* reset the bydst and inexact table in all directions */
606 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
607 INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]);
608 hmask = net->xfrm.policy_bydst[dir].hmask;
609 odst = net->xfrm.policy_bydst[dir].table;
610 for (i = hmask; i >= 0; i--)
611 INIT_HLIST_HEAD(odst + i);
612 if ((dir & XFRM_POLICY_MASK) == XFRM_POLICY_OUT) {
613 /* dir out => dst = remote, src = local */
614 net->xfrm.policy_bydst[dir].dbits4 = rbits4;
615 net->xfrm.policy_bydst[dir].sbits4 = lbits4;
616 net->xfrm.policy_bydst[dir].dbits6 = rbits6;
617 net->xfrm.policy_bydst[dir].sbits6 = lbits6;
619 /* dir in/fwd => dst = local, src = remote */
620 net->xfrm.policy_bydst[dir].dbits4 = lbits4;
621 net->xfrm.policy_bydst[dir].sbits4 = rbits4;
622 net->xfrm.policy_bydst[dir].dbits6 = lbits6;
623 net->xfrm.policy_bydst[dir].sbits6 = rbits6;
627 /* re-insert all policies by order of creation */
628 list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
630 chain = policy_hash_bysel(net, &policy->selector,
632 xfrm_policy_id2dir(policy->index));
633 hlist_for_each_entry(pol, chain, bydst) {
634 if (policy->priority >= pol->priority)
635 newpos = &pol->bydst;
640 hlist_add_behind(&policy->bydst, newpos);
642 hlist_add_head(&policy->bydst, chain);
645 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
647 mutex_unlock(&hash_resize_mutex);
650 void xfrm_policy_hash_rebuild(struct net *net)
652 schedule_work(&net->xfrm.policy_hthresh.work);
654 EXPORT_SYMBOL(xfrm_policy_hash_rebuild);
656 /* Generate new index... KAME seems to generate them ordered by cost
657 * of an absolute inpredictability of ordering of rules. This will not pass. */
658 static u32 xfrm_gen_index(struct net *net, int dir, u32 index)
660 static u32 idx_generator;
663 struct hlist_head *list;
664 struct xfrm_policy *p;
669 idx = (idx_generator | dir);
678 list = net->xfrm.policy_byidx + idx_hash(net, idx);
680 hlist_for_each_entry(p, list, byidx) {
681 if (p->index == idx) {
691 static inline int selector_cmp(struct xfrm_selector *s1, struct xfrm_selector *s2)
693 u32 *p1 = (u32 *) s1;
694 u32 *p2 = (u32 *) s2;
695 int len = sizeof(struct xfrm_selector) / sizeof(u32);
698 for (i = 0; i < len; i++) {
706 static void xfrm_policy_requeue(struct xfrm_policy *old,
707 struct xfrm_policy *new)
709 struct xfrm_policy_queue *pq = &old->polq;
710 struct sk_buff_head list;
712 if (skb_queue_empty(&pq->hold_queue))
715 __skb_queue_head_init(&list);
717 spin_lock_bh(&pq->hold_queue.lock);
718 skb_queue_splice_init(&pq->hold_queue, &list);
719 if (del_timer(&pq->hold_timer))
721 spin_unlock_bh(&pq->hold_queue.lock);
725 spin_lock_bh(&pq->hold_queue.lock);
726 skb_queue_splice(&list, &pq->hold_queue);
727 pq->timeout = XFRM_QUEUE_TMO_MIN;
728 if (!mod_timer(&pq->hold_timer, jiffies))
730 spin_unlock_bh(&pq->hold_queue.lock);
733 static bool xfrm_policy_mark_match(struct xfrm_policy *policy,
734 struct xfrm_policy *pol)
736 u32 mark = policy->mark.v & policy->mark.m;
738 if (policy->mark.v == pol->mark.v && policy->mark.m == pol->mark.m)
741 if ((mark & pol->mark.m) == pol->mark.v &&
742 policy->priority == pol->priority)
748 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
750 struct net *net = xp_net(policy);
751 struct xfrm_policy *pol;
752 struct xfrm_policy *delpol;
753 struct hlist_head *chain;
754 struct hlist_node *newpos;
756 write_lock_bh(&net->xfrm.xfrm_policy_lock);
757 chain = policy_hash_bysel(net, &policy->selector, policy->family, dir);
760 hlist_for_each_entry(pol, chain, bydst) {
761 if (pol->type == policy->type &&
762 !selector_cmp(&pol->selector, &policy->selector) &&
763 xfrm_policy_mark_match(policy, pol) &&
764 xfrm_sec_ctx_match(pol->security, policy->security) &&
767 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
771 if (policy->priority > pol->priority)
773 } else if (policy->priority >= pol->priority) {
774 newpos = &pol->bydst;
781 hlist_add_behind(&policy->bydst, newpos);
783 hlist_add_head(&policy->bydst, chain);
784 __xfrm_policy_link(policy, dir);
785 atomic_inc(&net->xfrm.flow_cache_genid);
787 /* After previous checking, family can either be AF_INET or AF_INET6 */
788 if (policy->family == AF_INET)
789 rt_genid_bump_ipv4(net);
791 rt_genid_bump_ipv6(net);
794 xfrm_policy_requeue(delpol, policy);
795 __xfrm_policy_unlink(delpol, dir);
797 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir, policy->index);
798 hlist_add_head(&policy->byidx, net->xfrm.policy_byidx+idx_hash(net, policy->index));
799 policy->curlft.add_time = get_seconds();
800 policy->curlft.use_time = 0;
801 if (!mod_timer(&policy->timer, jiffies + HZ))
802 xfrm_pol_hold(policy);
803 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
806 xfrm_policy_kill(delpol);
807 else if (xfrm_bydst_should_resize(net, dir, NULL))
808 schedule_work(&net->xfrm.policy_hash_work);
812 EXPORT_SYMBOL(xfrm_policy_insert);
814 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u8 type,
815 int dir, struct xfrm_selector *sel,
816 struct xfrm_sec_ctx *ctx, int delete,
819 struct xfrm_policy *pol, *ret;
820 struct hlist_head *chain;
823 write_lock_bh(&net->xfrm.xfrm_policy_lock);
824 chain = policy_hash_bysel(net, sel, sel->family, dir);
826 hlist_for_each_entry(pol, chain, bydst) {
827 if (pol->type == type &&
828 (mark & pol->mark.m) == pol->mark.v &&
829 !selector_cmp(sel, &pol->selector) &&
830 xfrm_sec_ctx_match(ctx, pol->security)) {
833 *err = security_xfrm_policy_delete(
836 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
839 __xfrm_policy_unlink(pol, dir);
845 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
848 xfrm_policy_kill(ret);
851 EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
853 struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8 type,
854 int dir, u32 id, int delete, int *err)
856 struct xfrm_policy *pol, *ret;
857 struct hlist_head *chain;
860 if (xfrm_policy_id2dir(id) != dir)
864 write_lock_bh(&net->xfrm.xfrm_policy_lock);
865 chain = net->xfrm.policy_byidx + idx_hash(net, id);
867 hlist_for_each_entry(pol, chain, byidx) {
868 if (pol->type == type && pol->index == id &&
869 (mark & pol->mark.m) == pol->mark.v) {
872 *err = security_xfrm_policy_delete(
875 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
878 __xfrm_policy_unlink(pol, dir);
884 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
887 xfrm_policy_kill(ret);
890 EXPORT_SYMBOL(xfrm_policy_byid);
892 #ifdef CONFIG_SECURITY_NETWORK_XFRM
894 xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid)
898 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
899 struct xfrm_policy *pol;
902 hlist_for_each_entry(pol,
903 &net->xfrm.policy_inexact[dir], bydst) {
904 if (pol->type != type)
906 err = security_xfrm_policy_delete(pol->security);
908 xfrm_audit_policy_delete(pol, 0, task_valid);
912 for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
913 hlist_for_each_entry(pol,
914 net->xfrm.policy_bydst[dir].table + i,
916 if (pol->type != type)
918 err = security_xfrm_policy_delete(
921 xfrm_audit_policy_delete(pol, 0,
932 xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid)
938 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)
940 int dir, err = 0, cnt = 0;
942 write_lock_bh(&net->xfrm.xfrm_policy_lock);
944 err = xfrm_policy_flush_secctx_check(net, type, task_valid);
948 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
949 struct xfrm_policy *pol;
