xref: /openbmc/linux/include/net/xfrm.h (revision d7a3d85e)
1 #ifndef _NET_XFRM_H
2 #define _NET_XFRM_H
3 
4 #include <linux/compiler.h>
5 #include <linux/xfrm.h>
6 #include <linux/spinlock.h>
7 #include <linux/list.h>
8 #include <linux/skbuff.h>
9 #include <linux/socket.h>
10 #include <linux/pfkeyv2.h>
11 #include <linux/ipsec.h>
12 #include <linux/in6.h>
13 #include <linux/mutex.h>
14 #include <linux/audit.h>
15 #include <linux/slab.h>
16 
17 #include <net/sock.h>
18 #include <net/dst.h>
19 #include <net/ip.h>
20 #include <net/route.h>
21 #include <net/ipv6.h>
22 #include <net/ip6_fib.h>
23 #include <net/flow.h>
24 
25 #include <linux/interrupt.h>
26 
27 #ifdef CONFIG_XFRM_STATISTICS
28 #include <net/snmp.h>
29 #endif
30 
31 #define XFRM_PROTO_ESP		50
32 #define XFRM_PROTO_AH		51
33 #define XFRM_PROTO_COMP		108
34 #define XFRM_PROTO_IPIP		4
35 #define XFRM_PROTO_IPV6		41
36 #define XFRM_PROTO_ROUTING	IPPROTO_ROUTING
37 #define XFRM_PROTO_DSTOPTS	IPPROTO_DSTOPTS
38 
39 #define XFRM_ALIGN4(len)	(((len) + 3) & ~3)
40 #define XFRM_ALIGN8(len)	(((len) + 7) & ~7)
41 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
42 	MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
43 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
44 	MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
45 
46 #ifdef CONFIG_XFRM_STATISTICS
47 #define XFRM_INC_STATS(net, field)	SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
48 #define XFRM_INC_STATS_BH(net, field)	SNMP_INC_STATS_BH((net)->mib.xfrm_statistics, field)
49 #define XFRM_INC_STATS_USER(net, field)	SNMP_INC_STATS_USER((net)-mib.xfrm_statistics, field)
50 #else
51 #define XFRM_INC_STATS(net, field)	((void)(net))
52 #define XFRM_INC_STATS_BH(net, field)	((void)(net))
53 #define XFRM_INC_STATS_USER(net, field)	((void)(net))
54 #endif
55 
56 
57 /* Organization of SPD aka "XFRM rules"
58    ------------------------------------
59 
60    Basic objects:
61    - policy rule, struct xfrm_policy (=SPD entry)
62    - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
63    - instance of a transformer, struct xfrm_state (=SA)
64    - template to clone xfrm_state, struct xfrm_tmpl
65 
66    SPD is plain linear list of xfrm_policy rules, ordered by priority.
67    (To be compatible with existing pfkeyv2 implementations,
68    many rules with priority of 0x7fffffff are allowed to exist and
69    such rules are ordered in an unpredictable way, thanks to bsd folks.)
70 
71    Lookup is plain linear search until the first match with selector.
72 
73    If "action" is "block", then we prohibit the flow, otherwise:
74    if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
75    policy entry has list of up to XFRM_MAX_DEPTH transformations,
76    described by templates xfrm_tmpl. Each template is resolved
77    to a complete xfrm_state (see below) and we pack bundle of transformations
78    to a dst_entry returned to requestor.
79 
80    dst -. xfrm  .-> xfrm_state #1
81     |---. child .-> dst -. xfrm .-> xfrm_state #2
82                      |---. child .-> dst -. xfrm .-> xfrm_state #3
83                                       |---. child .-> NULL
84 
85    Bundles are cached at xrfm_policy struct (field ->bundles).
86 
87 
88    Resolution of xrfm_tmpl
89    -----------------------
90    Template contains:
91    1. ->mode		Mode: transport or tunnel
92    2. ->id.proto	Protocol: AH/ESP/IPCOMP
93    3. ->id.daddr	Remote tunnel endpoint, ignored for transport mode.
94       Q: allow to resolve security gateway?
95    4. ->id.spi          If not zero, static SPI.
96    5. ->saddr		Local tunnel endpoint, ignored for transport mode.
97    6. ->algos		List of allowed algos. Plain bitmask now.
98       Q: ealgos, aalgos, calgos. What a mess...
99    7. ->share		Sharing mode.
100       Q: how to implement private sharing mode? To add struct sock* to
101       flow id?
102 
103    Having this template we search through SAD searching for entries
104    with appropriate mode/proto/algo, permitted by selector.
105    If no appropriate entry found, it is requested from key manager.
106 
107    PROBLEMS:
108    Q: How to find all the bundles referring to a physical path for
109       PMTU discovery? Seems, dst should contain list of all parents...
110       and enter to infinite locking hierarchy disaster.
111       No! It is easier, we will not search for them, let them find us.
112       We add genid to each dst plus pointer to genid of raw IP route,
113       pmtu disc will update pmtu on raw IP route and increase its genid.
114       dst_check() will see this for top level and trigger resyncing
115       metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
116  */
117 
118 struct xfrm_state_walk {
119 	struct list_head	all;
120 	u8			state;
121 	u8			dying;
122 	u8			proto;
123 	u32			seq;
124 	struct xfrm_address_filter *filter;
125 };
126 
127 /* Full description of state of transformer. */
128 struct xfrm_state {
129 	possible_net_t		xs_net;
130 	union {
131 		struct hlist_node	gclist;
132 		struct hlist_node	bydst;
133 	};
134 	struct hlist_node	bysrc;
135 	struct hlist_node	byspi;
136 
137 	atomic_t		refcnt;
138 	spinlock_t		lock;
139 
140 	struct xfrm_id		id;
141 	struct xfrm_selector	sel;
142 	struct xfrm_mark	mark;
143 	u32			tfcpad;
144 
145 	u32			genid;
146 
147 	/* Key manager bits */
148 	struct xfrm_state_walk	km;
149 
150 	/* Parameters of this state. */
151 	struct {
152 		u32		reqid;
153 		u8		mode;
154 		u8		replay_window;
155 		u8		aalgo, ealgo, calgo;
156 		u8		flags;
157 		u16		family;
158 		xfrm_address_t	saddr;
159 		int		header_len;
160 		int		trailer_len;
161 		u32		extra_flags;
162 	} props;
163 
164 	struct xfrm_lifetime_cfg lft;
165 
166 	/* Data for transformer */
167 	struct xfrm_algo_auth	*aalg;
168 	struct xfrm_algo	*ealg;
169 	struct xfrm_algo	*calg;
170 	struct xfrm_algo_aead	*aead;
171 
172 	/* Data for encapsulator */
173 	struct xfrm_encap_tmpl	*encap;
174 
175 	/* Data for care-of address */
176 	xfrm_address_t	*coaddr;
177 
178 	/* IPComp needs an IPIP tunnel for handling uncompressed packets */
179 	struct xfrm_state	*tunnel;
180 
181 	/* If a tunnel, number of users + 1 */
182 	atomic_t		tunnel_users;
183 
184 	/* State for replay detection */
185 	struct xfrm_replay_state replay;
186 	struct xfrm_replay_state_esn *replay_esn;
187 
188 	/* Replay detection state at the time we sent the last notification */
189 	struct xfrm_replay_state preplay;
190 	struct xfrm_replay_state_esn *preplay_esn;
