6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * Kazunori MIYAZAWA @USAGI
11 * Split up af-specific portion
12 * Derek Atkins <derek@ihtfp.com> Add the post_input processor
16 #include <linux/err.h>
17 #include <linux/slab.h>
18 #include <linux/kmod.h>
19 #include <linux/list.h>
20 #include <linux/spinlock.h>
21 #include <linux/workqueue.h>
22 #include <linux/notifier.h>
23 #include <linux/netdevice.h>
24 #include <linux/netfilter.h>
25 #include <linux/module.h>
26 #include <linux/cache.h>
27 #include <linux/audit.h>
31 #ifdef CONFIG_XFRM_STATISTICS
35 #include "xfrm_hash.h"
37 int sysctl_xfrm_larval_drop __read_mostly = 1;
39 #ifdef CONFIG_XFRM_STATISTICS
40 DEFINE_SNMP_STAT(struct linux_xfrm_mib, xfrm_statistics) __read_mostly;
41 EXPORT_SYMBOL(xfrm_statistics);
44 DEFINE_MUTEX(xfrm_cfg_mutex);
45 EXPORT_SYMBOL(xfrm_cfg_mutex);
47 static DEFINE_RWLOCK(xfrm_policy_lock);
49 unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2];
50 EXPORT_SYMBOL(xfrm_policy_count);
52 static DEFINE_RWLOCK(xfrm_policy_afinfo_lock);
53 static struct xfrm_policy_afinfo *xfrm_policy_afinfo[NPROTO];
55 static struct kmem_cache *xfrm_dst_cache __read_mostly;
57 static HLIST_HEAD(xfrm_policy_gc_list);
58 static DEFINE_SPINLOCK(xfrm_policy_gc_lock);
60 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
61 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
62 static void xfrm_init_pmtu(struct dst_entry *dst);
65 __xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl)
67 return addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) &&
68 addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) &&
69 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
70 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
71 (fl->proto == sel->proto || !sel->proto) &&
72 (fl->oif == sel->ifindex || !sel->ifindex);
76 __xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl)
78 return addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) &&
79 addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) &&
80 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
81 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
82 (fl->proto == sel->proto || !sel->proto) &&
83 (fl->oif == sel->ifindex || !sel->ifindex);
86 int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
87 unsigned short family)
91 return __xfrm4_selector_match(sel, fl);
93 return __xfrm6_selector_match(sel, fl);
98 static inline struct dst_entry *__xfrm_dst_lookup(int tos,
99 xfrm_address_t *saddr,
100 xfrm_address_t *daddr,
103 struct xfrm_policy_afinfo *afinfo;
104 struct dst_entry *dst;
106 afinfo = xfrm_policy_get_afinfo(family);
107 if (unlikely(afinfo == NULL))
108 return ERR_PTR(-EAFNOSUPPORT);
110 dst = afinfo->dst_lookup(tos, saddr, daddr);
112 xfrm_policy_put_afinfo(afinfo);
117 static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x, int tos,
118 xfrm_address_t *prev_saddr,
119 xfrm_address_t *prev_daddr,
122 xfrm_address_t *saddr = &x->props.saddr;
123 xfrm_address_t *daddr = &x->id.daddr;
124 struct dst_entry *dst;
126 if (x->type->flags & XFRM_TYPE_LOCAL_COADDR) {
130 if (x->type->flags & XFRM_TYPE_REMOTE_COADDR) {
135 dst = __xfrm_dst_lookup(tos, saddr, daddr, family);
138 if (prev_saddr != saddr)
139 memcpy(prev_saddr, saddr, sizeof(*prev_saddr));
140 if (prev_daddr != daddr)
141 memcpy(prev_daddr, daddr, sizeof(*prev_daddr));
147 static inline unsigned long make_jiffies(long secs)
149 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
150 return MAX_SCHEDULE_TIMEOUT-1;
155 static void xfrm_policy_timer(unsigned long data)
157 struct xfrm_policy *xp = (struct xfrm_policy*)data;
158 unsigned long now = get_seconds();
159 long next = LONG_MAX;
163 read_lock(&xp->lock);
168 dir = xfrm_policy_id2dir(xp->index);
170 if (xp->lft.hard_add_expires_seconds) {
171 long tmo = xp->lft.hard_add_expires_seconds +
172 xp->curlft.add_time - now;
178 if (xp->lft.hard_use_expires_seconds) {
179 long tmo = xp->lft.hard_use_expires_seconds +
180 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
186 if (xp->lft.soft_add_expires_seconds) {
187 long tmo = xp->lft.soft_add_expires_seconds +
188 xp->curlft.add_time - now;
191 tmo = XFRM_KM_TIMEOUT;
196 if (xp->lft.soft_use_expires_seconds) {
197 long tmo = xp->lft.soft_use_expires_seconds +
198 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
201 tmo = XFRM_KM_TIMEOUT;
208 km_policy_expired(xp, dir, 0, 0);
209 if (next != LONG_MAX &&
210 !mod_timer(&xp->timer, jiffies + make_jiffies(next)))
214 read_unlock(&xp->lock);
219 read_unlock(&xp->lock);
220 if (!xfrm_policy_delete(xp, dir))
221 km_policy_expired(xp, dir, 1, 0);
226 /* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
230 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
232 struct xfrm_policy *policy;
234 policy = kzalloc(sizeof(struct xfrm_policy), gfp);
237 write_pnet(&policy->xp_net, net);
238 INIT_LIST_HEAD(&policy->walk.all);
239 INIT_HLIST_NODE(&policy->bydst);
240 INIT_HLIST_NODE(&policy->byidx);
241 rwlock_init(&policy->lock);
242 atomic_set(&policy->refcnt, 1);
243 setup_timer(&policy->timer, xfrm_policy_timer,
244 (unsigned long)policy);
248 EXPORT_SYMBOL(xfrm_policy_alloc);
250 /* Destroy xfrm_policy: descendant resources must be released to this moment. */
252 void xfrm_policy_destroy(struct xfrm_policy *policy)
254 BUG_ON(!policy->walk.dead);
256 BUG_ON(policy->bundles);
258 if (del_timer(&policy->timer))
261 security_xfrm_policy_free(policy->security);
264 EXPORT_SYMBOL(xfrm_policy_destroy);
266 static void xfrm_policy_gc_kill(struct xfrm_policy *policy)
268 struct dst_entry *dst;
270 while ((dst = policy->bundles) != NULL) {
271 policy->bundles = dst->next;
275 if (del_timer(&policy->timer))
276 atomic_dec(&policy->refcnt);
278 if (atomic_read(&policy->refcnt) > 1)
281 xfrm_pol_put(policy);
284 static void xfrm_policy_gc_task(struct work_struct *work)
286 struct xfrm_policy *policy;
287 struct hlist_node *entry, *tmp;
288 struct hlist_head gc_list;
290 spin_lock_bh(&xfrm_policy_gc_lock);
291 gc_list.first = xfrm_policy_gc_list.first;
292 INIT_HLIST_HEAD(&xfrm_policy_gc_list);
293 spin_unlock_bh(&xfrm_policy_gc_lock);
295 hlist_for_each_entry_safe(policy, entry, tmp, &gc_list, bydst)
296 xfrm_policy_gc_kill(policy);
298 static DECLARE_WORK(xfrm_policy_gc_work, xfrm_policy_gc_task);
300 /* Rule must be locked. Release descentant resources, announce
301 * entry dead. The rule must be unlinked from lists to the moment.
304 static void xfrm_policy_kill(struct xfrm_policy *policy)
308 write_lock_bh(&policy->lock);
309 dead = policy->walk.dead;
310 policy->walk.dead = 1;
311 write_unlock_bh(&policy->lock);
313 if (unlikely(dead)) {
318 spin_lock_bh(&xfrm_policy_gc_lock);
319 hlist_add_head(&policy->bydst, &xfrm_policy_gc_list);
320 spin_unlock_bh(&xfrm_policy_gc_lock);
322 schedule_work(&xfrm_policy_gc_work);
325 static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024;
327 static inline unsigned int idx_hash(u32 index)
329 return __idx_hash(index, init_net.xfrm.policy_idx_hmask);
332 static struct hlist_head *policy_hash_bysel(struct xfrm_selector *sel, unsigned short family, int dir)
334 unsigned int hmask = init_net.xfrm.policy_bydst[dir].hmask;
335 unsigned int hash = __sel_hash(sel, family, hmask);
337 return (hash == hmask + 1 ?