953 hlist_for_each_entry(pol,
954 &net->xfrm.policy_inexact[dir], bydst) {
955 if (pol->type != type)
957 __xfrm_policy_unlink(pol, dir);
958 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
961 xfrm_audit_policy_delete(pol, 1, task_valid);
963 xfrm_policy_kill(pol);
965 write_lock_bh(&net->xfrm.xfrm_policy_lock);
969 for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
971 hlist_for_each_entry(pol,
972 net->xfrm.policy_bydst[dir].table + i,
974 if (pol->type != type)
976 __xfrm_policy_unlink(pol, dir);
977 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
980 xfrm_audit_policy_delete(pol, 1, task_valid);
981 xfrm_policy_kill(pol);
983 write_lock_bh(&net->xfrm.xfrm_policy_lock);
992 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
995 EXPORT_SYMBOL(xfrm_policy_flush);
997 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
998 int (*func)(struct xfrm_policy *, int, int, void*),
1001 struct xfrm_policy *pol;
1002 struct xfrm_policy_walk_entry *x;
1005 if (walk->type >= XFRM_POLICY_TYPE_MAX &&
1006 walk->type != XFRM_POLICY_TYPE_ANY)
1009 if (list_empty(&walk->walk.all) && walk->seq != 0)
1012 write_lock_bh(&net->xfrm.xfrm_policy_lock);
1013 if (list_empty(&walk->walk.all))
1014 x = list_first_entry(&net->xfrm.policy_all, struct xfrm_policy_walk_entry, all);
1016 x = list_first_entry(&walk->walk.all,
1017 struct xfrm_policy_walk_entry, all);
1019 list_for_each_entry_from(x, &net->xfrm.policy_all, all) {
1022 pol = container_of(x, struct xfrm_policy, walk);
1023 if (walk->type != XFRM_POLICY_TYPE_ANY &&
1024 walk->type != pol->type)
1026 error = func(pol, xfrm_policy_id2dir(pol->index),
1029 list_move_tail(&walk->walk.all, &x->all);
1034 if (walk->seq == 0) {
1038 list_del_init(&walk->walk.all);
1040 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
1043 EXPORT_SYMBOL(xfrm_policy_walk);
1045 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type)
1047 INIT_LIST_HEAD(&walk->walk.all);
1048 walk->walk.dead = 1;
1052 EXPORT_SYMBOL(xfrm_policy_walk_init);
1054 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net)
1056 if (list_empty(&walk->walk.all))
1059 write_lock_bh(&net->xfrm.xfrm_policy_lock); /*FIXME where is net? */
1060 list_del(&walk->walk.all);
1061 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
1063 EXPORT_SYMBOL(xfrm_policy_walk_done);
1066 * Find policy to apply to this flow.
1068 * Returns 0 if policy found, else an -errno.
1070 static int xfrm_policy_match(const struct xfrm_policy *pol,
1071 const struct flowi *fl,
1072 u8 type, u16 family, int dir)
1074 const struct xfrm_selector *sel = &pol->selector;
1078 if (pol->family != family ||
1079 (fl->flowi_mark & pol->mark.m) != pol->mark.v ||
1083 match = xfrm_selector_match(sel, fl, family);
1085 ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid,
1091 static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
1092 const struct flowi *fl,
1096 struct xfrm_policy *pol, *ret;
1097 const xfrm_address_t *daddr, *saddr;
1098 struct hlist_head *chain;
1101 daddr = xfrm_flowi_daddr(fl, family);
1102 saddr = xfrm_flowi_saddr(fl, family);
1103 if (unlikely(!daddr || !saddr))
1106 read_lock_bh(&net->xfrm.xfrm_policy_lock);
1107 chain = policy_hash_direct(net, daddr, saddr, family, dir);
1109 hlist_for_each_entry(pol, chain, bydst) {
1110 err = xfrm_policy_match(pol, fl, type, family, dir);
1120 priority = ret->priority;
1124 chain = &net->xfrm.policy_inexact[dir];
1125 hlist_for_each_entry(pol, chain, bydst) {
1126 if ((pol->priority >= priority) && ret)
1129 err = xfrm_policy_match(pol, fl, type, family, dir);
1145 read_unlock_bh(&net->xfrm.xfrm_policy_lock);
1150 static struct xfrm_policy *
1151 __xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir)
1153 #ifdef CONFIG_XFRM_SUB_POLICY
1154 struct xfrm_policy *pol;
1156 pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_SUB, fl, family, dir);
1160 return xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, fl, family, dir);
1163 static int flow_to_policy_dir(int dir)
1165 if (XFRM_POLICY_IN == FLOW_DIR_IN &&
1166 XFRM_POLICY_OUT == FLOW_DIR_OUT &&
1167 XFRM_POLICY_FWD == FLOW_DIR_FWD)
1173 return XFRM_POLICY_IN;
1175 return XFRM_POLICY_OUT;
1177 return XFRM_POLICY_FWD;
1181 static struct flow_cache_object *
1182 xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family,
1183 u8 dir, struct flow_cache_object *old_obj, void *ctx)
1185 struct xfrm_policy *pol;
1188 xfrm_pol_put(container_of(old_obj, struct xfrm_policy, flo));
1190 pol = __xfrm_policy_lookup(net, fl, family, flow_to_policy_dir(dir));
1191 if (IS_ERR_OR_NULL(pol))
1192 return ERR_CAST(pol);
1194 /* Resolver returns two references:
1195 * one for cache and one for caller of flow_cache_lookup() */
1201 static inline int policy_to_flow_dir(int dir)
1203 if (XFRM_POLICY_IN == FLOW_DIR_IN &&
1204 XFRM_POLICY_OUT == FLOW_DIR_OUT &&
1205 XFRM_POLICY_FWD == FLOW_DIR_FWD)
1209 case XFRM_POLICY_IN:
1211 case XFRM_POLICY_OUT:
1212 return FLOW_DIR_OUT;
1213 case XFRM_POLICY_FWD:
1214 return FLOW_DIR_FWD;
1218 static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
1219 const struct flowi *fl, u16 family)
1221 struct xfrm_policy *pol;
1222 struct net *net = sock_net(sk);
1225 read_lock_bh(&net->xfrm.xfrm_policy_lock);
1226 pol = rcu_dereference(sk->sk_policy[dir]);
1231 if (pol->family != family) {
1236 match = xfrm_selector_match(&pol->selector, fl, family);
1238 if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
1242 err = security_xfrm_policy_lookup(pol->security,
1244 policy_to_flow_dir(dir));
1247 else if (err == -ESRCH)
1255 read_unlock_bh(&net->xfrm.xfrm_policy_lock);
1260 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
1262 struct net *net = xp_net(pol);
1264 list_add(&pol->walk.all, &net->xfrm.policy_all);
1265 net->xfrm.policy_count[dir]++;
1269 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
1272 struct net *net = xp_net(pol);
1274 if (list_empty(&pol->walk.all))
1277 /* Socket policies are not hashed. */
1278 if (!hlist_unhashed(&pol->bydst)) {
1279 hlist_del(&pol->bydst);
1280 hlist_del(&pol->byidx);
1283 list_del_init(&pol->walk.all);
1284 net->xfrm.policy_count[dir]--;
1289 static void xfrm_sk_policy_link(struct xfrm_policy *pol, int dir)
1291 __xfrm_policy_link(pol, XFRM_POLICY_MAX + dir);
1294 static void xfrm_sk_policy_unlink(struct xfrm_policy *pol, int dir)
1296 __xfrm_policy_unlink(pol, XFRM_POLICY_MAX + dir);
1299 int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
1301 struct net *net = xp_net(pol);
1303 write_lock_bh(&net->xfrm.xfrm_policy_lock);
1304 pol = __xfrm_policy_unlink(pol, dir);
1305 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
1307 xfrm_policy_kill(pol);
1312 EXPORT_SYMBOL(xfrm_policy_delete);
1314 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
1316 struct net *net = sock_net(sk);
1317 struct xfrm_policy *old_pol;
1319 #ifdef CONFIG_XFRM_SUB_POLICY
1320 if (pol && pol->type != XFRM_POLICY_TYPE_MAIN)
1324 write_lock_bh(&net->xfrm.xfrm_policy_lock);
1325 old_pol = rcu_dereference_protected(sk->sk_policy[dir],
1326 lockdep_is_held(&net->xfrm.xfrm_policy_lock));
1328 pol->curlft.add_time = get_seconds();
1329 pol->index = xfrm_gen_index(net, XFRM_POLICY_MAX+dir, 0);
1330 xfrm_sk_policy_link(pol, dir);
1332 rcu_assign_pointer(sk->sk_policy[dir], pol);
1335 xfrm_policy_requeue(old_pol, pol);
1337 /* Unlinking succeeds always. This is the only function
1338 * allowed to delete or replace socket policy.