191 
192 	/* The functions for replay detection. */
193 	struct xfrm_replay	*repl;
194 
195 	/* internal flag that only holds state for delayed aevent at the
196 	 * moment
197 	*/
198 	u32			xflags;
199 
200 	/* Replay detection notification settings */
201 	u32			replay_maxage;
202 	u32			replay_maxdiff;
203 
204 	/* Replay detection notification timer */
205 	struct timer_list	rtimer;
206 
207 	/* Statistics */
208 	struct xfrm_stats	stats;
209 
210 	struct xfrm_lifetime_cur curlft;
211 	struct tasklet_hrtimer	mtimer;
212 
213 	/* used to fix curlft->add_time when changing date */
214 	long		saved_tmo;
215 
216 	/* Last used time */
217 	unsigned long		lastused;
218 
219 	/* Reference to data common to all the instances of this
220 	 * transformer. */
221 	const struct xfrm_type	*type;
222 	struct xfrm_mode	*inner_mode;
223 	struct xfrm_mode	*inner_mode_iaf;
224 	struct xfrm_mode	*outer_mode;
225 
226 	/* Security context */
227 	struct xfrm_sec_ctx	*security;
228 
229 	/* Private data of this transformer, format is opaque,
230 	 * interpreted by xfrm_type methods. */
231 	void			*data;
232 };
233 
234 static inline struct net *xs_net(struct xfrm_state *x)
235 {
236 	return read_pnet(&x->xs_net);
237 }
238 
239 /* xflags - make enum if more show up */
240 #define XFRM_TIME_DEFER	1
241 #define XFRM_SOFT_EXPIRE 2
242 
243 enum {
244 	XFRM_STATE_VOID,
245 	XFRM_STATE_ACQ,
246 	XFRM_STATE_VALID,
247 	XFRM_STATE_ERROR,
248 	XFRM_STATE_EXPIRED,
249 	XFRM_STATE_DEAD
250 };
251 
252 /* callback structure passed from either netlink or pfkey */
253 struct km_event {
254 	union {
255 		u32 hard;
256 		u32 proto;
257 		u32 byid;
258 		u32 aevent;
259 		u32 type;
260 	} data;
261 
262 	u32	seq;
263 	u32	portid;
264 	u32	event;
265 	struct net *net;
266 };
267 
268 struct xfrm_replay {
269 	void	(*advance)(struct xfrm_state *x, __be32 net_seq);
270 	int	(*check)(struct xfrm_state *x,
271 			 struct sk_buff *skb,
272 			 __be32 net_seq);
273 	int	(*recheck)(struct xfrm_state *x,
274 			   struct sk_buff *skb,
275 			   __be32 net_seq);
276 	void	(*notify)(struct xfrm_state *x, int event);
277 	int	(*overflow)(struct xfrm_state *x, struct sk_buff *skb);
278 };
279 
280 struct net_device;
281 struct xfrm_type;
282 struct xfrm_dst;
283 struct xfrm_policy_afinfo {
284 	unsigned short		family;
285 	struct dst_ops		*dst_ops;
286 	void			(*garbage_collect)(struct net *net);
287 	struct dst_entry	*(*dst_lookup)(struct net *net, int tos,
288 					       const xfrm_address_t *saddr,
289 					       const xfrm_address_t *daddr);
290 	int			(*get_saddr)(struct net *net, xfrm_address_t *saddr, xfrm_address_t *daddr);
291 	void			(*decode_session)(struct sk_buff *skb,
292 						  struct flowi *fl,
293 						  int reverse);
294 	int			(*get_tos)(const struct flowi *fl);
295 	void			(*init_dst)(struct net *net,
296 					    struct xfrm_dst *dst);
297 	int			(*init_path)(struct xfrm_dst *path,
298 					     struct dst_entry *dst,
299 					     int nfheader_len);
300 	int			(*fill_dst)(struct xfrm_dst *xdst,
301 					    struct net_device *dev,
302 					    const struct flowi *fl);
303 	struct dst_entry	*(*blackhole_route)(struct net *net, struct dst_entry *orig);
304 };
305 
306 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
307 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
308 void km_policy_notify(struct xfrm_policy *xp, int dir,
309 		      const struct km_event *c);
310 void km_state_notify(struct xfrm_state *x, const struct km_event *c);
311 
312 struct xfrm_tmpl;
313 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t,
314 	     struct xfrm_policy *pol);
315 void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
316 int __xfrm_state_delete(struct xfrm_state *x);
317 
318 struct xfrm_state_afinfo {
319 	unsigned int		family;
320 	unsigned int		proto;
321 	__be16			eth_proto;
322 	struct module		*owner;
323 	const struct xfrm_type	*type_map[IPPROTO_MAX];
324 	struct xfrm_mode	*mode_map[XFRM_MODE_MAX];
325 	int			(*init_flags)(struct xfrm_state *x);
326 	void			(*init_tempsel)(struct xfrm_selector *sel,
327 						const struct flowi *fl);
328 	void			(*init_temprop)(struct xfrm_state *x,
329 						const struct xfrm_tmpl *tmpl,
330 						const xfrm_address_t *daddr,
331 						const xfrm_address_t *saddr);
332 	int			(*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
333 	int			(*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
334 	int			(*output)(struct sock *sk, struct sk_buff *skb);
335 	int			(*output_finish)(struct sock *sk, struct sk_buff *skb);
336 	int			(*extract_input)(struct xfrm_state *x,
337 						 struct sk_buff *skb);
338 	int			(*extract_output)(struct xfrm_state *x,
339 						  struct sk_buff *skb);
340 	int			(*transport_finish)(struct sk_buff *skb,
341 						    int async);
342 	void			(*local_error)(struct sk_buff *skb, u32 mtu);
343 };
344 
345 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
346 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
347 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
348 void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
349 
350 struct xfrm_input_afinfo {
351 	unsigned int		family;
352 	struct module		*owner;
353 	int			(*callback)(struct sk_buff *skb, u8 protocol,
354 					    int err);
355 };
356 
357 int xfrm_input_register_afinfo(struct xfrm_input_afinfo *afinfo);
358 int xfrm_input_unregister_afinfo(struct xfrm_input_afinfo *afinfo);
359 
360 void xfrm_state_delete_tunnel(struct xfrm_state *x);
361 
362 struct xfrm_type {
363 	char			*description;
364 	struct module		*owner;
365 	u8			proto;
366 	u8			flags;
367 #define XFRM_TYPE_NON_FRAGMENT	1
368 #define XFRM_TYPE_REPLAY_PROT	2
369 #define XFRM_TYPE_LOCAL_COADDR	4
370 #define XFRM_TYPE_REMOTE_COADDR	8
371 
372 	int			(*init_state)(struct xfrm_state *x);
373 	void			(*destructor)(struct xfrm_state *);
374 	int			(*input)(struct xfrm_state *, struct sk_buff *skb);
375 	int			(*output)(struct xfrm_state *, struct sk_buff *pskb);
376 	int			(*reject)(struct xfrm_state *, struct sk_buff *,
377 					  const struct flowi *);
378 	int			(*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
379 	/* Estimate maximal size of result of transformation of a dgram */
380 	u32			(*get_mtu)(struct xfrm_state *, int size);
381 };
382 
383 int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
384 int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
385 
386 struct xfrm_mode {
387 	/*
388 	 * Remove encapsulation header.