338 &init_net.xfrm.policy_inexact[dir] :
339 init_net.xfrm.policy_bydst[dir].table + hash);
342 static struct hlist_head *policy_hash_direct(xfrm_address_t *daddr, xfrm_address_t *saddr, unsigned short family, int dir)
344 unsigned int hmask = init_net.xfrm.policy_bydst[dir].hmask;
345 unsigned int hash = __addr_hash(daddr, saddr, family, hmask);
347 return init_net.xfrm.policy_bydst[dir].table + hash;
350 static void xfrm_dst_hash_transfer(struct hlist_head *list,
351 struct hlist_head *ndsttable,
352 unsigned int nhashmask)
354 struct hlist_node *entry, *tmp, *entry0 = NULL;
355 struct xfrm_policy *pol;
359 hlist_for_each_entry_safe(pol, entry, tmp, list, bydst) {
362 h = __addr_hash(&pol->selector.daddr, &pol->selector.saddr,
363 pol->family, nhashmask);
366 hlist_add_head(&pol->bydst, ndsttable+h);
372 hlist_add_after(entry0, &pol->bydst);
376 if (!hlist_empty(list)) {
382 static void xfrm_idx_hash_transfer(struct hlist_head *list,
383 struct hlist_head *nidxtable,
384 unsigned int nhashmask)
386 struct hlist_node *entry, *tmp;
387 struct xfrm_policy *pol;
389 hlist_for_each_entry_safe(pol, entry, tmp, list, byidx) {
392 h = __idx_hash(pol->index, nhashmask);
393 hlist_add_head(&pol->byidx, nidxtable+h);
397 static unsigned long xfrm_new_hash_mask(unsigned int old_hmask)
399 return ((old_hmask + 1) << 1) - 1;
402 static void xfrm_bydst_resize(int dir)
404 unsigned int hmask = init_net.xfrm.policy_bydst[dir].hmask;
405 unsigned int nhashmask = xfrm_new_hash_mask(hmask);
406 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
407 struct hlist_head *odst = init_net.xfrm.policy_bydst[dir].table;
408 struct hlist_head *ndst = xfrm_hash_alloc(nsize);
414 write_lock_bh(&xfrm_policy_lock);
416 for (i = hmask; i >= 0; i--)
417 xfrm_dst_hash_transfer(odst + i, ndst, nhashmask);
419 init_net.xfrm.policy_bydst[dir].table = ndst;
420 init_net.xfrm.policy_bydst[dir].hmask = nhashmask;
422 write_unlock_bh(&xfrm_policy_lock);
424 xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head));
427 static void xfrm_byidx_resize(int total)
429 unsigned int hmask = init_net.xfrm.policy_idx_hmask;
430 unsigned int nhashmask = xfrm_new_hash_mask(hmask);
431 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
432 struct hlist_head *oidx = init_net.xfrm.policy_byidx;
433 struct hlist_head *nidx = xfrm_hash_alloc(nsize);
439 write_lock_bh(&xfrm_policy_lock);
441 for (i = hmask; i >= 0; i--)
442 xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask);
444 init_net.xfrm.policy_byidx = nidx;
445 init_net.xfrm.policy_idx_hmask = nhashmask;
447 write_unlock_bh(&xfrm_policy_lock);
449 xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head));
452 static inline int xfrm_bydst_should_resize(int dir, int *total)
454 unsigned int cnt = xfrm_policy_count[dir];
455 unsigned int hmask = init_net.xfrm.policy_bydst[dir].hmask;
460 if ((hmask + 1) < xfrm_policy_hashmax &&
467 static inline int xfrm_byidx_should_resize(int total)
469 unsigned int hmask = init_net.xfrm.policy_idx_hmask;
471 if ((hmask + 1) < xfrm_policy_hashmax &&
478 void xfrm_spd_getinfo(struct xfrmk_spdinfo *si)
480 read_lock_bh(&xfrm_policy_lock);
481 si->incnt = xfrm_policy_count[XFRM_POLICY_IN];
482 si->outcnt = xfrm_policy_count[XFRM_POLICY_OUT];
483 si->fwdcnt = xfrm_policy_count[XFRM_POLICY_FWD];
484 si->inscnt = xfrm_policy_count[XFRM_POLICY_IN+XFRM_POLICY_MAX];
485 si->outscnt = xfrm_policy_count[XFRM_POLICY_OUT+XFRM_POLICY_MAX];
486 si->fwdscnt = xfrm_policy_count[XFRM_POLICY_FWD+XFRM_POLICY_MAX];
487 si->spdhcnt = init_net.xfrm.policy_idx_hmask;
488 si->spdhmcnt = xfrm_policy_hashmax;
489 read_unlock_bh(&xfrm_policy_lock);
491 EXPORT_SYMBOL(xfrm_spd_getinfo);
493 static DEFINE_MUTEX(hash_resize_mutex);
494 static void xfrm_hash_resize(struct work_struct *__unused)
498 mutex_lock(&hash_resize_mutex);
501 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
502 if (xfrm_bydst_should_resize(dir, &total))
503 xfrm_bydst_resize(dir);
505 if (xfrm_byidx_should_resize(total))
506 xfrm_byidx_resize(total);
508 mutex_unlock(&hash_resize_mutex);
511 static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize);
513 /* Generate new index... KAME seems to generate them ordered by cost
514 * of an absolute inpredictability of ordering of rules. This will not pass. */
515 static u32 xfrm_gen_index(int dir)
517 static u32 idx_generator;
520 struct hlist_node *entry;
521 struct hlist_head *list;
522 struct xfrm_policy *p;
526 idx = (idx_generator | dir);
530 list = init_net.xfrm.policy_byidx + idx_hash(idx);
532 hlist_for_each_entry(p, entry, list, byidx) {
533 if (p->index == idx) {
543 static inline int selector_cmp(struct xfrm_selector *s1, struct xfrm_selector *s2)
545 u32 *p1 = (u32 *) s1;
546 u32 *p2 = (u32 *) s2;
547 int len = sizeof(struct xfrm_selector) / sizeof(u32);
550 for (i = 0; i < len; i++) {
558 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
560 struct xfrm_policy *pol;
561 struct xfrm_policy *delpol;
562 struct hlist_head *chain;
563 struct hlist_node *entry, *newpos;
564 struct dst_entry *gc_list;
566 write_lock_bh(&xfrm_policy_lock);
567 chain = policy_hash_bysel(&policy->selector, policy->family, dir);
570 hlist_for_each_entry(pol, entry, chain, bydst) {
571 if (pol->type == policy->type &&
572 !selector_cmp(&pol->selector, &policy->selector) &&
573 xfrm_sec_ctx_match(pol->security, policy->security) &&
576 write_unlock_bh(&xfrm_policy_lock);
580 if (policy->priority > pol->priority)
582 } else if (policy->priority >= pol->priority) {
583 newpos = &pol->bydst;
590 hlist_add_after(newpos, &policy->bydst);
592 hlist_add_head(&policy->bydst, chain);
593 xfrm_pol_hold(policy);
594 xfrm_policy_count[dir]++;
595 atomic_inc(&flow_cache_genid);
597 hlist_del(&delpol->bydst);
598 hlist_del(&delpol->byidx);
599 list_del(&delpol->walk.all);
600 xfrm_policy_count[dir]--;
602 policy->index = delpol ? delpol->index : xfrm_gen_index(dir);
603 hlist_add_head(&policy->byidx, init_net.xfrm.policy_byidx+idx_hash(policy->index));
604 policy->curlft.add_time = get_seconds();
605 policy->curlft.use_time = 0;
606 if (!mod_timer(&policy->timer, jiffies + HZ))
607 xfrm_pol_hold(policy);
608 list_add(&policy->walk.all, &init_net.xfrm.policy_all);
609 write_unlock_bh(&xfrm_policy_lock);
612 xfrm_policy_kill(delpol);
613 else if (xfrm_bydst_should_resize(dir, NULL))
614 schedule_work(&xfrm_hash_work);
616 read_lock_bh(&xfrm_policy_lock);
618 entry = &policy->bydst;
619 hlist_for_each_entry_continue(policy, entry, bydst) {
620 struct dst_entry *dst;
622 write_lock(&policy->lock);
623 dst = policy->bundles;
625 struct dst_entry *tail = dst;
628 tail->next = gc_list;
631 policy->bundles = NULL;
633 write_unlock(&policy->lock);
635 read_unlock_bh(&xfrm_policy_lock);