1340 xfrm_sk_policy_unlink(old_pol, dir);
1342 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
1345 xfrm_policy_kill(old_pol);
1350 static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
1352 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC);
1353 struct net *net = xp_net(old);
1356 newp->selector = old->selector;
1357 if (security_xfrm_policy_clone(old->security,
1360 return NULL; /* ENOMEM */
1362 newp->lft = old->lft;
1363 newp->curlft = old->curlft;
1364 newp->mark = old->mark;
1365 newp->action = old->action;
1366 newp->flags = old->flags;
1367 newp->xfrm_nr = old->xfrm_nr;
1368 newp->index = old->index;
1369 newp->type = old->type;
1370 newp->family = old->family;
1371 memcpy(newp->xfrm_vec, old->xfrm_vec,
1372 newp->xfrm_nr*sizeof(struct xfrm_tmpl));
1373 write_lock_bh(&net->xfrm.xfrm_policy_lock);
1374 xfrm_sk_policy_link(newp, dir);
1375 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
1381 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
1383 const struct xfrm_policy *p;
1384 struct xfrm_policy *np;
1388 for (i = 0; i < 2; i++) {
1389 p = rcu_dereference(osk->sk_policy[i]);
1391 np = clone_policy(p, i);
1392 if (unlikely(!np)) {
1396 rcu_assign_pointer(sk->sk_policy[i], np);
1404 xfrm_get_saddr(struct net *net, int oif, xfrm_address_t *local,
1405 xfrm_address_t *remote, unsigned short family, u32 mark)
1408 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1410 if (unlikely(afinfo == NULL))
1412 err = afinfo->get_saddr(net, oif, local, remote, mark);
1413 xfrm_policy_put_afinfo(afinfo);
1417 /* Resolve list of templates for the flow, given policy. */
1420 xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
1421 struct xfrm_state **xfrm, unsigned short family)
1423 struct net *net = xp_net(policy);
1426 xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
1427 xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
1430 for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
1431 struct xfrm_state *x;
1432 xfrm_address_t *remote = daddr;
1433 xfrm_address_t *local = saddr;
1434 struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
1436 if (tmpl->mode == XFRM_MODE_TUNNEL ||
1437 tmpl->mode == XFRM_MODE_BEET) {
1438 remote = &tmpl->id.daddr;
1439 local = &tmpl->saddr;
1440 if (xfrm_addr_any(local, tmpl->encap_family)) {
1441 error = xfrm_get_saddr(net, fl->flowi_oif,
1443 tmpl->encap_family, 0);
1450 x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
1452 if (x && x->km.state == XFRM_STATE_VALID) {
1459 error = (x->km.state == XFRM_STATE_ERROR ?
1462 } else if (error == -ESRCH) {
1466 if (!tmpl->optional)
1472 for (nx--; nx >= 0; nx--)
1473 xfrm_state_put(xfrm[nx]);
1478 xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl,
1479 struct xfrm_state **xfrm, unsigned short family)
1481 struct xfrm_state *tp[XFRM_MAX_DEPTH];
1482 struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
1488 for (i = 0; i < npols; i++) {
1489 if (cnx + pols[i]->xfrm_nr >= XFRM_MAX_DEPTH) {
1494 ret = xfrm_tmpl_resolve_one(pols[i], fl, &tpp[cnx], family);
1502 /* found states are sorted for outbound processing */
1504 xfrm_state_sort(xfrm, tpp, cnx, family);
1509 for (cnx--; cnx >= 0; cnx--)
1510 xfrm_state_put(tpp[cnx]);
1515 /* Check that the bundle accepts the flow and its components are
1519 static inline int xfrm_get_tos(const struct flowi *fl, int family)
1521 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1527 tos = afinfo->get_tos(fl);
1529 xfrm_policy_put_afinfo(afinfo);
1534 static struct flow_cache_object *xfrm_bundle_flo_get(struct flow_cache_object *flo)
1536 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1537 struct dst_entry *dst = &xdst->u.dst;
1539 if (xdst->route == NULL) {
1540 /* Dummy bundle - if it has xfrms we were not
1541 * able to build bundle as template resolution failed.
1542 * It means we need to try again resolving. */
1543 if (xdst->num_xfrms > 0)
1545 } else if (dst->flags & DST_XFRM_QUEUE) {
1549 if (stale_bundle(dst))
1557 static int xfrm_bundle_flo_check(struct flow_cache_object *flo)
1559 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1560 struct dst_entry *dst = &xdst->u.dst;
1564 if (stale_bundle(dst))
1570 static void xfrm_bundle_flo_delete(struct flow_cache_object *flo)
1572 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1573 struct dst_entry *dst = &xdst->u.dst;
1578 static const struct flow_cache_ops xfrm_bundle_fc_ops = {
1579 .get = xfrm_bundle_flo_get,
1580 .check = xfrm_bundle_flo_check,
1581 .delete = xfrm_bundle_flo_delete,
1584 static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
1586 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1587 struct dst_ops *dst_ops;
1588 struct xfrm_dst *xdst;
1591 return ERR_PTR(-EINVAL);
1595 dst_ops = &net->xfrm.xfrm4_dst_ops;
1597 #if IS_ENABLED(CONFIG_IPV6)
1599 dst_ops = &net->xfrm.xfrm6_dst_ops;
1605 xdst = dst_alloc(dst_ops, NULL, 0, DST_OBSOLETE_NONE, 0);
1608 struct dst_entry *dst = &xdst->u.dst;
1610 memset(dst + 1, 0, sizeof(*xdst) - sizeof(*dst));
1611 xdst->flo.ops = &xfrm_bundle_fc_ops;
1613 xdst = ERR_PTR(-ENOBUFS);
1615 xfrm_policy_put_afinfo(afinfo);
1620 static inline int xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst,
1623 struct xfrm_policy_afinfo *afinfo =
1624 xfrm_policy_get_afinfo(dst->ops->family);
1630 err = afinfo->init_path(path, dst, nfheader_len);
1632 xfrm_policy_put_afinfo(afinfo);
1637 static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
1638 const struct flowi *fl)
1640 struct xfrm_policy_afinfo *afinfo =
1641 xfrm_policy_get_afinfo(xdst->u.dst.ops->family);
1647 err = afinfo->fill_dst(xdst, dev, fl);
1649 xfrm_policy_put_afinfo(afinfo);
1655 /* Allocate chain of dst_entry's, attach known xfrm's, calculate
1656 * all the metrics... Shortly, bundle a bundle.