389 	 *
390 	 * The IP header will be moved over the top of the encapsulation
391 	 * header.
392 	 *
393 	 * On entry, the transport header shall point to where the IP header
394 	 * should be and the network header shall be set to where the IP
395 	 * header currently is.  skb->data shall point to the start of the
396 	 * payload.
397 	 */
398 	int (*input2)(struct xfrm_state *x, struct sk_buff *skb);
399 
400 	/*
401 	 * This is the actual input entry point.
402 	 *
403 	 * For transport mode and equivalent this would be identical to
404 	 * input2 (which does not need to be set).  While tunnel mode
405 	 * and equivalent would set this to the tunnel encapsulation function
406 	 * xfrm4_prepare_input that would in turn call input2.
407 	 */
408 	int (*input)(struct xfrm_state *x, struct sk_buff *skb);
409 
410 	/*
411 	 * Add encapsulation header.
412 	 *
413 	 * On exit, the transport header will be set to the start of the
414 	 * encapsulation header to be filled in by x->type->output and
415 	 * the mac header will be set to the nextheader (protocol for
416 	 * IPv4) field of the extension header directly preceding the
417 	 * encapsulation header, or in its absence, that of the top IP
418 	 * header.  The value of the network header will always point
419 	 * to the top IP header while skb->data will point to the payload.
420 	 */
421 	int (*output2)(struct xfrm_state *x,struct sk_buff *skb);
422 
423 	/*
424 	 * This is the actual output entry point.
425 	 *
426 	 * For transport mode and equivalent this would be identical to
427 	 * output2 (which does not need to be set).  While tunnel mode
428 	 * and equivalent would set this to a tunnel encapsulation function
429 	 * (xfrm4_prepare_output or xfrm6_prepare_output) that would in turn
430 	 * call output2.
431 	 */
432 	int (*output)(struct xfrm_state *x, struct sk_buff *skb);
433 
434 	struct xfrm_state_afinfo *afinfo;
435 	struct module *owner;
436 	unsigned int encap;
437 	int flags;
438 };
439 
440 /* Flags for xfrm_mode. */
441 enum {
442 	XFRM_MODE_FLAG_TUNNEL = 1,
443 };
444 
445 int xfrm_register_mode(struct xfrm_mode *mode, int family);
446 int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
447 
448 static inline int xfrm_af2proto(unsigned int family)
449 {
450 	switch(family) {
451 	case AF_INET:
452 		return IPPROTO_IPIP;
453 	case AF_INET6:
454 		return IPPROTO_IPV6;
455 	default:
456 		return 0;
457 	}
458 }
459 
460 static inline struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
461 {
462 	if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
463 	    (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
464 		return x->inner_mode;
465 	else
466 		return x->inner_mode_iaf;
467 }
468 
469 struct xfrm_tmpl {
470 /* id in template is interpreted as:
471  * daddr - destination of tunnel, may be zero for transport mode.
472  * spi   - zero to acquire spi. Not zero if spi is static, then
473  *	   daddr must be fixed too.
474  * proto - AH/ESP/IPCOMP
475  */
476 	struct xfrm_id		id;
477 
478 /* Source address of tunnel. Ignored, if it is not a tunnel. */
479 	xfrm_address_t		saddr;
480 
481 	unsigned short		encap_family;
482 
483 	u32			reqid;
484 
485 /* Mode: transport, tunnel etc. */
486 	u8			mode;
487 
488 /* Sharing mode: unique, this session only, this user only etc. */
489 	u8			share;
490 
491 /* May skip this transfomration if no SA is found */
492 	u8			optional;
493 
494 /* Skip aalgos/ealgos/calgos checks. */
495 	u8			allalgs;
496 
497 /* Bit mask of algos allowed for acquisition */
498 	u32			aalgos;
499 	u32			ealgos;
500 	u32			calgos;
501 };
502 
503 #define XFRM_MAX_DEPTH		6
504 
505 struct xfrm_policy_walk_entry {
506 	struct list_head	all;
507 	u8			dead;
508 };
509 
510 struct xfrm_policy_walk {
511 	struct xfrm_policy_walk_entry walk;
512 	u8 type;
513 	u32 seq;
514 };
515 
516 struct xfrm_policy_queue {
517 	struct sk_buff_head	hold_queue;
518 	struct timer_list	hold_timer;
519 	unsigned long		timeout;
520 };
521 
522 struct xfrm_policy {
523 	possible_net_t		xp_net;
524 	struct hlist_node	bydst;
525 	struct hlist_node	byidx;
526 
527 	/* This lock only affects elements except for entry. */
528 	rwlock_t		lock;
529 	atomic_t		refcnt;
530 	struct timer_list	timer;
531 
532 	struct flow_cache_object flo;
533 	atomic_t		genid;
534 	u32			priority;
535 	u32			index;
536 	struct xfrm_mark	mark;
537 	struct xfrm_selector	selector;
538 	struct xfrm_lifetime_cfg lft;
539 	struct xfrm_lifetime_cur curlft;
540 	struct xfrm_policy_walk_entry walk;
541 	struct xfrm_policy_queue polq;
542 	u8			type;
543 	u8			action;
544 	u8			flags;
545 	u8			xfrm_nr;
546 	u16			family;
547 	struct xfrm_sec_ctx	*security;
548 	struct xfrm_tmpl       	xfrm_vec[XFRM_MAX_DEPTH];
549 };
550 
551 static inline struct net *xp_net(const struct xfrm_policy *xp)
552 {
553 	return read_pnet(&xp->xp_net);
554 }
555 
556 struct xfrm_kmaddress {
557 	xfrm_address_t          local;
558 	xfrm_address_t          remote;
559 	u32			reserved;
560 	u16			family;
561 };
562 
563 struct xfrm_migrate {
564 	xfrm_address_t		old_daddr;
565 	xfrm_address_t		old_saddr;
566 	xfrm_address_t		new_daddr;
567 	xfrm_address_t		new_saddr;
568 	u8			proto;
569 	u8			mode;
570 	u16			reserved;
571 	u32			reqid;
572 	u16			old_family;
573 	u16			new_family;
574 };
575 
576 #define XFRM_KM_TIMEOUT                30
577 /* what happened */
578 #define XFRM_REPLAY_UPDATE	XFRM_AE_CR
579 #define XFRM_REPLAY_TIMEOUT	XFRM_AE_CE
580 
581 /* default aevent timeout in units of 100ms */
582 #define XFRM_AE_ETIME			10
583 /* Async Event timer multiplier */
584 #define XFRM_AE_ETH_M			10
585 /* default seq threshold size */
586 #define XFRM_AE_SEQT_SIZE		2
587 
588 struct xfrm_mgr {
589 	struct list_head	list;
590 	char			*id;
591 	int			(*notify)(struct xfrm_state *x, const struct km_event *c);
592 	int			(*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
593 	struct xfrm_policy	*(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
594 	int			(*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
595 	int			(*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
596 	int			(*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
597 	int			(*migrate)(const struct xfrm_selector *sel,
598 					   u8 dir, u8 type,
599 					   const struct xfrm_migrate *m,
600 					   int num_bundles,
601 					   const struct xfrm_kmaddress *k);
602 	bool			(*is_alive)(const struct km_event *c);
603 };
604 
605 int xfrm_register_km(struct xfrm_mgr *km);
606 int xfrm_unregister_km(struct xfrm_mgr *km);
607 
608 struct xfrm_tunnel_skb_cb {
609 	union {
610 		struct inet_skb_parm h4;
611 		struct inet6_skb_parm h6;
612 	} header;
613 
614 	union {
615 		struct ip_tunnel *ip4;
616 		struct ip6_tnl *ip6;
617 	} tunnel;
618 };
619 
620 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
621 
622 /*
623  * This structure is used for the duration where packets are being
624  * transformed by IPsec.  As soon as the packet leaves IPsec the
625  * area beyond the generic IP part may be overwritten.