638 struct dst_entry *dst = gc_list;
646 EXPORT_SYMBOL(xfrm_policy_insert);
648 struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
649 struct xfrm_selector *sel,
650 struct xfrm_sec_ctx *ctx, int delete,
653 struct xfrm_policy *pol, *ret;
654 struct hlist_head *chain;
655 struct hlist_node *entry;
658 write_lock_bh(&xfrm_policy_lock);
659 chain = policy_hash_bysel(sel, sel->family, dir);
661 hlist_for_each_entry(pol, entry, chain, bydst) {
662 if (pol->type == type &&
663 !selector_cmp(sel, &pol->selector) &&
664 xfrm_sec_ctx_match(ctx, pol->security)) {
667 *err = security_xfrm_policy_delete(
670 write_unlock_bh(&xfrm_policy_lock);
673 hlist_del(&pol->bydst);
674 hlist_del(&pol->byidx);
675 list_del(&pol->walk.all);
676 xfrm_policy_count[dir]--;
682 write_unlock_bh(&xfrm_policy_lock);
685 atomic_inc(&flow_cache_genid);
686 xfrm_policy_kill(ret);
690 EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
692 struct xfrm_policy *xfrm_policy_byid(u8 type, int dir, u32 id, int delete,
695 struct xfrm_policy *pol, *ret;
696 struct hlist_head *chain;
697 struct hlist_node *entry;
700 if (xfrm_policy_id2dir(id) != dir)
704 write_lock_bh(&xfrm_policy_lock);
705 chain = init_net.xfrm.policy_byidx + idx_hash(id);
707 hlist_for_each_entry(pol, entry, chain, byidx) {
708 if (pol->type == type && pol->index == id) {
711 *err = security_xfrm_policy_delete(
714 write_unlock_bh(&xfrm_policy_lock);
717 hlist_del(&pol->bydst);
718 hlist_del(&pol->byidx);
719 list_del(&pol->walk.all);
720 xfrm_policy_count[dir]--;
726 write_unlock_bh(&xfrm_policy_lock);
729 atomic_inc(&flow_cache_genid);
730 xfrm_policy_kill(ret);
734 EXPORT_SYMBOL(xfrm_policy_byid);
736 #ifdef CONFIG_SECURITY_NETWORK_XFRM
738 xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
742 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
743 struct xfrm_policy *pol;
744 struct hlist_node *entry;
747 hlist_for_each_entry(pol, entry,
748 &init_net.xfrm.policy_inexact[dir], bydst) {
749 if (pol->type != type)
751 err = security_xfrm_policy_delete(pol->security);
753 xfrm_audit_policy_delete(pol, 0,
754 audit_info->loginuid,
755 audit_info->sessionid,
760 for (i = init_net.xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
761 hlist_for_each_entry(pol, entry,
762 init_net.xfrm.policy_bydst[dir].table + i,
764 if (pol->type != type)
766 err = security_xfrm_policy_delete(
769 xfrm_audit_policy_delete(pol, 0,
770 audit_info->loginuid,
771 audit_info->sessionid,
782 xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
788 int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
792 write_lock_bh(&xfrm_policy_lock);
794 err = xfrm_policy_flush_secctx_check(type, audit_info);
798 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
799 struct xfrm_policy *pol;
800 struct hlist_node *entry;
805 hlist_for_each_entry(pol, entry,
806 &init_net.xfrm.policy_inexact[dir], bydst) {
807 if (pol->type != type)
809 hlist_del(&pol->bydst);
810 hlist_del(&pol->byidx);
811 write_unlock_bh(&xfrm_policy_lock);
813 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
814 audit_info->sessionid,
817 xfrm_policy_kill(pol);
820 write_lock_bh(&xfrm_policy_lock);
824 for (i = init_net.xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
826 hlist_for_each_entry(pol, entry,
827 init_net.xfrm.policy_bydst[dir].table + i,
829 if (pol->type != type)
831 hlist_del(&pol->bydst);
832 hlist_del(&pol->byidx);
833 list_del(&pol->walk.all);
834 write_unlock_bh(&xfrm_policy_lock);
836 xfrm_audit_policy_delete(pol, 1,
837 audit_info->loginuid,
838 audit_info->sessionid,
840 xfrm_policy_kill(pol);
843 write_lock_bh(&xfrm_policy_lock);
848 xfrm_policy_count[dir] -= killed;
850 atomic_inc(&flow_cache_genid);
852 write_unlock_bh(&xfrm_policy_lock);
855 EXPORT_SYMBOL(xfrm_policy_flush);
857 int xfrm_policy_walk(struct xfrm_policy_walk *walk,
858 int (*func)(struct xfrm_policy *, int, int, void*),
861 struct xfrm_policy *pol;
862 struct xfrm_policy_walk_entry *x;
865 if (walk->type >= XFRM_POLICY_TYPE_MAX &&
866 walk->type != XFRM_POLICY_TYPE_ANY)
869 if (list_empty(&walk->walk.all) && walk->seq != 0)
872 write_lock_bh(&xfrm_policy_lock);
873 if (list_empty(&walk->walk.all))
874 x = list_first_entry(&init_net.xfrm.policy_all, struct xfrm_policy_walk_entry, all);
876 x = list_entry(&walk->walk.all, struct xfrm_policy_walk_entry, all);
877 list_for_each_entry_from(x, &init_net.xfrm.policy_all, all) {
880 pol = container_of(x, struct xfrm_policy, walk);
881 if (walk->type != XFRM_POLICY_TYPE_ANY &&
882 walk->type != pol->type)
884 error = func(pol, xfrm_policy_id2dir(pol->index),
887 list_move_tail(&walk->walk.all, &x->all);
892 if (walk->seq == 0) {
896 list_del_init(&walk->walk.all);
898 write_unlock_bh(&xfrm_policy_lock);
901 EXPORT_SYMBOL(xfrm_policy_walk);
903 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type)
905 INIT_LIST_HEAD(&walk->walk.all);
910 EXPORT_SYMBOL(xfrm_policy_walk_init);
912 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk)
914 if (list_empty(&walk->walk.all))
917 write_lock_bh(&xfrm_policy_lock);
918 list_del(&walk->walk.all);
919 write_unlock_bh(&xfrm_policy_lock);
921 EXPORT_SYMBOL(xfrm_policy_walk_done);
924 * Find policy to apply to this flow.
926 * Returns 0 if policy found, else an -errno.
928 static int xfrm_policy_match(struct xfrm_policy *pol, struct flowi *fl,
929 u8 type, u16 family, int dir)
931 struct xfrm_selector *sel = &pol->selector;
932 int match, ret = -ESRCH;
934 if (pol->family != family ||
938 match = xfrm_selector_match(sel, fl, family);
940 ret = security_xfrm_policy_lookup(pol->security, fl->secid,
946 static struct xfrm_policy *xfrm_policy_lookup_bytype(u8 type, struct flowi *fl,
950 struct xfrm_policy *pol, *ret;
951 xfrm_address_t *daddr, *saddr;
952 struct hlist_node *entry;
953 struct hlist_head *chain;
956 daddr = xfrm_flowi_daddr(fl, family);
957 saddr = xfrm_flowi_saddr(fl, family);
958 if (unlikely(!daddr || !saddr))
961 read_lock_bh(&xfrm_policy_lock);
962 chain = policy_hash_direct(daddr, saddr, family, dir);
964 hlist_for_each_entry(pol, entry, chain, bydst) {
965 err = xfrm_policy_match(pol, fl, type, family, dir);
975 priority = ret->priority;
979 chain = &init_net.xfrm.policy_inexact[dir];
980 hlist_for_each_entry(pol, entry, chain, bydst) {
981 err = xfrm_policy_match(pol, fl, type, family, dir);
989 } else if (pol->priority < priority) {
997 read_unlock_bh(&xfrm_policy_lock);
1002 static int xfrm_policy_lookup(struct flowi *fl, u16 family, u8 dir,
1003 void **objp, atomic_t **obj_refp)
1005 struct xfrm_policy *pol;
1008 #ifdef CONFIG_XFRM_SUB_POLICY
1009 pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_SUB, fl, family, dir);
1017 pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN, fl, family, dir);