1659 static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
1660 struct xfrm_state **xfrm, int nx,
1661 const struct flowi *fl,
1662 struct dst_entry *dst)
1664 struct net *net = xp_net(policy);
1665 unsigned long now = jiffies;
1666 struct net_device *dev;
1667 struct xfrm_mode *inner_mode;
1668 struct dst_entry *dst_prev = NULL;
1669 struct dst_entry *dst0 = NULL;
1673 int nfheader_len = 0;
1674 int trailer_len = 0;
1676 int family = policy->selector.family;
1677 xfrm_address_t saddr, daddr;
1679 xfrm_flowi_addr_get(fl, &saddr, &daddr, family);
1681 tos = xfrm_get_tos(fl, family);
1688 for (; i < nx; i++) {
1689 struct xfrm_dst *xdst = xfrm_alloc_dst(net, family);
1690 struct dst_entry *dst1 = &xdst->u.dst;
1692 err = PTR_ERR(xdst);
1698 if (xfrm[i]->sel.family == AF_UNSPEC) {
1699 inner_mode = xfrm_ip2inner_mode(xfrm[i],
1700 xfrm_af2proto(family));
1702 err = -EAFNOSUPPORT;
1707 inner_mode = xfrm[i]->inner_mode;
1712 dst_prev->child = dst_clone(dst1);
1713 dst1->flags |= DST_NOHASH;
1717 dst_copy_metrics(dst1, dst);
1719 if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
1720 family = xfrm[i]->props.family;
1721 dst = xfrm_dst_lookup(xfrm[i], tos, fl->flowi_oif,
1722 &saddr, &daddr, family,
1723 xfrm[i]->props.output_mark);
1730 dst1->xfrm = xfrm[i];
1731 xdst->xfrm_genid = xfrm[i]->genid;
1733 dst1->obsolete = DST_OBSOLETE_FORCE_CHK;
1734 dst1->flags |= DST_HOST;
1735 dst1->lastuse = now;
1737 dst1->input = dst_discard;
1738 dst1->output = inner_mode->afinfo->output;
1740 dst1->next = dst_prev;
1743 header_len += xfrm[i]->props.header_len;
1744 if (xfrm[i]->type->flags & XFRM_TYPE_NON_FRAGMENT)
1745 nfheader_len += xfrm[i]->props.header_len;
1746 trailer_len += xfrm[i]->props.trailer_len;
1749 dst_prev->child = dst;
1757 xfrm_init_path((struct xfrm_dst *)dst0, dst, nfheader_len);
1758 xfrm_init_pmtu(dst_prev);
1760 for (dst_prev = dst0; dst_prev != dst; dst_prev = dst_prev->child) {
1761 struct xfrm_dst *xdst = (struct xfrm_dst *)dst_prev;
1763 err = xfrm_fill_dst(xdst, dev, fl);
1767 dst_prev->header_len = header_len;
1768 dst_prev->trailer_len = trailer_len;
1769 header_len -= xdst->u.dst.xfrm->props.header_len;
1770 trailer_len -= xdst->u.dst.xfrm->props.trailer_len;
1778 xfrm_state_put(xfrm[i]);
1782 dst0 = ERR_PTR(err);
1786 static int xfrm_expand_policies(const struct flowi *fl, u16 family,
1787 struct xfrm_policy **pols,
1788 int *num_pols, int *num_xfrms)
1792 if (*num_pols == 0 || !pols[0]) {
1797 if (IS_ERR(pols[0]))
1798 return PTR_ERR(pols[0]);
1800 *num_xfrms = pols[0]->xfrm_nr;
1802 #ifdef CONFIG_XFRM_SUB_POLICY
1803 if (pols[0] && pols[0]->action == XFRM_POLICY_ALLOW &&
1804 pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
1805 pols[1] = xfrm_policy_lookup_bytype(xp_net(pols[0]),
1806 XFRM_POLICY_TYPE_MAIN,
1810 if (IS_ERR(pols[1])) {
1811 xfrm_pols_put(pols, *num_pols);
1812 return PTR_ERR(pols[1]);
1815 (*num_xfrms) += pols[1]->xfrm_nr;
1819 for (i = 0; i < *num_pols; i++) {
1820 if (pols[i]->action != XFRM_POLICY_ALLOW) {
1830 static struct xfrm_dst *
1831 xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
1832 const struct flowi *fl, u16 family,
1833 struct dst_entry *dst_orig)
1835 struct net *net = xp_net(pols[0]);
1836 struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
1837 struct dst_entry *dst;
1838 struct xfrm_dst *xdst;
1841 /* Try to instantiate a bundle */
1842 err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);
1844 if (err != 0 && err != -EAGAIN)
1845 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
1846 return ERR_PTR(err);
1849 dst = xfrm_bundle_create(pols[0], xfrm, err, fl, dst_orig);
1851 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLEGENERROR);
1852 return ERR_CAST(dst);
1855 xdst = (struct xfrm_dst *)dst;
1856 xdst->num_xfrms = err;
1857 xdst->num_pols = num_pols;
1858 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols);
1859 xdst->policy_genid = atomic_read(&pols[0]->genid);
1864 static void xfrm_policy_queue_process(unsigned long arg)
1866 struct sk_buff *skb;
1868 struct dst_entry *dst;
1869 struct xfrm_policy *pol = (struct xfrm_policy *)arg;
1870 struct net *net = xp_net(pol);
1871 struct xfrm_policy_queue *pq = &pol->polq;
1873 struct sk_buff_head list;
1875 spin_lock(&pq->hold_queue.lock);
1876 skb = skb_peek(&pq->hold_queue);
1878 spin_unlock(&pq->hold_queue.lock);
1883 xfrm_decode_session(skb, &fl, dst->ops->family);
1884 spin_unlock(&pq->hold_queue.lock);
1886 dst_hold(dst->path);
1887 dst = xfrm_lookup(net, dst->path, &fl, sk, 0);
1891 if (dst->flags & DST_XFRM_QUEUE) {
1894 if (pq->timeout >= XFRM_QUEUE_TMO_MAX)
1897 pq->timeout = pq->timeout << 1;
1898 if (!mod_timer(&pq->hold_timer, jiffies + pq->timeout))
1905 __skb_queue_head_init(&list);
1907 spin_lock(&pq->hold_queue.lock);
1909 skb_queue_splice_init(&pq->hold_queue, &list);
1910 spin_unlock(&pq->hold_queue.lock);
1912 while (!skb_queue_empty(&list)) {
1913 skb = __skb_dequeue(&list);
1915 xfrm_decode_session(skb, &fl, skb_dst(skb)->ops->family);
1916 dst_hold(skb_dst(skb)->path);
1917 dst = xfrm_lookup(net, skb_dst(skb)->path, &fl, skb->sk, 0);
1925 skb_dst_set(skb, dst);
1927 dst_output(net, skb->sk, skb);
1936 skb_queue_purge(&pq->hold_queue);
1940 static int xdst_queue_output(struct net *net, struct sock *sk, struct sk_buff *skb)
1942 unsigned long sched_next;
1943 struct dst_entry *dst = skb_dst(skb);
1944 struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
1945 struct xfrm_policy *pol = xdst->pols[0];
1946 struct xfrm_policy_queue *pq = &pol->polq;
1948 if (unlikely(skb_fclone_busy(sk, skb))) {
1953 if (pq->hold_queue.qlen > XFRM_MAX_QUEUE_LEN) {
1960 spin_lock_bh(&pq->hold_queue.lock);
1963 pq->timeout = XFRM_QUEUE_TMO_MIN;
1965 sched_next = jiffies + pq->timeout;
1967 if (del_timer(&pq->hold_timer)) {
1968 if (time_before(pq->hold_timer.expires, sched_next))
1969 sched_next = pq->hold_timer.expires;
1973 __skb_queue_tail(&pq->hold_queue, skb);
1974 if (!mod_timer(&pq->hold_timer, sched_next))
1977 spin_unlock_bh(&pq->hold_queue.lock);
1982 static struct xfrm_dst *xfrm_create_dummy_bundle(struct net *net,
1983 struct xfrm_flo *xflo,
1984 const struct flowi *fl,
1989 struct net_device *dev;
1990 struct dst_entry *dst;
1991 struct dst_entry *dst1;
1992 struct xfrm_dst *xdst;
1994 xdst = xfrm_alloc_dst(net, family);
1998 if (!(xflo->flags & XFRM_LOOKUP_QUEUE) ||
1999 net->xfrm.sysctl_larval_drop ||
2003 dst = xflo->dst_orig;
2004 dst1 = &xdst->u.dst;
2008 dst_copy_metrics(dst1, dst);
2010 dst1->obsolete = DST_OBSOLETE_FORCE_CHK;
2011 dst1->flags |= DST_HOST | DST_XFRM_QUEUE;
2012 dst1->lastuse = jiffies;
2014 dst1->input = dst_discard;
2015 dst1->output = xdst_queue_output;
2021 xfrm_init_path((struct xfrm_dst *)dst1, dst, 0);
2028 err = xfrm_fill_dst(xdst, dev, fl);
2037 xdst = ERR_PTR(err);
2041 static struct flow_cache_object *
2042 xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir,
2043 struct flow_cache_object *oldflo, void *ctx)
2045 struct xfrm_flo *xflo = (struct xfrm_flo *)ctx;
2046 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
2047 struct xfrm_dst *xdst, *new_xdst;
2048 int num_pols = 0, num_xfrms = 0, i, err, pol_dead;