626  */
627 struct xfrm_skb_cb {
628 	struct xfrm_tunnel_skb_cb header;
629 
630         /* Sequence number for replay protection. */
631 	union {
632 		struct {
633 			__u32 low;
634 			__u32 hi;
635 		} output;
636 		struct {
637 			__be32 low;
638 			__be32 hi;
639 		} input;
640 	} seq;
641 };
642 
643 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
644 
645 /*
646  * This structure is used by the afinfo prepare_input/prepare_output functions
647  * to transmit header information to the mode input/output functions.
648  */
649 struct xfrm_mode_skb_cb {
650 	struct xfrm_tunnel_skb_cb header;
651 
652 	/* Copied from header for IPv4, always set to zero and DF for IPv6. */
653 	__be16 id;
654 	__be16 frag_off;
655 
656 	/* IP header length (excluding options or extension headers). */
657 	u8 ihl;
658 
659 	/* TOS for IPv4, class for IPv6. */
660 	u8 tos;
661 
662 	/* TTL for IPv4, hop limitfor IPv6. */
663 	u8 ttl;
664 
665 	/* Protocol for IPv4, NH for IPv6. */
666 	u8 protocol;
667 
668 	/* Option length for IPv4, zero for IPv6. */
669 	u8 optlen;
670 
671 	/* Used by IPv6 only, zero for IPv4. */
672 	u8 flow_lbl[3];
673 };
674 
675 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
676 
677 /*
678  * This structure is used by the input processing to locate the SPI and
679  * related information.
680  */
681 struct xfrm_spi_skb_cb {
682 	struct xfrm_tunnel_skb_cb header;
683 
684 	unsigned int daddroff;
685 	unsigned int family;
686 };
687 
688 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
689 
690 #ifdef CONFIG_AUDITSYSCALL
691 static inline struct audit_buffer *xfrm_audit_start(const char *op)
692 {
693 	struct audit_buffer *audit_buf = NULL;
694 
695 	if (audit_enabled == 0)
696 		return NULL;
697 	audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
698 				    AUDIT_MAC_IPSEC_EVENT);
699 	if (audit_buf == NULL)
700 		return NULL;
701 	audit_log_format(audit_buf, "op=%s", op);
702 	return audit_buf;
703 }
704 
705 static inline void xfrm_audit_helper_usrinfo(bool task_valid,
706 					     struct audit_buffer *audit_buf)
707 {
708 	const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
709 					    audit_get_loginuid(current) :
710 					    INVALID_UID);
711 	const unsigned int ses = task_valid ? audit_get_sessionid(current) :
712 		(unsigned int) -1;
713 
714 	audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
715 	audit_log_task_context(audit_buf);
716 }
717 
718 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
719 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
720 			      bool task_valid);
721 void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
722 void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
723 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
724 				      struct sk_buff *skb);
725 void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
726 			     __be32 net_seq);
727 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
728 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi,
729 			       __be32 net_seq);
730 void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
731 			      u8 proto);
732 #else
733 
734 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
735 					 bool task_valid)
736 {
737 }
738 
739 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
740 					    bool task_valid)
741 {
742 }
743 
744 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
745 					bool task_valid)
746 {
747 }
748 
749 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
750 					   bool task_valid)
751 {
752 }
753 
754 static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
755 					     struct sk_buff *skb)
756 {
757 }
758 
759 static inline void xfrm_audit_state_replay(struct xfrm_state *x,
760 					   struct sk_buff *skb, __be32 net_seq)
761 {
762 }
763 
764 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
765 				      u16 family)
766 {
767 }
768 
769 static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
770 				      __be32 net_spi, __be32 net_seq)
771 {
772 }
773 
774 static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
775 				     struct sk_buff *skb, u8 proto)
776 {
777 }
778 #endif /* CONFIG_AUDITSYSCALL */
779 
780 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
781 {
782 	if (likely(policy != NULL))
783 		atomic_inc(&policy->refcnt);
784 }
785 
786 void xfrm_policy_destroy(struct xfrm_policy *policy);
787 
788 static inline void xfrm_pol_put(struct xfrm_policy *policy)
789 {
790 	if (atomic_dec_and_test(&policy->refcnt))
791 		xfrm_policy_destroy(policy);
792 }
793 
794 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
795 {
796 	int i;
797 	for (i = npols - 1; i >= 0; --i)
798 		xfrm_pol_put(pols[i]);
799 }
800 
801 void __xfrm_state_destroy(struct xfrm_state *);
802 
803 static inline void __xfrm_state_put(struct xfrm_state *x)
804 {
805 	atomic_dec(&x->refcnt);
806 }
807 
808 static inline void xfrm_state_put(struct xfrm_state *x)
809 {
810 	if (atomic_dec_and_test(&x->refcnt))
811 		__xfrm_state_destroy(x);
812 }
813 
814 static inline void xfrm_state_hold(struct xfrm_state *x)
815 {
816 	atomic_inc(&x->refcnt);
817 }
818 
819 static inline bool addr_match(const void *token1, const void *token2,
820 			      int prefixlen)
821 {
822 	const __be32 *a1 = token1;
823 	const __be32 *a2 = token2;
824 	int pdw;
825 	int pbi;
826 
827 	pdw = prefixlen >> 5;	  /* num of whole u32 in prefix */
828 	pbi = prefixlen &  0x1f;  /* num of bits in incomplete u32 in prefix */
829 
830 	if (pdw)
831 		if (memcmp(a1, a2, pdw << 2))
832 			return false;
833 
834 	if (pbi) {
835 		__be32 mask;
836 
837 		mask = htonl((0xffffffff) << (32 - pbi));
838 
839 		if ((a1[pdw] ^ a2[pdw]) & mask)
840 			return false;
841 	}
842 
843 	return true;
844 }
845 
846 static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
847 {
848 	/* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
849 	if (prefixlen == 0)
850 		return true;
851 	return !((a1 ^ a2) & htonl(0xFFFFFFFFu << (32 - prefixlen)));
852 }
853 
854 static __inline__
855 __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
856 {
857 	__be16 port;
858 	switch(fl->flowi_proto) {
859 	case IPPROTO_TCP:
860 	case IPPROTO_UDP:
861 	case IPPROTO_UDPLITE:
862 	case IPPROTO_SCTP:
863 		port = uli->ports.sport;
864 		break;
865 	case IPPROTO_ICMP:
866 	case IPPROTO_ICMPV6:
867 		port = htons(uli->icmpt.type);
868 		break;
869 	case IPPROTO_MH:
870 		port = htons(uli->mht.type);
871 		break;
872 	case IPPROTO_GRE:
873 		port = htons(ntohl(uli->gre_key) >> 16);
874 		break;
875 	default:
876 		port = 0;	/*XXX*/
877 	}
878 	return port;
879 }
880 
881 static __inline__
882 __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
883 {
884 	__be16 port;
885 	switch(fl->flowi_proto) {
886 	case IPPROTO_TCP:
887 	case IPPROTO_UDP:
888 	case IPPROTO_UDPLITE:
889 	case IPPROTO_SCTP:
890 		port = uli->ports.dport;
891 		break;
892 	case IPPROTO_ICMP:
893 	case IPPROTO_ICMPV6:
894 		port = htons(uli->icmpt.code);
895 		break;
896 	case IPPROTO_GRE:
897 		port = htons(ntohl(uli->gre_key) & 0xffff);
898 		break;