1022 #ifdef CONFIG_XFRM_SUB_POLICY
1025 if ((*objp = (void *) pol) != NULL)
1026 *obj_refp = &pol->refcnt;
1030 static inline int policy_to_flow_dir(int dir)
1032 if (XFRM_POLICY_IN == FLOW_DIR_IN &&
1033 XFRM_POLICY_OUT == FLOW_DIR_OUT &&
1034 XFRM_POLICY_FWD == FLOW_DIR_FWD)
1038 case XFRM_POLICY_IN:
1040 case XFRM_POLICY_OUT:
1041 return FLOW_DIR_OUT;
1042 case XFRM_POLICY_FWD:
1043 return FLOW_DIR_FWD;
1047 static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl)
1049 struct xfrm_policy *pol;
1051 read_lock_bh(&xfrm_policy_lock);
1052 if ((pol = sk->sk_policy[dir]) != NULL) {
1053 int match = xfrm_selector_match(&pol->selector, fl,
1058 err = security_xfrm_policy_lookup(pol->security,
1060 policy_to_flow_dir(dir));
1063 else if (err == -ESRCH)
1070 read_unlock_bh(&xfrm_policy_lock);
1074 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
1076 struct hlist_head *chain = policy_hash_bysel(&pol->selector,
1079 list_add(&pol->walk.all, &init_net.xfrm.policy_all);
1080 hlist_add_head(&pol->bydst, chain);
1081 hlist_add_head(&pol->byidx, init_net.xfrm.policy_byidx+idx_hash(pol->index));
1082 xfrm_policy_count[dir]++;
1085 if (xfrm_bydst_should_resize(dir, NULL))
1086 schedule_work(&xfrm_hash_work);
1089 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
1092 if (hlist_unhashed(&pol->bydst))
1095 hlist_del(&pol->bydst);
1096 hlist_del(&pol->byidx);
1097 list_del(&pol->walk.all);
1098 xfrm_policy_count[dir]--;
1103 int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
1105 write_lock_bh(&xfrm_policy_lock);
1106 pol = __xfrm_policy_unlink(pol, dir);
1107 write_unlock_bh(&xfrm_policy_lock);
1109 if (dir < XFRM_POLICY_MAX)
1110 atomic_inc(&flow_cache_genid);
1111 xfrm_policy_kill(pol);
1116 EXPORT_SYMBOL(xfrm_policy_delete);
1118 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
1120 struct xfrm_policy *old_pol;
1122 #ifdef CONFIG_XFRM_SUB_POLICY
1123 if (pol && pol->type != XFRM_POLICY_TYPE_MAIN)
1127 write_lock_bh(&xfrm_policy_lock);
1128 old_pol = sk->sk_policy[dir];
1129 sk->sk_policy[dir] = pol;
1131 pol->curlft.add_time = get_seconds();
1132 pol->index = xfrm_gen_index(XFRM_POLICY_MAX+dir);
1133 __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir);
1136 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
1137 write_unlock_bh(&xfrm_policy_lock);
1140 xfrm_policy_kill(old_pol);
1145 static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir)
1147 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC);
1150 newp->selector = old->selector;
1151 if (security_xfrm_policy_clone(old->security,
1154 return NULL; /* ENOMEM */
1156 newp->lft = old->lft;
1157 newp->curlft = old->curlft;
1158 newp->action = old->action;
1159 newp->flags = old->flags;
1160 newp->xfrm_nr = old->xfrm_nr;
1161 newp->index = old->index;
1162 newp->type = old->type;
1163 memcpy(newp->xfrm_vec, old->xfrm_vec,
1164 newp->xfrm_nr*sizeof(struct xfrm_tmpl));
1165 write_lock_bh(&xfrm_policy_lock);
1166 __xfrm_policy_link(newp, XFRM_POLICY_MAX+dir);
1167 write_unlock_bh(&xfrm_policy_lock);
1173 int __xfrm_sk_clone_policy(struct sock *sk)
1175 struct xfrm_policy *p0 = sk->sk_policy[0],
1176 *p1 = sk->sk_policy[1];
1178 sk->sk_policy[0] = sk->sk_policy[1] = NULL;
1179 if (p0 && (sk->sk_policy[0] = clone_policy(p0, 0)) == NULL)
1181 if (p1 && (sk->sk_policy[1] = clone_policy(p1, 1)) == NULL)
1187 xfrm_get_saddr(xfrm_address_t *local, xfrm_address_t *remote,
1188 unsigned short family)
1191 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1193 if (unlikely(afinfo == NULL))
1195 err = afinfo->get_saddr(local, remote);
1196 xfrm_policy_put_afinfo(afinfo);
1200 /* Resolve list of templates for the flow, given policy. */
1203 xfrm_tmpl_resolve_one(struct xfrm_policy *policy, struct flowi *fl,
1204 struct xfrm_state **xfrm,
1205 unsigned short family)
1209 xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
1210 xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
1213 for (nx=0, i = 0; i < policy->xfrm_nr; i++) {
1214 struct xfrm_state *x;
1215 xfrm_address_t *remote = daddr;
1216 xfrm_address_t *local = saddr;
1217 struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
1219 if (tmpl->mode == XFRM_MODE_TUNNEL ||
1220 tmpl->mode == XFRM_MODE_BEET) {
1221 remote = &tmpl->id.daddr;
1222 local = &tmpl->saddr;
1223 family = tmpl->encap_family;
1224 if (xfrm_addr_any(local, family)) {
1225 error = xfrm_get_saddr(&tmp, remote, family);
1232 x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
1234 if (x && x->km.state == XFRM_STATE_VALID) {
1241 error = (x->km.state == XFRM_STATE_ERROR ?
1245 else if (error == -ESRCH)
1248 if (!tmpl->optional)
1254 for (nx--; nx>=0; nx--)
1255 xfrm_state_put(xfrm[nx]);
1260 xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl,
1261 struct xfrm_state **xfrm,
1262 unsigned short family)
1264 struct xfrm_state *tp[XFRM_MAX_DEPTH];
1265 struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
1271 for (i = 0; i < npols; i++) {
1272 if (cnx + pols[i]->xfrm_nr >= XFRM_MAX_DEPTH) {
1277 ret = xfrm_tmpl_resolve_one(pols[i], fl, &tpp[cnx], family);
1285 /* found states are sorted for outbound processing */
1287 xfrm_state_sort(xfrm, tpp, cnx, family);
1292 for (cnx--; cnx>=0; cnx--)
1293 xfrm_state_put(tpp[cnx]);
1298 /* Check that the bundle accepts the flow and its components are
1302 static struct dst_entry *
1303 xfrm_find_bundle(struct flowi *fl, struct xfrm_policy *policy, unsigned short family)
1305 struct dst_entry *x;
1306 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1307 if (unlikely(afinfo == NULL))
1308 return ERR_PTR(-EINVAL);
1309 x = afinfo->find_bundle(fl, policy);
1310 xfrm_policy_put_afinfo(afinfo);
1314 static inline int xfrm_get_tos(struct flowi *fl, int family)
1316 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1322 tos = afinfo->get_tos(fl);
1324 xfrm_policy_put_afinfo(afinfo);
1329 static inline struct xfrm_dst *xfrm_alloc_dst(int family)
1331 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1332 struct xfrm_dst *xdst;
1335 return ERR_PTR(-EINVAL);
1337 xdst = dst_alloc(afinfo->dst_ops) ?: ERR_PTR(-ENOBUFS);
1339 xfrm_policy_put_afinfo(afinfo);
1344 static inline int xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst,
1347 struct xfrm_policy_afinfo *afinfo =
1348 xfrm_policy_get_afinfo(dst->ops->family);
1354 err = afinfo->init_path(path, dst, nfheader_len);
1356 xfrm_policy_put_afinfo(afinfo);
1361 static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev)
1363 struct xfrm_policy_afinfo *afinfo =
1364 xfrm_policy_get_afinfo(xdst->u.dst.ops->family);
1370 err = afinfo->fill_dst(xdst, dev);
1372 xfrm_policy_put_afinfo(afinfo);
1377 /* Allocate chain of dst_entry's, attach known xfrm's, calculate
1378 * all the metrics... Shortly, bundle a bundle.