2050 /* Check if the policies from old bundle are usable */
2053 xdst = container_of(oldflo, struct xfrm_dst, flo);
2054 num_pols = xdst->num_pols;
2055 num_xfrms = xdst->num_xfrms;
2057 for (i = 0; i < num_pols; i++) {
2058 pols[i] = xdst->pols[i];
2059 pol_dead |= pols[i]->walk.dead;
2062 dst_free(&xdst->u.dst);
2070 /* Resolve policies to use if we couldn't get them from
2071 * previous cache entry */
2074 pols[0] = __xfrm_policy_lookup(net, fl, family,
2075 flow_to_policy_dir(dir));
2076 err = xfrm_expand_policies(fl, family, pols,
2077 &num_pols, &num_xfrms);
2083 goto make_dummy_bundle;
2086 new_xdst = xfrm_resolve_and_create_bundle(pols, num_pols, fl, family,
2088 if (IS_ERR(new_xdst)) {
2089 err = PTR_ERR(new_xdst);
2093 goto make_dummy_bundle;
2094 dst_hold(&xdst->u.dst);
2096 } else if (new_xdst == NULL) {
2099 goto make_dummy_bundle;
2100 xdst->num_xfrms = 0;
2101 dst_hold(&xdst->u.dst);
2105 /* Kill the previous bundle */
2107 /* The policies were stolen for newly generated bundle */
2109 dst_free(&xdst->u.dst);
2112 /* Flow cache does not have reference, it dst_free()'s,
2113 * but we do need to return one reference for original caller */
2114 dst_hold(&new_xdst->u.dst);
2115 return &new_xdst->flo;
2118 /* We found policies, but there's no bundles to instantiate:
2119 * either because the policy blocks, has no transformations or
2120 * we could not build template (no xfrm_states).*/
2121 xdst = xfrm_create_dummy_bundle(net, xflo, fl, num_xfrms, family);
2123 xfrm_pols_put(pols, num_pols);
2124 return ERR_CAST(xdst);
2126 xdst->num_pols = num_pols;
2127 xdst->num_xfrms = num_xfrms;
2128 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols);
2130 dst_hold(&xdst->u.dst);
2134 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
2137 dst_free(&xdst->u.dst);
2139 xfrm_pols_put(pols, num_pols);
2140 return ERR_PTR(err);
2143 static struct dst_entry *make_blackhole(struct net *net, u16 family,
2144 struct dst_entry *dst_orig)
2146 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
2147 struct dst_entry *ret;
2150 dst_release(dst_orig);
2151 return ERR_PTR(-EINVAL);
2153 ret = afinfo->blackhole_route(net, dst_orig);
2155 xfrm_policy_put_afinfo(afinfo);
2160 /* Main function: finds/creates a bundle for given flow.
2162 * At the moment we eat a raw IP route. Mostly to speed up lookups
2163 * on interfaces with disabled IPsec.
2165 struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
2166 const struct flowi *fl,
2167 const struct sock *sk, int flags)
2169 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
2170 struct flow_cache_object *flo;
2171 struct xfrm_dst *xdst;
2172 struct dst_entry *dst, *route;
2173 u16 family = dst_orig->ops->family;
2174 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
2175 int i, err, num_pols, num_xfrms = 0, drop_pols = 0;
2181 sk = sk_const_to_full_sk(sk);
2182 if (sk && sk->sk_policy[XFRM_POLICY_OUT]) {
2184 pols[0] = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl, family);
2185 err = xfrm_expand_policies(fl, family, pols,
2186 &num_pols, &num_xfrms);
2191 if (num_xfrms <= 0) {
2192 drop_pols = num_pols;
2196 xdst = xfrm_resolve_and_create_bundle(
2200 xfrm_pols_put(pols, num_pols);
2201 err = PTR_ERR(xdst);
2203 } else if (xdst == NULL) {
2205 drop_pols = num_pols;
2209 dst_hold(&xdst->u.dst);
2210 xdst->u.dst.flags |= DST_NOCACHE;
2211 route = xdst->route;
2216 struct xfrm_flo xflo;
2218 xflo.dst_orig = dst_orig;
2221 /* To accelerate a bit... */
2222 if ((dst_orig->flags & DST_NOXFRM) ||
2223 !net->xfrm.policy_count[XFRM_POLICY_OUT])
2226 flo = flow_cache_lookup(net, fl, family, dir,
2227 xfrm_bundle_lookup, &xflo);
2234 xdst = container_of(flo, struct xfrm_dst, flo);
2236 num_pols = xdst->num_pols;
2237 num_xfrms = xdst->num_xfrms;
2238 memcpy(pols, xdst->pols, sizeof(struct xfrm_policy *) * num_pols);
2239 route = xdst->route;
2243 if (route == NULL && num_xfrms > 0) {
2244 /* The only case when xfrm_bundle_lookup() returns a
2245 * bundle with null route, is when the template could
2246 * not be resolved. It means policies are there, but
2247 * bundle could not be created, since we don't yet
2248 * have the xfrm_state's. We need to wait for KM to
2249 * negotiate new SA's or bail out with error.*/
2250 if (net->xfrm.sysctl_larval_drop) {
2251 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
2258 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
2266 if ((flags & XFRM_LOOKUP_ICMP) &&
2267 !(pols[0]->flags & XFRM_POLICY_ICMP)) {
2272 for (i = 0; i < num_pols; i++)
2273 pols[i]->curlft.use_time = get_seconds();
2275 if (num_xfrms < 0) {
2276 /* Prohibit the flow */
2277 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLBLOCK);
2280 } else if (num_xfrms > 0) {
2281 /* Flow transformed */
2282 dst_release(dst_orig);
2284 /* Flow passes untransformed */
2289 xfrm_pols_put(pols, drop_pols);
2290 if (dst && dst->xfrm &&
2291 dst->xfrm->props.mode == XFRM_MODE_TUNNEL)
2292 dst->flags |= DST_XFRM_TUNNEL;
2296 if (!(flags & XFRM_LOOKUP_ICMP)) {
2304 if (!(flags & XFRM_LOOKUP_KEEP_DST_REF))
2305 dst_release(dst_orig);
2306 xfrm_pols_put(pols, drop_pols);
2307 return ERR_PTR(err);
2309 EXPORT_SYMBOL(xfrm_lookup);
2311 /* Callers of xfrm_lookup_route() must ensure a call to dst_output().
2312 * Otherwise we may send out blackholed packets.
2314 struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig,
2315 const struct flowi *fl,
2316 const struct sock *sk, int flags)
2318 struct dst_entry *dst = xfrm_lookup(net, dst_orig, fl, sk,
2319 flags | XFRM_LOOKUP_QUEUE |
2320 XFRM_LOOKUP_KEEP_DST_REF);
2322 if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
2323 return make_blackhole(net, dst_orig->ops->family, dst_orig);
2327 EXPORT_SYMBOL(xfrm_lookup_route);
2330 xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
2332 struct xfrm_state *x;
2334 if (!skb->sp || idx < 0 || idx >= skb->sp->len)
2336 x = skb->sp->xvec[idx];
2337 if (!x->type->reject)
2339 return x->type->reject(x, skb, fl);
2342 /* When skb is transformed back to its "native" form, we have to
2343 * check policy restrictions. At the moment we make this in maximally
2344 * stupid way. Shame on me. :-) Of course, connected sockets must
2345 * have policy cached at them.
2349 xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
2350 unsigned short family)
2352 if (xfrm_state_kern(x))
2353 return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family);
2354 return x->id.proto == tmpl->id.proto &&
2355 (x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
2356 (x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
2357 x->props.mode == tmpl->mode &&
2358 (tmpl->allalgs || (tmpl->aalgos & (1<<x->props.aalgo)) ||
2359 !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
2360 !(x->props.mode != XFRM_MODE_TRANSPORT &&
2361 xfrm_state_addr_cmp(tmpl, x, family));
2365 * 0 or more than 0 is returned when validation is succeeded (either bypass
2366 * because of optional transport mode, or next index of the mathced secpath
2367 * state with the template.
2368 * -1 is returned when no matching template is found.
2369 * Otherwise "-2 - errored_index" is returned.