899 	default:
900 		port = 0;	/*XXX*/
901 	}
902 	return port;
903 }
904 
905 bool xfrm_selector_match(const struct xfrm_selector *sel,
906 			 const struct flowi *fl, unsigned short family);
907 
908 #ifdef CONFIG_SECURITY_NETWORK_XFRM
909 /*	If neither has a context --> match
910  * 	Otherwise, both must have a context and the sids, doi, alg must match
911  */
912 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
913 {
914 	return ((!s1 && !s2) ||
915 		(s1 && s2 &&
916 		 (s1->ctx_sid == s2->ctx_sid) &&
917 		 (s1->ctx_doi == s2->ctx_doi) &&
918 		 (s1->ctx_alg == s2->ctx_alg)));
919 }
920 #else
921 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
922 {
923 	return true;
924 }
925 #endif
926 
927 /* A struct encoding bundle of transformations to apply to some set of flow.
928  *
929  * dst->child points to the next element of bundle.
930  * dst->xfrm  points to an instanse of transformer.
931  *
932  * Due to unfortunate limitations of current routing cache, which we
933  * have no time to fix, it mirrors struct rtable and bound to the same
934  * routing key, including saddr,daddr. However, we can have many of
935  * bundles differing by session id. All the bundles grow from a parent
936  * policy rule.
937  */
938 struct xfrm_dst {
939 	union {
940 		struct dst_entry	dst;
941 		struct rtable		rt;
942 		struct rt6_info		rt6;
943 	} u;
944 	struct dst_entry *route;
945 	struct flow_cache_object flo;
946 	struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
947 	int num_pols, num_xfrms;
948 #ifdef CONFIG_XFRM_SUB_POLICY
949 	struct flowi *origin;
950 	struct xfrm_selector *partner;
951 #endif
952 	u32 xfrm_genid;
953 	u32 policy_genid;
954 	u32 route_mtu_cached;
955 	u32 child_mtu_cached;
956 	u32 route_cookie;
957 	u32 path_cookie;
958 };
959 
960 #ifdef CONFIG_XFRM
961 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
962 {
963 	xfrm_pols_put(xdst->pols, xdst->num_pols);
964 	dst_release(xdst->route);
965 	if (likely(xdst->u.dst.xfrm))
966 		xfrm_state_put(xdst->u.dst.xfrm);
967 #ifdef CONFIG_XFRM_SUB_POLICY
968 	kfree(xdst->origin);
969 	xdst->origin = NULL;
970 	kfree(xdst->partner);
971 	xdst->partner = NULL;
972 #endif
973 }
974 #endif
975 
976 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
977 
978 struct sec_path {
979 	atomic_t		refcnt;
980 	int			len;
981 	struct xfrm_state	*xvec[XFRM_MAX_DEPTH];
982 };
983 
984 static inline int secpath_exists(struct sk_buff *skb)
985 {
986 #ifdef CONFIG_XFRM
987 	return skb->sp != NULL;
988 #else
989 	return 0;
990 #endif
991 }
992 
993 static inline struct sec_path *
994 secpath_get(struct sec_path *sp)
995 {
996 	if (sp)
997 		atomic_inc(&sp->refcnt);
998 	return sp;
999 }
1000 
1001 void __secpath_destroy(struct sec_path *sp);
1002 
1003 static inline void
1004 secpath_put(struct sec_path *sp)
1005 {
1006 	if (sp && atomic_dec_and_test(&sp->refcnt))
1007 		__secpath_destroy(sp);
1008 }
1009 
1010 struct sec_path *secpath_dup(struct sec_path *src);
1011 
1012 static inline void
1013 secpath_reset(struct sk_buff *skb)
1014 {
1015 #ifdef CONFIG_XFRM
1016 	secpath_put(skb->sp);
1017 	skb->sp = NULL;
1018 #endif
1019 }
1020 
1021 static inline int
1022 xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1023 {
1024 	switch (family) {
1025 	case AF_INET:
1026 		return addr->a4 == 0;
1027 	case AF_INET6:
1028 		return ipv6_addr_any(&addr->in6);
1029 	}
1030 	return 0;
1031 }
1032 
1033 static inline int
1034 __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1035 {
1036 	return	(tmpl->saddr.a4 &&
1037 		 tmpl->saddr.a4 != x->props.saddr.a4);
1038 }
1039 
1040 static inline int
1041 __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1042 {
1043 	return	(!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1044 		 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1045 }
1046 
1047 static inline int
1048 xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1049 {
1050 	switch (family) {
1051 	case AF_INET:
1052 		return __xfrm4_state_addr_cmp(tmpl, x);
1053 	case AF_INET6:
1054 		return __xfrm6_state_addr_cmp(tmpl, x);
1055 	}
1056 	return !0;
1057 }
1058 
1059 #ifdef CONFIG_XFRM
1060 int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
1061 			unsigned short family);
1062 
1063 static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1064 				       struct sk_buff *skb,
1065 				       unsigned int family, int reverse)
1066 {
1067 	struct net *net = dev_net(skb->dev);
1068 	int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1069 
1070 	if (sk && sk->sk_policy[XFRM_POLICY_IN])
1071 		return __xfrm_policy_check(sk, ndir, skb, family);
1072 
1073 	return	(!net->xfrm.policy_count[dir] && !skb->sp) ||
1074 		(skb_dst(skb)->flags & DST_NOPOLICY) ||
1075 		__xfrm_policy_check(sk, ndir, skb, family);
1076 }
1077 
1078 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1079 {
1080 	return __xfrm_policy_check2(sk, dir, skb, family, 0);
1081 }
1082 
1083 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1084 {
1085 	return xfrm_policy_check(sk, dir, skb, AF_INET);
1086 }
1087 
1088 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1089 {
1090 	return xfrm_policy_check(sk, dir, skb, AF_INET6);
1091 }
1092 
1093 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1094 					     struct sk_buff *skb)
1095 {
1096 	return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1097 }
1098 
1099 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1100 					     struct sk_buff *skb)
1101 {
1102 	return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1103 }
1104 
1105 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1106 			  unsigned int family, int reverse);
1107 
1108 static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1109 				      unsigned int family)
1110 {
1111 	return __xfrm_decode_session(skb, fl, family, 0);
1112 }
1113 
1114 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1115 					      struct flowi *fl,
1116 					      unsigned int family)
1117 {
1118 	return __xfrm_decode_session(skb, fl, family, 1);
1119 }
1120 
1121 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1122 
1123 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1124 {
1125 	struct net *net = dev_net(skb->dev);
1126 
1127 	return	!net->xfrm.policy_count[XFRM_POLICY_OUT] ||
1128 		(skb_dst(skb)->flags & DST_NOXFRM) ||
1129 		__xfrm_route_forward(skb, family);
1130 }
1131 
1132 static inline int xfrm4_route_forward(struct sk_buff *skb)
1133 {
1134 	return xfrm_route_forward(skb, AF_INET);
1135 }
1136 
1137 static inline int xfrm6_route_forward(struct sk_buff *skb)
1138 {
1139 	return xfrm_route_forward(skb, AF_INET6);
1140 }
1141 
1142 int __xfrm_sk_clone_policy(struct sock *sk);
1143 
1144 static inline int xfrm_sk_clone_policy(struct sock *sk)
1145 {
1146 	if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
1147 		return __xfrm_sk_clone_policy(sk);
1148 	return 0;
1149 }
1150 
1151 int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1152 
1153 static inline void xfrm_sk_free_policy(struct sock *sk)
1154 {
1155 	if (unlikely(sk->sk_policy[0] != NULL)) {