1381 static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
1382 struct xfrm_state **xfrm, int nx,
1384 struct dst_entry *dst)
1386 unsigned long now = jiffies;
1387 struct net_device *dev;
1388 struct dst_entry *dst_prev = NULL;
1389 struct dst_entry *dst0 = NULL;
1393 int nfheader_len = 0;
1394 int trailer_len = 0;
1396 int family = policy->selector.family;
1397 xfrm_address_t saddr, daddr;
1399 xfrm_flowi_addr_get(fl, &saddr, &daddr, family);
1401 tos = xfrm_get_tos(fl, family);
1408 for (; i < nx; i++) {
1409 struct xfrm_dst *xdst = xfrm_alloc_dst(family);
1410 struct dst_entry *dst1 = &xdst->u.dst;
1412 err = PTR_ERR(xdst);
1421 dst_prev->child = dst_clone(dst1);
1422 dst1->flags |= DST_NOHASH;
1426 memcpy(&dst1->metrics, &dst->metrics, sizeof(dst->metrics));
1428 if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
1429 family = xfrm[i]->props.family;
1430 dst = xfrm_dst_lookup(xfrm[i], tos, &saddr, &daddr,
1438 dst1->xfrm = xfrm[i];
1439 xdst->genid = xfrm[i]->genid;
1441 dst1->obsolete = -1;
1442 dst1->flags |= DST_HOST;
1443 dst1->lastuse = now;
1445 dst1->input = dst_discard;
1446 dst1->output = xfrm[i]->outer_mode->afinfo->output;
1448 dst1->next = dst_prev;
1451 header_len += xfrm[i]->props.header_len;
1452 if (xfrm[i]->type->flags & XFRM_TYPE_NON_FRAGMENT)
1453 nfheader_len += xfrm[i]->props.header_len;
1454 trailer_len += xfrm[i]->props.trailer_len;
1457 dst_prev->child = dst;
1465 /* Copy neighbout for reachability confirmation */
1466 dst0->neighbour = neigh_clone(dst->neighbour);
1468 xfrm_init_path((struct xfrm_dst *)dst0, dst, nfheader_len);
1469 xfrm_init_pmtu(dst_prev);
1471 for (dst_prev = dst0; dst_prev != dst; dst_prev = dst_prev->child) {
1472 struct xfrm_dst *xdst = (struct xfrm_dst *)dst_prev;
1474 err = xfrm_fill_dst(xdst, dev);
1478 dst_prev->header_len = header_len;
1479 dst_prev->trailer_len = trailer_len;
1480 header_len -= xdst->u.dst.xfrm->props.header_len;
1481 trailer_len -= xdst->u.dst.xfrm->props.trailer_len;
1489 xfrm_state_put(xfrm[i]);
1493 dst0 = ERR_PTR(err);
1498 xfrm_dst_alloc_copy(void **target, void *src, int size)
1501 *target = kmalloc(size, GFP_ATOMIC);
1505 memcpy(*target, src, size);
1510 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
1512 #ifdef CONFIG_XFRM_SUB_POLICY
1513 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
1514 return xfrm_dst_alloc_copy((void **)&(xdst->partner),
1522 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
1524 #ifdef CONFIG_XFRM_SUB_POLICY
1525 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
1526 return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl));
1532 static int stale_bundle(struct dst_entry *dst);
1534 /* Main function: finds/creates a bundle for given flow.
1536 * At the moment we eat a raw IP route. Mostly to speed up lookups
1537 * on interfaces with disabled IPsec.
1539 int __xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
1540 struct sock *sk, int flags)
1542 struct xfrm_policy *policy;
1543 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1548 struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
1549 struct dst_entry *dst, *dst_orig = *dst_p;
1554 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
1557 genid = atomic_read(&flow_cache_genid);
1559 for (pi = 0; pi < ARRAY_SIZE(pols); pi++)
1565 if (sk && sk->sk_policy[XFRM_POLICY_OUT]) {
1566 policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
1567 err = PTR_ERR(policy);
1568 if (IS_ERR(policy)) {
1569 XFRM_INC_STATS(LINUX_MIB_XFRMOUTPOLERROR);
1575 /* To accelerate a bit... */
1576 if ((dst_orig->flags & DST_NOXFRM) ||
1577 !xfrm_policy_count[XFRM_POLICY_OUT])
1580 policy = flow_cache_lookup(fl, dst_orig->ops->family,
1581 dir, xfrm_policy_lookup);
1582 err = PTR_ERR(policy);
1583 if (IS_ERR(policy)) {
1584 XFRM_INC_STATS(LINUX_MIB_XFRMOUTPOLERROR);
1592 family = dst_orig->ops->family;
1595 xfrm_nr += pols[0]->xfrm_nr;
1598 if ((flags & XFRM_LOOKUP_ICMP) && !(policy->flags & XFRM_POLICY_ICMP))
1601 policy->curlft.use_time = get_seconds();
1603 switch (policy->action) {
1605 case XFRM_POLICY_BLOCK:
1606 /* Prohibit the flow */
1607 XFRM_INC_STATS(LINUX_MIB_XFRMOUTPOLBLOCK);
1611 case XFRM_POLICY_ALLOW:
1612 #ifndef CONFIG_XFRM_SUB_POLICY
1613 if (policy->xfrm_nr == 0) {
1614 /* Flow passes not transformed. */
1615 xfrm_pol_put(policy);
1620 /* Try to find matching bundle.
1622 * LATER: help from flow cache. It is optional, this
1623 * is required only for output policy.
1625 dst = xfrm_find_bundle(fl, policy, family);
1627 XFRM_INC_STATS(LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1635 #ifdef CONFIG_XFRM_SUB_POLICY
1636 if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
1637 pols[1] = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN,
1641 if (IS_ERR(pols[1])) {
1642 XFRM_INC_STATS(LINUX_MIB_XFRMOUTPOLERROR);
1643 err = PTR_ERR(pols[1]);
1646 if (pols[1]->action == XFRM_POLICY_BLOCK) {
1647 XFRM_INC_STATS(LINUX_MIB_XFRMOUTPOLBLOCK);
1652 xfrm_nr += pols[1]->xfrm_nr;
1657 * Because neither flowi nor bundle information knows about
1658 * transformation template size. On more than one policy usage
1659 * we can realize whether all of them is bypass or not after
1660 * they are searched. See above not-transformed bypass
1661 * is surrounded by non-sub policy configuration, too.
1664 /* Flow passes not transformed. */
1665 xfrm_pols_put(pols, npols);
1670 nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family);
1672 if (unlikely(nx<0)) {
1674 if (err == -EAGAIN && sysctl_xfrm_larval_drop) {
1675 /* EREMOTE tells the caller to generate
1676 * a one-shot blackhole route.
1678 XFRM_INC_STATS(LINUX_MIB_XFRMOUTNOSTATES);
1679 xfrm_pol_put(policy);
1682 if (err == -EAGAIN && (flags & XFRM_LOOKUP_WAIT)) {
1683 DECLARE_WAITQUEUE(wait, current);
1685 add_wait_queue(&init_net.xfrm.km_waitq, &wait);
1686 set_current_state(TASK_INTERRUPTIBLE);
1688 set_current_state(TASK_RUNNING);
1689 remove_wait_queue(&init_net.xfrm.km_waitq, &wait);
1691 nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family);
1693 if (nx == -EAGAIN && signal_pending(current)) {
1694 XFRM_INC_STATS(LINUX_MIB_XFRMOUTNOSTATES);
1698 if (nx == -EAGAIN ||
1699 genid != atomic_read(&flow_cache_genid)) {
1700 xfrm_pols_put(pols, npols);
1706 XFRM_INC_STATS(LINUX_MIB_XFRMOUTNOSTATES);
1711 /* Flow passes not transformed. */
1712 xfrm_pols_put(pols, npols);
1716 dst = xfrm_bundle_create(policy, xfrm, nx, fl, dst_orig);
1719 XFRM_INC_STATS(LINUX_MIB_XFRMOUTBUNDLEGENERROR);
1723 for (pi = 0; pi < npols; pi++) {
1724 read_lock_bh(&pols[pi]->lock);
1725 pol_dead |= pols[pi]->walk.dead;
1726 read_unlock_bh(&pols[pi]->lock);
1729 write_lock_bh(&policy->lock);
1730 if (unlikely(pol_dead || stale_bundle(dst))) {
1731 /* Wow! While we worked on resolving, this
1732 * policy has gone. Retry. It is not paranoia,
1733 * we just cannot enlist new bundle to dead object.
1734 * We can't enlist stable bundles either.
1736 write_unlock_bh(&policy->lock);
1740 XFRM_INC_STATS(LINUX_MIB_XFRMOUTPOLDEAD);
1742 XFRM_INC_STATS(LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1743 err = -EHOSTUNREACH;
1748 err = xfrm_dst_update_parent(dst, &pols[1]->selector);
1750 err = xfrm_dst_update_origin(dst, fl);
1751 if (unlikely(err)) {
1752 write_unlock_bh(&policy->lock);
1754 XFRM_INC_STATS(LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1758 dst->next = policy->bundles;
1759 policy->bundles = dst;
1761 write_unlock_bh(&policy->lock);
1764 dst_release(dst_orig);
1765 xfrm_pols_put(pols, npols);
1769 xfrm_pols_put(pols, npols);
1771 dst_release(dst_orig);
1777 if (flags & XFRM_LOOKUP_ICMP)
1781 EXPORT_SYMBOL(__xfrm_lookup);
1783 int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
1784 struct sock *sk, int flags)
1786 int err = __xfrm_lookup(dst_p, fl, sk, flags);
1788 if (err == -EREMOTE) {
1789 dst_release(*dst_p);
1796 EXPORT_SYMBOL(xfrm_lookup);
1799 xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl)
1801 struct xfrm_state *x;
1803 if (!skb->sp || idx < 0 || idx >= skb->sp->len)
1805 x = skb->sp->xvec[idx];
1806 if (!x->type->reject)
1808 return x->type->reject(x, skb, fl);
1811 /* When skb is transformed back to its "native" form, we have to
1812 * check policy restrictions. At the moment we make this in maximally
1813 * stupid way. Shame on me. :-) Of course, connected sockets must
1814 * have policy cached at them.