2372 xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start,
2373 unsigned short family)
2377 if (tmpl->optional) {
2378 if (tmpl->mode == XFRM_MODE_TRANSPORT)
2382 for (; idx < sp->len; idx++) {
2383 if (xfrm_state_ok(tmpl, sp->xvec[idx], family))
2385 if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
2394 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
2395 unsigned int family, int reverse)
2397 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
2400 if (unlikely(afinfo == NULL))
2401 return -EAFNOSUPPORT;
2403 afinfo->decode_session(skb, fl, reverse);
2404 err = security_xfrm_decode_session(skb, &fl->flowi_secid);
2405 xfrm_policy_put_afinfo(afinfo);
2408 EXPORT_SYMBOL(__xfrm_decode_session);
2410 static inline int secpath_has_nontransport(const struct sec_path *sp, int k, int *idxp)
2412 for (; k < sp->len; k++) {
2413 if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
2422 int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
2423 unsigned short family)
2425 struct net *net = dev_net(skb->dev);
2426 struct xfrm_policy *pol;
2427 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
2436 reverse = dir & ~XFRM_POLICY_MASK;
2437 dir &= XFRM_POLICY_MASK;
2438 fl_dir = policy_to_flow_dir(dir);
2440 if (__xfrm_decode_session(skb, &fl, family, reverse) < 0) {
2441 XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
2445 nf_nat_decode_session(skb, &fl, family);
2447 /* First, check used SA against their selectors. */
2451 for (i = skb->sp->len-1; i >= 0; i--) {
2452 struct xfrm_state *x = skb->sp->xvec[i];
2453 if (!xfrm_selector_match(&x->sel, &fl, family)) {
2454 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH);
2461 sk = sk_to_full_sk(sk);
2462 if (sk && sk->sk_policy[dir]) {
2463 pol = xfrm_sk_policy_lookup(sk, dir, &fl, family);
2465 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
2471 struct flow_cache_object *flo;
2473 flo = flow_cache_lookup(net, &fl, family, fl_dir,
2474 xfrm_policy_lookup, NULL);
2475 if (IS_ERR_OR_NULL(flo))
2476 pol = ERR_CAST(flo);
2478 pol = container_of(flo, struct xfrm_policy, flo);
2482 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
2487 if (skb->sp && secpath_has_nontransport(skb->sp, 0, &xerr_idx)) {
2488 xfrm_secpath_reject(xerr_idx, skb, &fl);
2489 XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
2495 pol->curlft.use_time = get_seconds();
2499 #ifdef CONFIG_XFRM_SUB_POLICY
2500 if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
2501 pols[1] = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN,
2505 if (IS_ERR(pols[1])) {
2506 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
2509 pols[1]->curlft.use_time = get_seconds();
2515 if (pol->action == XFRM_POLICY_ALLOW) {
2516 struct sec_path *sp;
2517 static struct sec_path dummy;
2518 struct xfrm_tmpl *tp[XFRM_MAX_DEPTH];
2519 struct xfrm_tmpl *stp[XFRM_MAX_DEPTH];
2520 struct xfrm_tmpl **tpp = tp;
2524 if ((sp = skb->sp) == NULL)
2527 for (pi = 0; pi < npols; pi++) {
2528 if (pols[pi] != pol &&
2529 pols[pi]->action != XFRM_POLICY_ALLOW) {
2530 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
2533 if (ti + pols[pi]->xfrm_nr >= XFRM_MAX_DEPTH) {
2534 XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
2537 for (i = 0; i < pols[pi]->xfrm_nr; i++)
2538 tpp[ti++] = &pols[pi]->xfrm_vec[i];
2542 xfrm_tmpl_sort(stp, tpp, xfrm_nr, family, net);
2546 /* For each tunnel xfrm, find the first matching tmpl.
2547 * For each tmpl before that, find corresponding xfrm.
2548 * Order is _important_. Later we will implement
2549 * some barriers, but at the moment barriers
2550 * are implied between each two transformations.
2552 for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
2553 k = xfrm_policy_ok(tpp[i], sp, k, family);
2556 /* "-2 - errored_index" returned */
2558 XFRM_INC_STATS(net, LINUX_MIB_XFRMINTMPLMISMATCH);
2563 if (secpath_has_nontransport(sp, k, &xerr_idx)) {
2564 XFRM_INC_STATS(net, LINUX_MIB_XFRMINTMPLMISMATCH);
2568 xfrm_pols_put(pols, npols);
2571 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
2574 xfrm_secpath_reject(xerr_idx, skb, &fl);
2576 xfrm_pols_put(pols, npols);
2579 EXPORT_SYMBOL(__xfrm_policy_check);
2581 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
2583 struct net *net = dev_net(skb->dev);
2585 struct dst_entry *dst;
2588 if (xfrm_decode_session(skb, &fl, family) < 0) {
2589 XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
2595 dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE);
2600 skb_dst_set(skb, dst);
2603 EXPORT_SYMBOL(__xfrm_route_forward);
2605 /* Optimize later using cookies and generation ids. */
2607 static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
2609 /* Code (such as __xfrm4_bundle_create()) sets dst->obsolete
2610 * to DST_OBSOLETE_FORCE_CHK to force all XFRM destinations to
2611 * get validated by dst_ops->check on every use. We do this
2612 * because when a normal route referenced by an XFRM dst is
2613 * obsoleted we do not go looking around for all parent
2614 * referencing XFRM dsts so that we can invalidate them. It
2615 * is just too much work. Instead we make the checks here on
2616 * every use. For example:
2618 * XFRM dst A --> IPv4 dst X
2620 * X is the "xdst->route" of A (X is also the "dst->path" of A
2621 * in this example). If X is marked obsolete, "A" will not
2622 * notice. That's what we are validating here via the
2623 * stale_bundle() check.
2625 * When a policy's bundle is pruned, we dst_free() the XFRM
2626 * dst which causes it's ->obsolete field to be set to
2627 * DST_OBSOLETE_DEAD. If an XFRM dst has been pruned like
2628 * this, we want to force a new route lookup.
2630 if (dst->obsolete < 0 && !stale_bundle(dst))
2636 static int stale_bundle(struct dst_entry *dst)
2638 return !xfrm_bundle_ok((struct xfrm_dst *)dst);
2641 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
2643 while ((dst = dst->child) && dst->xfrm && dst->dev == dev) {
2644 dst->dev = dev_net(dev)->loopback_dev;
2649 EXPORT_SYMBOL(xfrm_dst_ifdown);
2651 static void xfrm_link_failure(struct sk_buff *skb)
2653 /* Impossible. Such dst must be popped before reaches point of failure. */
2656 static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
2659 if (dst->obsolete) {
2667 void xfrm_garbage_collect(struct net *net)
2669 flow_cache_flush(net);
2671 EXPORT_SYMBOL(xfrm_garbage_collect);
2673 static void xfrm_garbage_collect_deferred(struct net *net)
2675 flow_cache_flush_deferred(net);
2678 static void xfrm_init_pmtu(struct dst_entry *dst)
2681 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
2682 u32 pmtu, route_mtu_cached;
2684 pmtu = dst_mtu(dst->child);
2685 xdst->child_mtu_cached = pmtu;
2687 pmtu = xfrm_state_mtu(dst->xfrm, pmtu);
2689 route_mtu_cached = dst_mtu(xdst->route);
2690 xdst->route_mtu_cached = route_mtu_cached;
2692 if (pmtu > route_mtu_cached)
2693 pmtu = route_mtu_cached;
2695 dst_metric_set(dst, RTAX_MTU, pmtu);
2696 } while ((dst = dst->next));
2699 /* Check that the bundle accepts the flow and its components are
2703 static int xfrm_bundle_ok(struct xfrm_dst *first)