1156 		xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
1157 		sk->sk_policy[0] = NULL;
1158 	}
1159 	if (unlikely(sk->sk_policy[1] != NULL)) {
1160 		xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
1161 		sk->sk_policy[1] = NULL;
1162 	}
1163 }
1164 
1165 void xfrm_garbage_collect(struct net *net);
1166 
1167 #else
1168 
1169 static inline void xfrm_sk_free_policy(struct sock *sk) {}
1170 static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
1171 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
1172 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
1173 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1174 {
1175 	return 1;
1176 }
1177 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1178 {
1179 	return 1;
1180 }
1181 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1182 {
1183 	return 1;
1184 }
1185 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1186 					      struct flowi *fl,
1187 					      unsigned int family)
1188 {
1189 	return -ENOSYS;
1190 }
1191 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1192 					     struct sk_buff *skb)
1193 {
1194 	return 1;
1195 }
1196 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1197 					     struct sk_buff *skb)
1198 {
1199 	return 1;
1200 }
1201 static inline void xfrm_garbage_collect(struct net *net)
1202 {
1203 }
1204 #endif
1205 
1206 static __inline__
1207 xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1208 {
1209 	switch (family){
1210 	case AF_INET:
1211 		return (xfrm_address_t *)&fl->u.ip4.daddr;
1212 	case AF_INET6:
1213 		return (xfrm_address_t *)&fl->u.ip6.daddr;
1214 	}
1215 	return NULL;
1216 }
1217 
1218 static __inline__
1219 xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1220 {
1221 	switch (family){
1222 	case AF_INET:
1223 		return (xfrm_address_t *)&fl->u.ip4.saddr;
1224 	case AF_INET6:
1225 		return (xfrm_address_t *)&fl->u.ip6.saddr;
1226 	}
1227 	return NULL;
1228 }
1229 
1230 static __inline__
1231 void xfrm_flowi_addr_get(const struct flowi *fl,
1232 			 xfrm_address_t *saddr, xfrm_address_t *daddr,
1233 			 unsigned short family)
1234 {
1235 	switch(family) {
1236 	case AF_INET:
1237 		memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1238 		memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1239 		break;
1240 	case AF_INET6:
1241 		saddr->in6 = fl->u.ip6.saddr;
1242 		daddr->in6 = fl->u.ip6.daddr;
1243 		break;
1244 	}
1245 }
1246 
1247 static __inline__ int
1248 __xfrm4_state_addr_check(const struct xfrm_state *x,
1249 			 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1250 {
1251 	if (daddr->a4 == x->id.daddr.a4 &&
1252 	    (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1253 		return 1;
1254 	return 0;
1255 }
1256 
1257 static __inline__ int
1258 __xfrm6_state_addr_check(const struct xfrm_state *x,
1259 			 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1260 {
1261 	if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1262 	    (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
1263 	     ipv6_addr_any((struct in6_addr *)saddr) ||
1264 	     ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1265 		return 1;
1266 	return 0;
1267 }
1268 
1269 static __inline__ int
1270 xfrm_state_addr_check(const struct xfrm_state *x,
1271 		      const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1272 		      unsigned short family)
1273 {
1274 	switch (family) {
1275 	case AF_INET:
1276 		return __xfrm4_state_addr_check(x, daddr, saddr);
1277 	case AF_INET6:
1278 		return __xfrm6_state_addr_check(x, daddr, saddr);
1279 	}
1280 	return 0;
1281 }
1282 
1283 static __inline__ int
1284 xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1285 			   unsigned short family)
1286 {
1287 	switch (family) {
1288 	case AF_INET:
1289 		return __xfrm4_state_addr_check(x,
1290 						(const xfrm_address_t *)&fl->u.ip4.daddr,
1291 						(const xfrm_address_t *)&fl->u.ip4.saddr);
1292 	case AF_INET6:
1293 		return __xfrm6_state_addr_check(x,
1294 						(const xfrm_address_t *)&fl->u.ip6.daddr,
1295 						(const xfrm_address_t *)&fl->u.ip6.saddr);
1296 	}
1297 	return 0;
1298 }
1299 
1300 static inline int xfrm_state_kern(const struct xfrm_state *x)
1301 {
1302 	return atomic_read(&x->tunnel_users);
1303 }
1304 
1305 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1306 {
1307 	return (!userproto || proto == userproto ||
1308 		(userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1309 						  proto == IPPROTO_ESP ||
1310 						  proto == IPPROTO_COMP)));
1311 }
1312 
1313 /*
1314  * xfrm algorithm information
1315  */
1316 struct xfrm_algo_aead_info {
1317 	u16 icv_truncbits;
1318 };
1319 
1320 struct xfrm_algo_auth_info {
1321 	u16 icv_truncbits;
1322 	u16 icv_fullbits;
1323 };
1324 
1325 struct xfrm_algo_encr_info {
1326 	u16 blockbits;
1327 	u16 defkeybits;
1328 };
1329 
1330 struct xfrm_algo_comp_info {
1331 	u16 threshold;
1332 };
1333 
1334 struct xfrm_algo_desc {
1335 	char *name;
1336 	char *compat;
1337 	u8 available:1;
1338 	u8 pfkey_supported:1;
1339 	union {
1340 		struct xfrm_algo_aead_info aead;
1341 		struct xfrm_algo_auth_info auth;
1342 		struct xfrm_algo_encr_info encr;
1343 		struct xfrm_algo_comp_info comp;
1344 	} uinfo;
1345 	struct sadb_alg desc;
1346 };
1347 
1348 /* XFRM protocol handlers.  */
1349 struct xfrm4_protocol {
1350 	int (*handler)(struct sk_buff *skb);
1351 	int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1352 			     int encap_type);
1353 	int (*cb_handler)(struct sk_buff *skb, int err);
1354 	int (*err_handler)(struct sk_buff *skb, u32 info);
1355 
1356 	struct xfrm4_protocol __rcu *next;
1357 	int priority;
1358 };
1359 
1360 struct xfrm6_protocol {
1361 	int (*handler)(struct sk_buff *skb);
1362 	int (*cb_handler)(struct sk_buff *skb, int err);
1363 	int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1364 			   u8 type, u8 code, int offset, __be32 info);
1365 
1366 	struct xfrm6_protocol __rcu *next;
1367 	int priority;
1368 };
1369 
1370 /* XFRM tunnel handlers.  */
1371 struct xfrm_tunnel {
1372 	int (*handler)(struct sk_buff *skb);
1373 	int (*err_handler)(struct sk_buff *skb, u32 info);
1374 
1375 	struct xfrm_tunnel __rcu *next;
1376 	int priority;
1377 };
1378 
1379 struct xfrm6_tunnel {
1380 	int (*handler)(struct sk_buff *skb);
1381 	int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1382 			   u8 type, u8 code, int offset, __be32 info);
1383 	struct xfrm6_tunnel __rcu *next;
1384 	int priority;
1385 };
1386 
1387 void xfrm_init(void);
1388 void xfrm4_init(void);
1389 int xfrm_state_init(struct net *net);
1390 void xfrm_state_fini(struct net *net);
1391 void xfrm4_state_init(void);
1392 void xfrm4_protocol_init(void);
1393 #ifdef CONFIG_XFRM
1394 int xfrm6_init(void);
1395 void xfrm6_fini(void);
1396 int xfrm6_state_init(void);
1397 void xfrm6_state_fini(void);
1398 int xfrm6_protocol_init(void);
1399 void xfrm6_protocol_fini(void);
1400 #else
1401 static inline int xfrm6_init(void)
1402 {
1403 	return 0;
1404 }
1405 static inline void xfrm6_fini(void)
1406 {
1407 	;
1408 }
1409 #endif
1410 
1411 #ifdef CONFIG_XFRM_STATISTICS