1818 xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
1819 unsigned short family)
1821 if (xfrm_state_kern(x))
1822 return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family);
1823 return x->id.proto == tmpl->id.proto &&
1824 (x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
1825 (x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
1826 x->props.mode == tmpl->mode &&
1827 (tmpl->allalgs || (tmpl->aalgos & (1<<x->props.aalgo)) ||
1828 !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
1829 !(x->props.mode != XFRM_MODE_TRANSPORT &&
1830 xfrm_state_addr_cmp(tmpl, x, family));
1834 * 0 or more than 0 is returned when validation is succeeded (either bypass
1835 * because of optional transport mode, or next index of the mathced secpath
1836 * state with the template.
1837 * -1 is returned when no matching template is found.
1838 * Otherwise "-2 - errored_index" is returned.
1841 xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
1842 unsigned short family)
1846 if (tmpl->optional) {
1847 if (tmpl->mode == XFRM_MODE_TRANSPORT)
1851 for (; idx < sp->len; idx++) {
1852 if (xfrm_state_ok(tmpl, sp->xvec[idx], family))
1854 if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
1863 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1864 unsigned int family, int reverse)
1866 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1869 if (unlikely(afinfo == NULL))
1870 return -EAFNOSUPPORT;
1872 afinfo->decode_session(skb, fl, reverse);
1873 err = security_xfrm_decode_session(skb, &fl->secid);
1874 xfrm_policy_put_afinfo(afinfo);
1877 EXPORT_SYMBOL(__xfrm_decode_session);
1879 static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp)
1881 for (; k < sp->len; k++) {
1882 if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
1891 int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
1892 unsigned short family)
1894 struct xfrm_policy *pol;
1895 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1904 reverse = dir & ~XFRM_POLICY_MASK;
1905 dir &= XFRM_POLICY_MASK;
1906 fl_dir = policy_to_flow_dir(dir);
1908 if (__xfrm_decode_session(skb, &fl, family, reverse) < 0) {
1909 XFRM_INC_STATS(LINUX_MIB_XFRMINHDRERROR);
1913 nf_nat_decode_session(skb, &fl, family);
1915 /* First, check used SA against their selectors. */
1919 for (i=skb->sp->len-1; i>=0; i--) {
1920 struct xfrm_state *x = skb->sp->xvec[i];
1921 if (!xfrm_selector_match(&x->sel, &fl, family)) {
1922 XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEMISMATCH);
1929 if (sk && sk->sk_policy[dir]) {
1930 pol = xfrm_sk_policy_lookup(sk, dir, &fl);
1932 XFRM_INC_STATS(LINUX_MIB_XFRMINPOLERROR);
1938 pol = flow_cache_lookup(&fl, family, fl_dir,
1939 xfrm_policy_lookup);
1942 XFRM_INC_STATS(LINUX_MIB_XFRMINPOLERROR);
1947 if (skb->sp && secpath_has_nontransport(skb->sp, 0, &xerr_idx)) {
1948 xfrm_secpath_reject(xerr_idx, skb, &fl);
1949 XFRM_INC_STATS(LINUX_MIB_XFRMINNOPOLS);
1955 pol->curlft.use_time = get_seconds();
1959 #ifdef CONFIG_XFRM_SUB_POLICY
1960 if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
1961 pols[1] = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN,
1965 if (IS_ERR(pols[1])) {
1966 XFRM_INC_STATS(LINUX_MIB_XFRMINPOLERROR);
1969 pols[1]->curlft.use_time = get_seconds();
1975 if (pol->action == XFRM_POLICY_ALLOW) {
1976 struct sec_path *sp;
1977 static struct sec_path dummy;
1978 struct xfrm_tmpl *tp[XFRM_MAX_DEPTH];
1979 struct xfrm_tmpl *stp[XFRM_MAX_DEPTH];
1980 struct xfrm_tmpl **tpp = tp;
1984 if ((sp = skb->sp) == NULL)
1987 for (pi = 0; pi < npols; pi++) {
1988 if (pols[pi] != pol &&
1989 pols[pi]->action != XFRM_POLICY_ALLOW) {
1990 XFRM_INC_STATS(LINUX_MIB_XFRMINPOLBLOCK);
1993 if (ti + pols[pi]->xfrm_nr >= XFRM_MAX_DEPTH) {
1994 XFRM_INC_STATS(LINUX_MIB_XFRMINBUFFERERROR);
1997 for (i = 0; i < pols[pi]->xfrm_nr; i++)
1998 tpp[ti++] = &pols[pi]->xfrm_vec[i];
2002 xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
2006 /* For each tunnel xfrm, find the first matching tmpl.
2007 * For each tmpl before that, find corresponding xfrm.
2008 * Order is _important_. Later we will implement
2009 * some barriers, but at the moment barriers
2010 * are implied between each two transformations.
2012 for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
2013 k = xfrm_policy_ok(tpp[i], sp, k, family);
2016 /* "-2 - errored_index" returned */
2018 XFRM_INC_STATS(LINUX_MIB_XFRMINTMPLMISMATCH);
2023 if (secpath_has_nontransport(sp, k, &xerr_idx)) {
2024 XFRM_INC_STATS(LINUX_MIB_XFRMINTMPLMISMATCH);
2028 xfrm_pols_put(pols, npols);
2031 XFRM_INC_STATS(LINUX_MIB_XFRMINPOLBLOCK);
2034 xfrm_secpath_reject(xerr_idx, skb, &fl);
2036 xfrm_pols_put(pols, npols);
2039 EXPORT_SYMBOL(__xfrm_policy_check);
2041 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
2045 if (xfrm_decode_session(skb, &fl, family) < 0) {
2046 /* XXX: we should have something like FWDHDRERROR here. */
2047 XFRM_INC_STATS(LINUX_MIB_XFRMINHDRERROR);
2051 return xfrm_lookup(&skb->dst, &fl, NULL, 0) == 0;
2053 EXPORT_SYMBOL(__xfrm_route_forward);
2055 /* Optimize later using cookies and generation ids. */
2057 static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
2059 /* Code (such as __xfrm4_bundle_create()) sets dst->obsolete
2060 * to "-1" to force all XFRM destinations to get validated by
2061 * dst_ops->check on every use. We do this because when a
2062 * normal route referenced by an XFRM dst is obsoleted we do
2063 * not go looking around for all parent referencing XFRM dsts
2064 * so that we can invalidate them. It is just too much work.
2065 * Instead we make the checks here on every use. For example:
2067 * XFRM dst A --> IPv4 dst X
2069 * X is the "xdst->route" of A (X is also the "dst->path" of A
2070 * in this example). If X is marked obsolete, "A" will not
2071 * notice. That's what we are validating here via the
2072 * stale_bundle() check.
2074 * When a policy's bundle is pruned, we dst_free() the XFRM
2075 * dst which causes it's ->obsolete field to be set to a
2076 * positive non-zero integer. If an XFRM dst has been pruned
2077 * like this, we want to force a new route lookup.