2705 struct dst_entry *dst = &first->u.dst;
2706 struct xfrm_dst *last;
2709 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
2710 (dst->dev && !netif_running(dst->dev)))
2713 if (dst->flags & DST_XFRM_QUEUE)
2719 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
2721 if (dst->xfrm->km.state != XFRM_STATE_VALID)
2723 if (xdst->xfrm_genid != dst->xfrm->genid)
2725 if (xdst->num_pols > 0 &&
2726 xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
2729 mtu = dst_mtu(dst->child);
2730 if (xdst->child_mtu_cached != mtu) {
2732 xdst->child_mtu_cached = mtu;
2735 if (!dst_check(xdst->route, xdst->route_cookie))
2737 mtu = dst_mtu(xdst->route);
2738 if (xdst->route_mtu_cached != mtu) {
2740 xdst->route_mtu_cached = mtu;
2744 } while (dst->xfrm);
2749 mtu = last->child_mtu_cached;
2753 mtu = xfrm_state_mtu(dst->xfrm, mtu);
2754 if (mtu > last->route_mtu_cached)
2755 mtu = last->route_mtu_cached;
2756 dst_metric_set(dst, RTAX_MTU, mtu);
2761 last = (struct xfrm_dst *)last->u.dst.next;
2762 last->child_mtu_cached = mtu;
2768 static unsigned int xfrm_default_advmss(const struct dst_entry *dst)
2770 return dst_metric_advmss(dst->path);
2773 static unsigned int xfrm_mtu(const struct dst_entry *dst)
2775 unsigned int mtu = dst_metric_raw(dst, RTAX_MTU);
2777 return mtu ? : dst_mtu(dst->path);
2780 static struct neighbour *xfrm_neigh_lookup(const struct dst_entry *dst,
2781 struct sk_buff *skb,
2784 return dst->path->ops->neigh_lookup(dst, skb, daddr);
2787 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
2790 if (unlikely(afinfo == NULL))
2792 if (unlikely(afinfo->family >= NPROTO))
2793 return -EAFNOSUPPORT;
2794 spin_lock(&xfrm_policy_afinfo_lock);
2795 if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL))
2798 struct dst_ops *dst_ops = afinfo->dst_ops;
2799 if (likely(dst_ops->kmem_cachep == NULL))
2800 dst_ops->kmem_cachep = xfrm_dst_cache;
2801 if (likely(dst_ops->check == NULL))
2802 dst_ops->check = xfrm_dst_check;
2803 if (likely(dst_ops->default_advmss == NULL))
2804 dst_ops->default_advmss = xfrm_default_advmss;
2805 if (likely(dst_ops->mtu == NULL))
2806 dst_ops->mtu = xfrm_mtu;
2807 if (likely(dst_ops->negative_advice == NULL))
2808 dst_ops->negative_advice = xfrm_negative_advice;
2809 if (likely(dst_ops->link_failure == NULL))
2810 dst_ops->link_failure = xfrm_link_failure;
2811 if (likely(dst_ops->neigh_lookup == NULL))
2812 dst_ops->neigh_lookup = xfrm_neigh_lookup;
2813 if (likely(afinfo->garbage_collect == NULL))
2814 afinfo->garbage_collect = xfrm_garbage_collect_deferred;
2815 rcu_assign_pointer(xfrm_policy_afinfo[afinfo->family], afinfo);
2817 spin_unlock(&xfrm_policy_afinfo_lock);
2821 EXPORT_SYMBOL(xfrm_policy_register_afinfo);
2823 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
2826 if (unlikely(afinfo == NULL))
2828 if (unlikely(afinfo->family >= NPROTO))
2829 return -EAFNOSUPPORT;
2830 spin_lock(&xfrm_policy_afinfo_lock);
2831 if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) {
2832 if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo))
2835 RCU_INIT_POINTER(xfrm_policy_afinfo[afinfo->family],
2838 spin_unlock(&xfrm_policy_afinfo_lock);
2840 struct dst_ops *dst_ops = afinfo->dst_ops;
2844 dst_ops->kmem_cachep = NULL;
2845 dst_ops->check = NULL;
2846 dst_ops->negative_advice = NULL;
2847 dst_ops->link_failure = NULL;
2848 afinfo->garbage_collect = NULL;
2852 EXPORT_SYMBOL(xfrm_policy_unregister_afinfo);
2854 static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr)
2856 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
2860 xfrm_garbage_collect(dev_net(dev));
2865 static struct notifier_block xfrm_dev_notifier = {
2866 .notifier_call = xfrm_dev_event,
2869 #ifdef CONFIG_XFRM_STATISTICS
2870 static int __net_init xfrm_statistics_init(struct net *net)
2873 net->mib.xfrm_statistics = alloc_percpu(struct linux_xfrm_mib);
2874 if (!net->mib.xfrm_statistics)
2876 rv = xfrm_proc_init(net);
2878 free_percpu(net->mib.xfrm_statistics);
2882 static void xfrm_statistics_fini(struct net *net)
2884 xfrm_proc_fini(net);
2885 free_percpu(net->mib.xfrm_statistics);
2888 static int __net_init xfrm_statistics_init(struct net *net)
2893 static void xfrm_statistics_fini(struct net *net)
2898 static int __net_init xfrm_policy_init(struct net *net)
2900 unsigned int hmask, sz;
2903 if (net_eq(net, &init_net))
2904 xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache",
2905 sizeof(struct xfrm_dst),
2906 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC,
2910 sz = (hmask+1) * sizeof(struct hlist_head);
2912 net->xfrm.policy_byidx = xfrm_hash_alloc(sz);
2913 if (!net->xfrm.policy_byidx)
2915 net->xfrm.policy_idx_hmask = hmask;
2917 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
2918 struct xfrm_policy_hash *htab;
2920 net->xfrm.policy_count[dir] = 0;
2921 net->xfrm.policy_count[XFRM_POLICY_MAX + dir] = 0;
2922 INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]);
2924 htab = &net->xfrm.policy_bydst[dir];
2925 htab->table = xfrm_hash_alloc(sz);
2928 htab->hmask = hmask;
2934 net->xfrm.policy_hthresh.lbits4 = 32;
2935 net->xfrm.policy_hthresh.rbits4 = 32;
2936 net->xfrm.policy_hthresh.lbits6 = 128;
2937 net->xfrm.policy_hthresh.rbits6 = 128;
2939 seqlock_init(&net->xfrm.policy_hthresh.lock);
2941 INIT_LIST_HEAD(&net->xfrm.policy_all);
2942 INIT_WORK(&net->xfrm.policy_hash_work, xfrm_hash_resize);
2943 INIT_WORK(&net->xfrm.policy_hthresh.work, xfrm_hash_rebuild);
2944 if (net_eq(net, &init_net))
2945 register_netdevice_notifier(&xfrm_dev_notifier);
2949 for (dir--; dir >= 0; dir--) {
2950 struct xfrm_policy_hash *htab;
2952 htab = &net->xfrm.policy_bydst[dir];
2953 xfrm_hash_free(htab->table, sz);
2955 xfrm_hash_free(net->xfrm.policy_byidx, sz);
2960 static void xfrm_policy_fini(struct net *net)
2965 flush_work(&net->xfrm.policy_hash_work);
2966 #ifdef CONFIG_XFRM_SUB_POLICY
2967 xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, false);
2969 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
2971 WARN_ON(!list_empty(&net->xfrm.policy_all));
2973 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
2974 struct xfrm_policy_hash *htab;
2976 WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir]));
2978 htab = &net->xfrm.policy_bydst[dir];
2979 sz = (htab->hmask + 1) * sizeof(struct hlist_head);
2980 WARN_ON(!hlist_empty(htab->table));
2981 xfrm_hash_free(htab->table, sz);
2984 sz = (net->xfrm.policy_idx_hmask + 1) * sizeof(struct hlist_head);
2985 WARN_ON(!hlist_empty(net->xfrm.policy_byidx));
2986 xfrm_hash_free(net->xfrm.policy_byidx, sz);
2989 static int __net_init xfrm_net_init(struct net *net)
2993 /* Initialize the per-net locks here */
2994 spin_lock_init(&net->xfrm.xfrm_state_lock);
2995 rwlock_init(&net->xfrm.xfrm_policy_lock);
2996 mutex_init(&net->xfrm.xfrm_cfg_mutex);
2998 rv = xfrm_statistics_init(net);
3000 goto out_statistics;
3001 rv = xfrm_state_init(net);
3004 rv = xfrm_policy_init(net);
3007 rv = xfrm_sysctl_init(net);
3010 rv = flow_cache_init(net);
3017 xfrm_sysctl_fini(net);
3019 xfrm_policy_fini(net);
3021 xfrm_state_fini(net);