1412 int xfrm_proc_init(struct net *net);
1413 void xfrm_proc_fini(struct net *net);
1414 #endif
1415 
1416 int xfrm_sysctl_init(struct net *net);
1417 #ifdef CONFIG_SYSCTL
1418 void xfrm_sysctl_fini(struct net *net);
1419 #else
1420 static inline void xfrm_sysctl_fini(struct net *net)
1421 {
1422 }
1423 #endif
1424 
1425 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
1426 			  struct xfrm_address_filter *filter);
1427 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1428 		    int (*func)(struct xfrm_state *, int, void*), void *);
1429 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
1430 struct xfrm_state *xfrm_state_alloc(struct net *net);
1431 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1432 				   const xfrm_address_t *saddr,
1433 				   const struct flowi *fl,
1434 				   struct xfrm_tmpl *tmpl,
1435 				   struct xfrm_policy *pol, int *err,
1436 				   unsigned short family);
1437 struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark,
1438 				       xfrm_address_t *daddr,
1439 				       xfrm_address_t *saddr,
1440 				       unsigned short family,
1441 				       u8 mode, u8 proto, u32 reqid);
1442 struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1443 					      unsigned short family);
1444 int xfrm_state_check_expire(struct xfrm_state *x);
1445 void xfrm_state_insert(struct xfrm_state *x);
1446 int xfrm_state_add(struct xfrm_state *x);
1447 int xfrm_state_update(struct xfrm_state *x);
1448 struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1449 				     const xfrm_address_t *daddr, __be32 spi,
1450 				     u8 proto, unsigned short family);
1451 struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1452 					    const xfrm_address_t *daddr,
1453 					    const xfrm_address_t *saddr,
1454 					    u8 proto,
1455 					    unsigned short family);
1456 #ifdef CONFIG_XFRM_SUB_POLICY
1457 int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1458 		   unsigned short family, struct net *net);
1459 int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1460 		    unsigned short family);
1461 #else
1462 static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1463 				 int n, unsigned short family, struct net *net)
1464 {
1465 	return -ENOSYS;
1466 }
1467 
1468 static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1469 				  int n, unsigned short family)
1470 {
1471 	return -ENOSYS;
1472 }
1473 #endif
1474 
1475 struct xfrmk_sadinfo {
1476 	u32 sadhcnt; /* current hash bkts */
1477 	u32 sadhmcnt; /* max allowed hash bkts */
1478 	u32 sadcnt; /* current running count */
1479 };
1480 
1481 struct xfrmk_spdinfo {
1482 	u32 incnt;
1483 	u32 outcnt;
1484 	u32 fwdcnt;
1485 	u32 inscnt;
1486 	u32 outscnt;
1487 	u32 fwdscnt;
1488 	u32 spdhcnt;
1489 	u32 spdhmcnt;
1490 };
1491 
1492 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
1493 int xfrm_state_delete(struct xfrm_state *x);
1494 int xfrm_state_flush(struct net *net, u8 proto, bool task_valid);
1495 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1496 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1497 u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1498 int xfrm_init_replay(struct xfrm_state *x);
1499 int xfrm_state_mtu(struct xfrm_state *x, int mtu);
1500 int __xfrm_init_state(struct xfrm_state *x, bool init_replay);
1501 int xfrm_init_state(struct xfrm_state *x);
1502 int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
1503 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
1504 int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1505 int xfrm_output_resume(struct sk_buff *skb, int err);
1506 int xfrm_output(struct sock *sk, struct sk_buff *skb);
1507 int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1508 void xfrm_local_error(struct sk_buff *skb, int mtu);
1509 int xfrm4_extract_header(struct sk_buff *skb);
1510 int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1511 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1512 		    int encap_type);
1513 int xfrm4_transport_finish(struct sk_buff *skb, int async);
1514 int xfrm4_rcv(struct sk_buff *skb);
1515 
1516 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1517 {
1518 	XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
1519 	XFRM_SPI_SKB_CB(skb)->family = AF_INET;
1520 	XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
1521 	return xfrm_input(skb, nexthdr, spi, 0);
1522 }
1523 
1524 int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1525 int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1526 int xfrm4_output(struct sock *sk, struct sk_buff *skb);
1527 int xfrm4_output_finish(struct sock *sk, struct sk_buff *skb);
1528 int xfrm4_rcv_cb(struct sk_buff *skb, u8 protocol, int err);
1529 int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);
1530 int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);
1531 int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1532 int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1533 void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
1534 int xfrm6_extract_header(struct sk_buff *skb);
1535 int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1536 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
1537 int xfrm6_transport_finish(struct sk_buff *skb, int async);
1538 int xfrm6_rcv(struct sk_buff *skb);
1539 int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1540 		     xfrm_address_t *saddr, u8 proto);
1541 void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
1542 int xfrm6_rcv_cb(struct sk_buff *skb, u8 protocol, int err);
1543 int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);
1544 int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);
1545 int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1546 int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1547 __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1548 __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1549 int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1550 int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1551 int xfrm6_output(struct sock *sk, struct sk_buff *skb);
1552 int xfrm6_output_finish(struct sock *sk, struct sk_buff *skb);
1553 int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1554 			  u8 **prevhdr);
1555 
1556 #ifdef CONFIG_XFRM
1557 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1558 int xfrm_user_policy(struct sock *sk, int optname,
1559 		     u8 __user *optval, int optlen);
1560 #else
1561 static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1562 {
1563  	return -ENOPROTOOPT;
1564 }
1565 
1566 static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1567 {
1568  	/* should not happen */
1569  	kfree_skb(skb);
1570 	return 0;
1571 }
1572 #endif
1573 
1574 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1575 
1576 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1577 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1578 		     int (*func)(struct xfrm_policy *, int, int, void*),
1579 		     void *);
1580 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1581 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1582 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark,