2079 if (dst->obsolete < 0 && !stale_bundle(dst))
2085 static int stale_bundle(struct dst_entry *dst)
2087 return !xfrm_bundle_ok(NULL, (struct xfrm_dst *)dst, NULL, AF_UNSPEC, 0);
2090 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
2092 while ((dst = dst->child) && dst->xfrm && dst->dev == dev) {
2093 dst->dev = dev_net(dev)->loopback_dev;
2098 EXPORT_SYMBOL(xfrm_dst_ifdown);
2100 static void xfrm_link_failure(struct sk_buff *skb)
2102 /* Impossible. Such dst must be popped before reaches point of failure. */
2106 static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
2109 if (dst->obsolete) {
2117 static void prune_one_bundle(struct xfrm_policy *pol, int (*func)(struct dst_entry *), struct dst_entry **gc_list_p)
2119 struct dst_entry *dst, **dstp;
2121 write_lock(&pol->lock);
2122 dstp = &pol->bundles;
2123 while ((dst=*dstp) != NULL) {
2126 dst->next = *gc_list_p;
2132 write_unlock(&pol->lock);
2135 static void xfrm_prune_bundles(int (*func)(struct dst_entry *))
2137 struct dst_entry *gc_list = NULL;
2140 read_lock_bh(&xfrm_policy_lock);
2141 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
2142 struct xfrm_policy *pol;
2143 struct hlist_node *entry;
2144 struct hlist_head *table;
2147 hlist_for_each_entry(pol, entry,
2148 &init_net.xfrm.policy_inexact[dir], bydst)
2149 prune_one_bundle(pol, func, &gc_list);
2151 table = init_net.xfrm.policy_bydst[dir].table;
2152 for (i = init_net.xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
2153 hlist_for_each_entry(pol, entry, table + i, bydst)
2154 prune_one_bundle(pol, func, &gc_list);
2157 read_unlock_bh(&xfrm_policy_lock);
2160 struct dst_entry *dst = gc_list;
2161 gc_list = dst->next;
2166 static int unused_bundle(struct dst_entry *dst)
2168 return !atomic_read(&dst->__refcnt);
2171 static void __xfrm_garbage_collect(void)
2173 xfrm_prune_bundles(unused_bundle);
2176 static int xfrm_flush_bundles(void)
2178 xfrm_prune_bundles(stale_bundle);
2182 static void xfrm_init_pmtu(struct dst_entry *dst)
2185 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
2186 u32 pmtu, route_mtu_cached;
2188 pmtu = dst_mtu(dst->child);
2189 xdst->child_mtu_cached = pmtu;
2191 pmtu = xfrm_state_mtu(dst->xfrm, pmtu);
2193 route_mtu_cached = dst_mtu(xdst->route);
2194 xdst->route_mtu_cached = route_mtu_cached;
2196 if (pmtu > route_mtu_cached)
2197 pmtu = route_mtu_cached;
2199 dst->metrics[RTAX_MTU-1] = pmtu;
2200 } while ((dst = dst->next));
2203 /* Check that the bundle accepts the flow and its components are
2207 int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
2208 struct flowi *fl, int family, int strict)
2210 struct dst_entry *dst = &first->u.dst;
2211 struct xfrm_dst *last;
2214 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
2215 (dst->dev && !netif_running(dst->dev)))
2217 #ifdef CONFIG_XFRM_SUB_POLICY
2219 if (first->origin && !flow_cache_uli_match(first->origin, fl))
2221 if (first->partner &&
2222 !xfrm_selector_match(first->partner, fl, family))
2230 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
2232 if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
2235 !security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl))
2237 if (dst->xfrm->km.state != XFRM_STATE_VALID)
2239 if (xdst->genid != dst->xfrm->genid)
2243 !(dst->xfrm->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
2244 !xfrm_state_addr_flow_check(dst->xfrm, fl, family))
2247 mtu = dst_mtu(dst->child);
2248 if (xdst->child_mtu_cached != mtu) {
2250 xdst->child_mtu_cached = mtu;
2253 if (!dst_check(xdst->route, xdst->route_cookie))
2255 mtu = dst_mtu(xdst->route);
2256 if (xdst->route_mtu_cached != mtu) {
2258 xdst->route_mtu_cached = mtu;
2262 } while (dst->xfrm);
2267 mtu = last->child_mtu_cached;
2271 mtu = xfrm_state_mtu(dst->xfrm, mtu);
2272 if (mtu > last->route_mtu_cached)
2273 mtu = last->route_mtu_cached;
2274 dst->metrics[RTAX_MTU-1] = mtu;
2279 last = (struct xfrm_dst *)last->u.dst.next;
2280 last->child_mtu_cached = mtu;
2286 EXPORT_SYMBOL(xfrm_bundle_ok);
2288 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
2291 if (unlikely(afinfo == NULL))
2293 if (unlikely(afinfo->family >= NPROTO))
2294 return -EAFNOSUPPORT;
2295 write_lock_bh(&xfrm_policy_afinfo_lock);
2296 if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL))
2299 struct dst_ops *dst_ops = afinfo->dst_ops;
2300 if (likely(dst_ops->kmem_cachep == NULL))
2301 dst_ops->kmem_cachep = xfrm_dst_cache;
2302 if (likely(dst_ops->check == NULL))
2303 dst_ops->check = xfrm_dst_check;
2304 if (likely(dst_ops->negative_advice == NULL))
2305 dst_ops->negative_advice = xfrm_negative_advice;
2306 if (likely(dst_ops->link_failure == NULL))
2307 dst_ops->link_failure = xfrm_link_failure;
2308 if (likely(afinfo->garbage_collect == NULL))
2309 afinfo->garbage_collect = __xfrm_garbage_collect;
2310 xfrm_policy_afinfo[afinfo->family] = afinfo;
2312 write_unlock_bh(&xfrm_policy_afinfo_lock);
2315 EXPORT_SYMBOL(xfrm_policy_register_afinfo);
2317 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
2320 if (unlikely(afinfo == NULL))
2322 if (unlikely(afinfo->family >= NPROTO))
2323 return -EAFNOSUPPORT;
2324 write_lock_bh(&xfrm_policy_afinfo_lock);
2325 if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) {
2326 if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo))
2329 struct dst_ops *dst_ops = afinfo->dst_ops;
2330 xfrm_policy_afinfo[afinfo->family] = NULL;
2331 dst_ops->kmem_cachep = NULL;
2332 dst_ops->check = NULL;
2333 dst_ops->negative_advice = NULL;
2334 dst_ops->link_failure = NULL;
2335 afinfo->garbage_collect = NULL;
2338 write_unlock_bh(&xfrm_policy_afinfo_lock);
2341 EXPORT_SYMBOL(xfrm_policy_unregister_afinfo);
2343 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)
2345 struct xfrm_policy_afinfo *afinfo;
2346 if (unlikely(family >= NPROTO))
2348 read_lock(&xfrm_policy_afinfo_lock);
2349 afinfo = xfrm_policy_afinfo[family];
2350 if (unlikely(!afinfo))
2351 read_unlock(&xfrm_policy_afinfo_lock);
2355 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo)
2357 read_unlock(&xfrm_policy_afinfo_lock);
2360 static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr)
2362 struct net_device *dev = ptr;
2364 if (!net_eq(dev_net(dev), &init_net))
2369 xfrm_flush_bundles();
2374 static struct notifier_block xfrm_dev_notifier = {
2375 .notifier_call = xfrm_dev_event,
2378 #ifdef CONFIG_XFRM_STATISTICS
2379 static int __init xfrm_statistics_init(void)
2381 if (snmp_mib_init((void **)xfrm_statistics,
2382 sizeof(struct linux_xfrm_mib)) < 0)
2388 static int __net_init xfrm_policy_init(struct net *net)
2390 unsigned int hmask, sz;
2393 if (net_eq(net, &init_net))
2394 xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache",
2395 sizeof(struct xfrm_dst),
2396 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC,
2400 sz = (hmask+1) * sizeof(struct hlist_head);
2402 net->xfrm.policy_byidx = xfrm_hash_alloc(sz);
2403 if (!net->xfrm.policy_byidx)
2405 net->xfrm.policy_idx_hmask = hmask;
2407 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
2408 struct xfrm_policy_hash *htab;
2410 INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]);
2412 htab = &net->xfrm.policy_bydst[dir];
2413 htab->table = xfrm_hash_alloc(sz);
2416 htab->hmask = hmask;
2419 INIT_LIST_HEAD(&net->xfrm.policy_all);
2420 if (net_eq(net, &init_net))
2421 register_netdevice_notifier(&xfrm_dev_notifier);
2425 for (dir--; dir >= 0; dir--) {
2426 struct xfrm_policy_hash *htab;
2428 htab = &net->xfrm.policy_bydst[dir];
2429 xfrm_hash_free(htab->table, sz);
2431 xfrm_hash_free(net->xfrm.policy_byidx, sz);
2436 static void xfrm_policy_fini(struct net *net)
2441 WARN_ON(!list_empty(&net->xfrm.policy_all));
2443 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
2444 struct xfrm_policy_hash *htab;