3023 xfrm_statistics_fini(net);
3028 static void __net_exit xfrm_net_exit(struct net *net)
3030 flow_cache_fini(net);
3031 xfrm_sysctl_fini(net);
3032 xfrm_policy_fini(net);
3033 xfrm_state_fini(net);
3034 xfrm_statistics_fini(net);
3037 static struct pernet_operations __net_initdata xfrm_net_ops = {
3038 .init = xfrm_net_init,
3039 .exit = xfrm_net_exit,
3042 void __init xfrm_init(void)
3044 register_pernet_subsys(&xfrm_net_ops);
3048 #ifdef CONFIG_AUDITSYSCALL
3049 static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
3050 struct audit_buffer *audit_buf)
3052 struct xfrm_sec_ctx *ctx = xp->security;
3053 struct xfrm_selector *sel = &xp->selector;
3056 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
3057 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
3059 switch (sel->family) {
3061 audit_log_format(audit_buf, " src=%pI4", &sel->saddr.a4);
3062 if (sel->prefixlen_s != 32)
3063 audit_log_format(audit_buf, " src_prefixlen=%d",
3065 audit_log_format(audit_buf, " dst=%pI4", &sel->daddr.a4);
3066 if (sel->prefixlen_d != 32)
3067 audit_log_format(audit_buf, " dst_prefixlen=%d",
3071 audit_log_format(audit_buf, " src=%pI6", sel->saddr.a6);
3072 if (sel->prefixlen_s != 128)
3073 audit_log_format(audit_buf, " src_prefixlen=%d",
3075 audit_log_format(audit_buf, " dst=%pI6", sel->daddr.a6);
3076 if (sel->prefixlen_d != 128)
3077 audit_log_format(audit_buf, " dst_prefixlen=%d",
3083 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid)
3085 struct audit_buffer *audit_buf;
3087 audit_buf = xfrm_audit_start("SPD-add");
3088 if (audit_buf == NULL)
3090 xfrm_audit_helper_usrinfo(task_valid, audit_buf);
3091 audit_log_format(audit_buf, " res=%u", result);
3092 xfrm_audit_common_policyinfo(xp, audit_buf);
3093 audit_log_end(audit_buf);
3095 EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
3097 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
3100 struct audit_buffer *audit_buf;
3102 audit_buf = xfrm_audit_start("SPD-delete");
3103 if (audit_buf == NULL)
3105 xfrm_audit_helper_usrinfo(task_valid, audit_buf);
3106 audit_log_format(audit_buf, " res=%u", result);
3107 xfrm_audit_common_policyinfo(xp, audit_buf);
3108 audit_log_end(audit_buf);
3110 EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
3113 #ifdef CONFIG_XFRM_MIGRATE
3114 static bool xfrm_migrate_selector_match(const struct xfrm_selector *sel_cmp,
3115 const struct xfrm_selector *sel_tgt)
3117 if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
3118 if (sel_tgt->family == sel_cmp->family &&
3119 xfrm_addr_equal(&sel_tgt->daddr, &sel_cmp->daddr,
3121 xfrm_addr_equal(&sel_tgt->saddr, &sel_cmp->saddr,
3123 sel_tgt->prefixlen_d == sel_cmp->prefixlen_d &&
3124 sel_tgt->prefixlen_s == sel_cmp->prefixlen_s) {
3128 if (memcmp(sel_tgt, sel_cmp, sizeof(*sel_tgt)) == 0) {
3135 static struct xfrm_policy *xfrm_migrate_policy_find(const struct xfrm_selector *sel,
3136 u8 dir, u8 type, struct net *net)
3138 struct xfrm_policy *pol, *ret = NULL;
3139 struct hlist_head *chain;
3142 read_lock_bh(&net->xfrm.xfrm_policy_lock); /*FIXME*/
3143 chain = policy_hash_direct(net, &sel->daddr, &sel->saddr, sel->family, dir);
3144 hlist_for_each_entry(pol, chain, bydst) {
3145 if (xfrm_migrate_selector_match(sel, &pol->selector) &&
3146 pol->type == type) {
3148 priority = ret->priority;
3152 chain = &net->xfrm.policy_inexact[dir];
3153 hlist_for_each_entry(pol, chain, bydst) {
3154 if ((pol->priority >= priority) && ret)
3157 if (xfrm_migrate_selector_match(sel, &pol->selector) &&
3158 pol->type == type) {
3166 read_unlock_bh(&net->xfrm.xfrm_policy_lock);
3171 static int migrate_tmpl_match(const struct xfrm_migrate *m, const struct xfrm_tmpl *t)
3175 if (t->mode == m->mode && t->id.proto == m->proto &&
3176 (m->reqid == 0 || t->reqid == m->reqid)) {
3178 case XFRM_MODE_TUNNEL:
3179 case XFRM_MODE_BEET:
3180 if (xfrm_addr_equal(&t->id.daddr, &m->old_daddr,
3182 xfrm_addr_equal(&t->saddr, &m->old_saddr,
3187 case XFRM_MODE_TRANSPORT:
3188 /* in case of transport mode, template does not store
3189 any IP addresses, hence we just compare mode and
3200 /* update endpoint address(es) of template(s) */
3201 static int xfrm_policy_migrate(struct xfrm_policy *pol,
3202 struct xfrm_migrate *m, int num_migrate)
3204 struct xfrm_migrate *mp;
3207 write_lock_bh(&pol->lock);
3208 if (unlikely(pol->walk.dead)) {
3209 /* target policy has been deleted */
3210 write_unlock_bh(&pol->lock);
3214 for (i = 0; i < pol->xfrm_nr; i++) {
3215 for (j = 0, mp = m; j < num_migrate; j++, mp++) {
3216 if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i]))
3219 if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL &&
3220 pol->xfrm_vec[i].mode != XFRM_MODE_BEET)
3222 /* update endpoints */
3223 memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr,
3224 sizeof(pol->xfrm_vec[i].id.daddr));
3225 memcpy(&pol->xfrm_vec[i].saddr, &mp->new_saddr,
3226 sizeof(pol->xfrm_vec[i].saddr));
3227 pol->xfrm_vec[i].encap_family = mp->new_family;
3229 atomic_inc(&pol->genid);
3233 write_unlock_bh(&pol->lock);
3241 static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate)
3245 if (num_migrate < 1 || num_migrate > XFRM_MAX_DEPTH)
3248 for (i = 0; i < num_migrate; i++) {
3249 if (xfrm_addr_equal(&m[i].old_daddr, &m[i].new_daddr,
3251 xfrm_addr_equal(&m[i].old_saddr, &m[i].new_saddr,
3254 if (xfrm_addr_any(&m[i].new_daddr, m[i].new_family) ||
3255 xfrm_addr_any(&m[i].new_saddr, m[i].new_family))
3258 /* check if there is any duplicated entry */
3259 for (j = i + 1; j < num_migrate; j++) {
3260 if (!memcmp(&m[i].old_daddr, &m[j].old_daddr,
3261 sizeof(m[i].old_daddr)) &&
3262 !memcmp(&m[i].old_saddr, &m[j].old_saddr,
3263 sizeof(m[i].old_saddr)) &&
3264 m[i].proto == m[j].proto &&
3265 m[i].mode == m[j].mode &&
3266 m[i].reqid == m[j].reqid &&
3267 m[i].old_family == m[j].old_family)
3275 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
3276 struct xfrm_migrate *m, int num_migrate,
3277 struct xfrm_kmaddress *k, struct net *net)
3279 int i, err, nx_cur = 0, nx_new = 0;
3280 struct xfrm_policy *pol = NULL;
3281 struct xfrm_state *x, *xc;
3282 struct xfrm_state *x_cur[XFRM_MAX_DEPTH];
3283 struct xfrm_state *x_new[XFRM_MAX_DEPTH];
3284 struct xfrm_migrate *mp;
3286 /* Stage 0 - sanity checks */
3287 if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
3290 if (dir >= XFRM_POLICY_MAX) {
3295 /* Stage 1 - find policy */
3296 if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {
3301 /* Stage 2 - find and update state(s) */
3302 for (i = 0, mp = m; i < num_migrate; i++, mp++) {
3303 if ((x = xfrm_migrate_state_find(mp, net))) {
3306 if ((xc = xfrm_state_migrate(x, mp))) {
3316 /* Stage 3 - update policy */
3317 if ((err = xfrm_policy_migrate(pol, m, num_migrate)) < 0)
3320 /* Stage 4 - delete old state(s) */
3322 xfrm_states_put(x_cur, nx_cur);
3323 xfrm_states_delete(x_cur, nx_cur);
3326 /* Stage 5 - announce */
3327 km_migrate(sel, dir, type, m, num_migrate, k);
3339 xfrm_states_put(x_cur, nx_cur);
3341 xfrm_states_delete(x_new, nx_new);
3345 EXPORT_SYMBOL(xfrm_migrate);
OSDN Git Service