1583 					  u8 type, int dir,
1584 					  struct xfrm_selector *sel,
1585 					  struct xfrm_sec_ctx *ctx, int delete,
1586 					  int *err);
1587 struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8, int dir,
1588 				     u32 id, int delete, int *err);
1589 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
1590 void xfrm_policy_hash_rebuild(struct net *net);
1591 u32 xfrm_get_acqseq(void);
1592 int verify_spi_info(u8 proto, u32 min, u32 max);
1593 int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1594 struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
1595 				 u8 mode, u32 reqid, u8 proto,
1596 				 const xfrm_address_t *daddr,
1597 				 const xfrm_address_t *saddr, int create,
1598 				 unsigned short family);
1599 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1600 
1601 #ifdef CONFIG_XFRM_MIGRATE
1602 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1603 	       const struct xfrm_migrate *m, int num_bundles,
1604 	       const struct xfrm_kmaddress *k);
1605 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net);
1606 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
1607 				      struct xfrm_migrate *m);
1608 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1609 		 struct xfrm_migrate *m, int num_bundles,
1610 		 struct xfrm_kmaddress *k, struct net *net);
1611 #endif
1612 
1613 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1614 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1615 int km_report(struct net *net, u8 proto, struct xfrm_selector *sel,
1616 	      xfrm_address_t *addr);
1617 
1618 void xfrm_input_init(void);
1619 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1620 
1621 void xfrm_probe_algs(void);
1622 int xfrm_count_pfkey_auth_supported(void);
1623 int xfrm_count_pfkey_enc_supported(void);
1624 struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1625 struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1626 struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1627 struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1628 struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1629 struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1630 struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1631 struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1632 struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1633 					    int probe);
1634 
1635 static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1636 				    const xfrm_address_t *b)
1637 {
1638 	return ipv6_addr_equal((const struct in6_addr *)a,
1639 			       (const struct in6_addr *)b);
1640 }
1641 
1642 static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1643 				   const xfrm_address_t *b,
1644 				   sa_family_t family)
1645 {
1646 	switch (family) {
1647 	default:
1648 	case AF_INET:
1649 		return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1650 	case AF_INET6:
1651 		return xfrm6_addr_equal(a, b);
1652 	}
1653 }
1654 
1655 static inline int xfrm_policy_id2dir(u32 index)
1656 {
1657 	return index & 7;
1658 }
1659 
1660 #ifdef CONFIG_XFRM
1661 static inline int xfrm_aevent_is_on(struct net *net)
1662 {
1663 	struct sock *nlsk;
1664 	int ret = 0;
1665 
1666 	rcu_read_lock();
1667 	nlsk = rcu_dereference(net->xfrm.nlsk);
1668 	if (nlsk)
1669 		ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1670 	rcu_read_unlock();
1671 	return ret;
1672 }
1673 
1674 static inline int xfrm_acquire_is_on(struct net *net)
1675 {
1676 	struct sock *nlsk;
1677 	int ret = 0;
1678 
1679 	rcu_read_lock();
1680 	nlsk = rcu_dereference(net->xfrm.nlsk);
1681 	if (nlsk)
1682 		ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE);
1683 	rcu_read_unlock();
1684 
1685 	return ret;
1686 }
1687 #endif
1688 
1689 static inline int aead_len(struct xfrm_algo_aead *alg)
1690 {
1691 	return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1692 }
1693 
1694 static inline int xfrm_alg_len(const struct xfrm_algo *alg)
1695 {
1696 	return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1697 }
1698 
1699 static inline int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1700 {
1701 	return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1702 }
1703 
1704 static inline int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1705 {
1706 	return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1707 }
1708 
1709 #ifdef CONFIG_XFRM_MIGRATE
1710 static inline int xfrm_replay_clone(struct xfrm_state *x,
1711 				     struct xfrm_state *orig)
1712 {
1713 	x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn),
1714 				GFP_KERNEL);
1715 	if (!x->replay_esn)
1716 		return -ENOMEM;
1717 
1718 	x->replay_esn->bmp_len = orig->replay_esn->bmp_len;
1719 	x->replay_esn->replay_window = orig->replay_esn->replay_window;
1720 
1721 	x->preplay_esn = kmemdup(x->replay_esn,
1722 				 xfrm_replay_state_esn_len(x->replay_esn),
1723 				 GFP_KERNEL);
1724 	if (!x->preplay_esn) {
1725 		kfree(x->replay_esn);
1726 		return -ENOMEM;
1727 	}
1728 
1729 	return 0;
1730 }
1731 
1732 static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig)
1733 {
1734 	return kmemdup(orig, aead_len(orig), GFP_KERNEL);
1735 }
1736 
1737 
1738 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1739 {
1740 	return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1741 }
1742 
1743 static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1744 {
1745 	return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1746 }
1747 
1748 static inline void xfrm_states_put(struct xfrm_state **states, int n)
1749 {
1750 	int i;
1751 	for (i = 0; i < n; i++)
1752 		xfrm_state_put(*(states + i));
1753 }
1754 
1755 static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1756 {
1757 	int i;
1758 	for (i = 0; i < n; i++)
1759 		xfrm_state_delete(*(states + i));
1760 }
1761 #endif
1762 
1763 #ifdef CONFIG_XFRM
1764 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1765 {
1766 	return skb->sp->xvec[skb->sp->len - 1];
1767 }
1768 #endif
1769 
1770 static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
1771 {
1772 	if (attrs[XFRMA_MARK])
1773 		memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
1774 	else
1775 		m->v = m->m = 0;
1776 
1777 	return m->v & m->m;
1778 }
1779 
1780 static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
1781 {
1782 	int ret = 0;
1783 
1784 	if (m->m | m->v)
1785 		ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
1786 	return ret;
1787 }
1788 
1789 static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
1790 				    unsigned int family)
1791 {
1792 	bool tunnel = false;
1793 
1794 	switch(family) {
1795 	case AF_INET:
1796 		if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
1797 			tunnel = true;
1798 		break;
1799 	case AF_INET6:
1800 		if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
1801 			tunnel = true;
1802 		break;
1803 	}
1804 	if (tunnel && !(x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL))
1805 		return -EINVAL;
1806 
1807 	return 0;
1808 }
1809 #endif	/* _NET_XFRM_H */
1810