2446 WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir]));
2448 htab = &net->xfrm.policy_bydst[dir];
2449 sz = (htab->hmask + 1);
2450 WARN_ON(!hlist_empty(htab->table));
2451 xfrm_hash_free(htab->table, sz);
2454 sz = (net->xfrm.policy_idx_hmask + 1) * sizeof(struct hlist_head);
2455 WARN_ON(!hlist_empty(net->xfrm.policy_byidx));
2456 xfrm_hash_free(net->xfrm.policy_byidx, sz);
2459 static int __net_init xfrm_net_init(struct net *net)
2463 rv = xfrm_state_init(net);
2466 rv = xfrm_policy_init(net);
2472 xfrm_state_fini(net);
2477 static void __net_exit xfrm_net_exit(struct net *net)
2479 xfrm_policy_fini(net);
2480 xfrm_state_fini(net);
2483 static struct pernet_operations __net_initdata xfrm_net_ops = {
2484 .init = xfrm_net_init,
2485 .exit = xfrm_net_exit,
2488 void __init xfrm_init(void)
2490 register_pernet_subsys(&xfrm_net_ops);
2491 #ifdef CONFIG_XFRM_STATISTICS
2492 xfrm_statistics_init();
2495 #ifdef CONFIG_XFRM_STATISTICS
2500 #ifdef CONFIG_AUDITSYSCALL
2501 static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
2502 struct audit_buffer *audit_buf)
2504 struct xfrm_sec_ctx *ctx = xp->security;
2505 struct xfrm_selector *sel = &xp->selector;
2508 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2509 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
2511 switch(sel->family) {
2513 audit_log_format(audit_buf, " src=%pI4", &sel->saddr.a4);
2514 if (sel->prefixlen_s != 32)
2515 audit_log_format(audit_buf, " src_prefixlen=%d",
2517 audit_log_format(audit_buf, " dst=%pI4", &sel->daddr.a4);
2518 if (sel->prefixlen_d != 32)
2519 audit_log_format(audit_buf, " dst_prefixlen=%d",
2523 audit_log_format(audit_buf, " src=%pI6", sel->saddr.a6);
2524 if (sel->prefixlen_s != 128)
2525 audit_log_format(audit_buf, " src_prefixlen=%d",
2527 audit_log_format(audit_buf, " dst=%pI6", sel->daddr.a6);
2528 if (sel->prefixlen_d != 128)
2529 audit_log_format(audit_buf, " dst_prefixlen=%d",
2535 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
2536 uid_t auid, u32 sessionid, u32 secid)
2538 struct audit_buffer *audit_buf;
2540 audit_buf = xfrm_audit_start("SPD-add");
2541 if (audit_buf == NULL)
2543 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2544 audit_log_format(audit_buf, " res=%u", result);
2545 xfrm_audit_common_policyinfo(xp, audit_buf);
2546 audit_log_end(audit_buf);
2548 EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
2550 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
2551 uid_t auid, u32 sessionid, u32 secid)
2553 struct audit_buffer *audit_buf;
2555 audit_buf = xfrm_audit_start("SPD-delete");
2556 if (audit_buf == NULL)
2558 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2559 audit_log_format(audit_buf, " res=%u", result);
2560 xfrm_audit_common_policyinfo(xp, audit_buf);
2561 audit_log_end(audit_buf);
2563 EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
2566 #ifdef CONFIG_XFRM_MIGRATE
2567 static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp,
2568 struct xfrm_selector *sel_tgt)
2570 if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
2571 if (sel_tgt->family == sel_cmp->family &&
2572 xfrm_addr_cmp(&sel_tgt->daddr, &sel_cmp->daddr,
2573 sel_cmp->family) == 0 &&
2574 xfrm_addr_cmp(&sel_tgt->saddr, &sel_cmp->saddr,
2575 sel_cmp->family) == 0 &&
2576 sel_tgt->prefixlen_d == sel_cmp->prefixlen_d &&
2577 sel_tgt->prefixlen_s == sel_cmp->prefixlen_s) {
2581 if (memcmp(sel_tgt, sel_cmp, sizeof(*sel_tgt)) == 0) {
2588 static struct xfrm_policy * xfrm_migrate_policy_find(struct xfrm_selector *sel,
2591 struct xfrm_policy *pol, *ret = NULL;
2592 struct hlist_node *entry;
2593 struct hlist_head *chain;
2596 read_lock_bh(&xfrm_policy_lock);
2597 chain = policy_hash_direct(&sel->daddr, &sel->saddr, sel->family, dir);
2598 hlist_for_each_entry(pol, entry, chain, bydst) {
2599 if (xfrm_migrate_selector_match(sel, &pol->selector) &&
2600 pol->type == type) {
2602 priority = ret->priority;
2606 chain = &init_net.xfrm.policy_inexact[dir];
2607 hlist_for_each_entry(pol, entry, chain, bydst) {
2608 if (xfrm_migrate_selector_match(sel, &pol->selector) &&
2609 pol->type == type &&
2610 pol->priority < priority) {
2619 read_unlock_bh(&xfrm_policy_lock);
2624 static int migrate_tmpl_match(struct xfrm_migrate *m, struct xfrm_tmpl *t)
2628 if (t->mode == m->mode && t->id.proto == m->proto &&
2629 (m->reqid == 0 || t->reqid == m->reqid)) {
2631 case XFRM_MODE_TUNNEL:
2632 case XFRM_MODE_BEET:
2633 if (xfrm_addr_cmp(&t->id.daddr, &m->old_daddr,
2634 m->old_family) == 0 &&
2635 xfrm_addr_cmp(&t->saddr, &m->old_saddr,
2636 m->old_family) == 0) {
2640 case XFRM_MODE_TRANSPORT:
2641 /* in case of transport mode, template does not store
2642 any IP addresses, hence we just compare mode and
2653 /* update endpoint address(es) of template(s) */
2654 static int xfrm_policy_migrate(struct xfrm_policy *pol,
2655 struct xfrm_migrate *m, int num_migrate)
2657 struct xfrm_migrate *mp;
2658 struct dst_entry *dst;
2661 write_lock_bh(&pol->lock);
2662 if (unlikely(pol->walk.dead)) {
2663 /* target policy has been deleted */
2664 write_unlock_bh(&pol->lock);
2668 for (i = 0; i < pol->xfrm_nr; i++) {
2669 for (j = 0, mp = m; j < num_migrate; j++, mp++) {
2670 if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i]))
2673 if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL &&
2674 pol->xfrm_vec[i].mode != XFRM_MODE_BEET)
2676 /* update endpoints */
2677 memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr,
2678 sizeof(pol->xfrm_vec[i].id.daddr));
2679 memcpy(&pol->xfrm_vec[i].saddr, &mp->new_saddr,
2680 sizeof(pol->xfrm_vec[i].saddr));
2681 pol->xfrm_vec[i].encap_family = mp->new_family;
2683 while ((dst = pol->bundles) != NULL) {
2684 pol->bundles = dst->next;
2690 write_unlock_bh(&pol->lock);
2698 static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate)
2702 if (num_migrate < 1 || num_migrate > XFRM_MAX_DEPTH)
2705 for (i = 0; i < num_migrate; i++) {
2706 if ((xfrm_addr_cmp(&m[i].old_daddr, &m[i].new_daddr,
2707 m[i].old_family) == 0) &&
2708 (xfrm_addr_cmp(&m[i].old_saddr, &m[i].new_saddr,
2709 m[i].old_family) == 0))
2711 if (xfrm_addr_any(&m[i].new_daddr, m[i].new_family) ||
2712 xfrm_addr_any(&m[i].new_saddr, m[i].new_family))
2715 /* check if there is any duplicated entry */
2716 for (j = i + 1; j < num_migrate; j++) {
2717 if (!memcmp(&m[i].old_daddr, &m[j].old_daddr,
2718 sizeof(m[i].old_daddr)) &&
2719 !memcmp(&m[i].old_saddr, &m[j].old_saddr,
2720 sizeof(m[i].old_saddr)) &&
2721 m[i].proto == m[j].proto &&
2722 m[i].mode == m[j].mode &&
2723 m[i].reqid == m[j].reqid &&
2724 m[i].old_family == m[j].old_family)
2732 int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
2733 struct xfrm_migrate *m, int num_migrate,
2734 struct xfrm_kmaddress *k)
2736 int i, err, nx_cur = 0, nx_new = 0;
2737 struct xfrm_policy *pol = NULL;
2738 struct xfrm_state *x, *xc;
2739 struct xfrm_state *x_cur[XFRM_MAX_DEPTH];
2740 struct xfrm_state *x_new[XFRM_MAX_DEPTH];
2741 struct xfrm_migrate *mp;
2743 if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
2746 /* Stage 1 - find policy */
2747 if ((pol = xfrm_migrate_policy_find(sel, dir, type)) == NULL) {
2752 /* Stage 2 - find and update state(s) */
2753 for (i = 0, mp = m; i < num_migrate; i++, mp++) {
2754 if ((x = xfrm_migrate_state_find(mp))) {
2757 if ((xc = xfrm_state_migrate(x, mp))) {
2767 /* Stage 3 - update policy */
2768 if ((err = xfrm_policy_migrate(pol, m, num_migrate)) < 0)
2771 /* Stage 4 - delete old state(s) */
2773 xfrm_states_put(x_cur, nx_cur);
2774 xfrm_states_delete(x_cur, nx_cur);
2777 /* Stage 5 - announce */
2778 km_migrate(sel, dir, type, m, num_migrate, k);
2790 xfrm_states_put(x_cur, nx_cur);
2792 xfrm_states_delete(x_new, nx_new);
2796 EXPORT_SYMBOL(xfrm_migrate);
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob