1 /* 2 * xfrm_policy.c 3 * 4 * Changes: 5 * Mitsuru KANDA @USAGI 6 * Kazunori MIYAZAWA @USAGI 7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 8 * IPv6 support 9 * Kazunori MIYAZAWA @USAGI 10 * YOSHIFUJI Hideaki 11 * Split up af-specific portion 12 * Derek Atkins <derek@ihtfp.com> Add the post_input processor 13 * 14 */ 15 16 #include <linux/err.h> 17 #include <linux/slab.h> 18 #include <linux/kmod.h> 19 #include <linux/list.h> 20 #include <linux/spinlock.h> 21 #include <linux/workqueue.h> 22 #include <linux/notifier.h> 23 #include <linux/netdevice.h> 24 #include <linux/netfilter.h> 25 #include <linux/module.h> 26 #include <linux/cache.h> 27 #include <linux/audit.h> 28 #include <net/dst.h> 29 #include <net/flow.h> 30 #include <net/xfrm.h> 31 #include <net/ip.h> 32 #ifdef CONFIG_XFRM_STATISTICS 33 #include <net/snmp.h> 34 #endif 35 36 #include "xfrm_hash.h" 37 38 #define XFRM_QUEUE_TMO_MIN ((unsigned)(HZ/10)) 39 #define XFRM_QUEUE_TMO_MAX ((unsigned)(60*HZ)) 40 #define XFRM_MAX_QUEUE_LEN 100 41 42 struct xfrm_flo { 43 struct dst_entry *dst_orig; 44 u8 flags; 45 }; 46 47 static DEFINE_SPINLOCK(xfrm_policy_afinfo_lock); 48 static struct xfrm_policy_afinfo __rcu *xfrm_policy_afinfo[NPROTO] 49 __read_mostly; 50 51 static struct kmem_cache *xfrm_dst_cache __read_mostly; 52 53 static void xfrm_init_pmtu(struct dst_entry *dst); 54 static int stale_bundle(struct dst_entry *dst); 55 static int xfrm_bundle_ok(struct xfrm_dst *xdst); 56 static void xfrm_policy_queue_process(unsigned long arg); 57 58 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir); 59 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol, 60 int dir); 61 62 static inline bool 63 __xfrm4_selector_match(const struct xfrm_selector *sel, const struct flowi *fl) 64 { 65 const struct flowi4 *fl4 = &fl->u.ip4; 66 67 return addr4_match(fl4->daddr, sel->daddr.a4, sel->prefixlen_d) && 68 addr4_match(fl4->saddr, sel->saddr.a4, sel->prefixlen_s) && 69 !((xfrm_flowi_dport(fl, &fl4->uli) ^ sel->dport) & sel->dport_mask) && 70 !((xfrm_flowi_sport(fl, &fl4->uli) ^ sel->sport) & sel->sport_mask) && 71 (fl4->flowi4_proto == sel->proto || !sel->proto) && 72 (fl4->flowi4_oif == sel->ifindex || !sel->ifindex); 73 } 74 75 static inline bool 76 __xfrm6_selector_match(const struct xfrm_selector *sel, const struct flowi *fl) 77 { 78 const struct flowi6 *fl6 = &fl->u.ip6; 79 80 return addr_match(&fl6->daddr, &sel->daddr, sel->prefixlen_d) && 81 addr_match(&fl6->saddr, &sel->saddr, sel->prefixlen_s) && 82 !((xfrm_flowi_dport(fl, &fl6->uli) ^ sel->dport) & sel->dport_mask) && 83 !((xfrm_flowi_sport(fl, &fl6->uli) ^ sel->sport) & sel->sport_mask) && 84 (fl6->flowi6_proto == sel->proto || !sel->proto) && 85 (fl6->flowi6_oif == sel->ifindex || !sel->ifindex); 86 } 87 88 bool xfrm_selector_match(const struct xfrm_selector *sel, const struct flowi *fl, 89 unsigned short family) 90 { 91 switch (family) { 92 case AF_INET: 93 return __xfrm4_selector_match(sel, fl); 94 case AF_INET6: 95 return __xfrm6_selector_match(sel, fl); 96 } 97 return false; 98 } 99 100 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family) 101 { 102 struct xfrm_policy_afinfo *afinfo; 103 104 if (unlikely(family >= NPROTO)) 105 return NULL; 106 rcu_read_lock(); 107 afinfo = rcu_dereference(xfrm_policy_afinfo[family]); 108 if (unlikely(!afinfo)) 109 rcu_read_unlock(); 110 return afinfo; 111 } 112 113 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo) 114 { 115 rcu_read_unlock(); 116 } 117 118 static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, 119 int tos, int oif, 120 const xfrm_address_t *saddr, 121 const xfrm_address_t *daddr, 122 int family) 123 { 124 struct xfrm_policy_afinfo *afinfo; 125 struct dst_entry *dst; 126 127 afinfo = xfrm_policy_get_afinfo(family); 128 if (unlikely(afinfo == NULL)) 129 return ERR_PTR(-EAFNOSUPPORT); 130 131 dst = afinfo->dst_lookup(net, tos, oif, saddr, daddr); 132 133 xfrm_policy_put_afinfo(afinfo); 134 135 return dst; 136 } 137 138 static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x, 139 int tos, int oif, 140 xfrm_address_t *prev_saddr, 141 xfrm_address_t *prev_daddr, 142 int family) 143 { 144 struct net *net = xs_net(x); 145 xfrm_address_t *saddr = &x->props.saddr; 146 xfrm_address_t *daddr = &x->id.daddr; 147 struct dst_entry *dst; 148 149 if (x->type->flags & XFRM_TYPE_LOCAL_COADDR) { 150 saddr = x->coaddr; 151 daddr = prev_daddr; 152 } 153 if (x->type->flags & XFRM_TYPE_REMOTE_COADDR) { 154 saddr = prev_saddr; 155 daddr = x->coaddr; 156 } 157 158 dst = __xfrm_dst_lookup(net, tos, oif, saddr, daddr, family); 159 160 if (!IS_ERR(dst)) { 161 if (prev_saddr != saddr) 162 memcpy(prev_saddr, saddr, sizeof(*prev_saddr)); 163 if (prev_daddr != daddr) 164 memcpy(prev_daddr, daddr, sizeof(*prev_daddr)); 165 } 166 167 return dst; 168 } 169 170 static inline unsigned long make_jiffies(long secs) 171 { 172 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ) 173 return MAX_SCHEDULE_TIMEOUT-1; 174 else 175 return secs*HZ; 176 } 177 178 static void xfrm_policy_timer(unsigned long data) 179 { 180 struct xfrm_policy *xp = (struct xfrm_policy *)data; 181 unsigned long now = get_seconds(); 182 long next = LONG_MAX; 183 int warn = 0; 184 int dir; 185 186 read_lock(&xp->lock); 187 188 if (unlikely(xp->walk.dead)) 189 goto out; 190 191 dir = xfrm_policy_id2dir(xp->index); 192 193 if (xp->lft.hard_add_expires_seconds) { 194 long tmo = xp->lft.hard_add_expires_seconds + 195 xp->curlft.add_time - now; 196 if (tmo <= 0) 197 goto expired; 198 if (tmo < next) 199 next = tmo; 200 } 201 if (xp->lft.hard_use_expires_seconds) { 202 long tmo = xp->lft.hard_use_expires_seconds + 203 (xp->curlft.use_time ? : xp->curlft.add_time) - now; 204 if (tmo <= 0) 205 goto expired; 206 if (tmo < next) 207 next = tmo; 208 } 209 if (xp->lft.soft_add_expires_seconds) { 210 long tmo = xp->lft.soft_add_expires_seconds + 211 xp->curlft.add_time - now; 212 if (tmo <= 0) { 213 warn = 1; 214 tmo = XFRM_KM_TIMEOUT; 215 } 216 if (tmo < next) 217 next = tmo; 218 } 219 if (xp->lft.soft_use_expires_seconds) { 220 long tmo = xp->lft.soft_use_expires_seconds + 221 (xp->curlft.use_time ? : xp->curlft.add_time) - now; 222 if (tmo <= 0) { 223 warn = 1; 224 tmo = XFRM_KM_TIMEOUT; 225 } 226 if (tmo < next) 227 next = tmo; 228 } 229 230 if (warn) 231 km_policy_expired(xp, dir, 0, 0); 232 if (next != LONG_MAX && 233 !mod_timer(&xp->timer, jiffies + make_jiffies(next))) 234 xfrm_pol_hold(xp); 235 236 out: 237 read_unlock(&xp->lock); 238 xfrm_pol_put(xp); 239 return; 240 241 expired: 242 read_unlock(&xp->lock); 243 if (!xfrm_policy_delete(xp, dir)) 244 km_policy_expired(xp, dir, 1, 0); 245 xfrm_pol_put(xp); 246 } 247 248 static struct flow_cache_object *xfrm_policy_flo_get(struct flow_cache_object *flo) 249 { 250 struct xfrm_policy *pol = container_of(flo, struct xfrm_policy, flo); 251 252 if (unlikely(pol->walk.dead)) 253 flo = NULL; 254 else 255 xfrm_pol_hold(pol); 256 257 return flo; 258 } 259 260 static int xfrm_policy_flo_check(struct flow_cache_object *flo) 261 { 262 struct xfrm_policy *pol = container_of(flo, struct xfrm_policy, flo); 263 264 return !pol->walk.dead; 265 } 266 267 static void xfrm_policy_flo_delete(struct flow_cache_object *flo) 268 { 269 xfrm_pol_put(container_of(flo, struct xfrm_policy, flo)); 270 } 271 272 static const struct flow_cache_ops xfrm_policy_fc_ops = { 273 .get = xfrm_policy_flo_get, 274 .check = xfrm_policy_flo_check, 275 .delete = xfrm_policy_flo_delete, 276 }; 277 278 /* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2 279 * SPD calls. 280 */ 281 282 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp) 283 { 284 struct xfrm_policy *policy; 285 286 policy = kzalloc(sizeof(struct xfrm_policy), gfp); 287 288 if (policy) { 289 write_pnet(&policy->xp_net, net); 290 INIT_LIST_HEAD(&policy->walk.all); 291 INIT_HLIST_NODE(&policy->bydst); 292 INIT_HLIST_NODE(&policy->byidx); 293 rwlock_init(&policy->lock); 294 atomic_set(&policy->refcnt, 1); 295 skb_queue_head_init(&policy->polq.hold_queue); 296 setup_timer(&policy->timer, xfrm_policy_timer, 297 (unsigned long)policy); 298 setup_timer(&policy->polq.hold_timer, xfrm_policy_queue_process, 299 (unsigned long)policy); 300 policy->flo.ops = &xfrm_policy_fc_ops; 301 } 302 return policy; 303 } 304 EXPORT_SYMBOL(xfrm_policy_alloc); 305 306 static void xfrm_policy_destroy_rcu(struct rcu_head *head) 307 { 308 struct xfrm_policy *policy = container_of(head, struct xfrm_policy, rcu); 309 310 security_xfrm_policy_free(policy->security); 311 kfree(policy); 312 } 313 314 /* Destroy xfrm_policy: descendant resources must be released to this moment. */ 315 316 void xfrm_policy_destroy(struct xfrm_policy *policy) 317 { 318 BUG_ON(!policy->walk.dead); 319 320 if (del_timer(&policy->timer) || del_timer(&policy->polq.hold_timer)) 321 BUG(); 322 323 call_rcu(&policy->rcu, xfrm_policy_destroy_rcu); 324 } 325 EXPORT_SYMBOL(xfrm_policy_destroy); 326 327 /* Rule must be locked. Release descentant resources, announce 328 * entry dead. The rule must be unlinked from lists to the moment. 329 */ 330 331 static void xfrm_policy_kill(struct xfrm_policy *policy) 332 { 333 policy->walk.dead = 1; 334 335 atomic_inc(&policy->genid); 336 337 if (del_timer(&policy->polq.hold_timer)) 338 xfrm_pol_put(policy); 339 skb_queue_purge(&policy->polq.hold_queue); 340 341 if (del_timer(&policy->timer)) 342 xfrm_pol_put(policy); 343 344 xfrm_pol_put(policy); 345 } 346 347 static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024; 348 349 static inline unsigned int idx_hash(struct net *net, u32 index) 350 { 351 return __idx_hash(index, net->xfrm.policy_idx_hmask); 352 } 353 354 /* calculate policy hash thresholds */ 355 static void __get_hash_thresh(struct net *net, 356 unsigned short family, int dir, 357 u8 *dbits, u8 *sbits) 358 { 359 switch (family) { 360 case AF_INET: 361 *dbits = net->xfrm.policy_bydst[dir].dbits4; 362 *sbits = net->xfrm.policy_bydst[dir].sbits4; 363 break; 364 365 case AF_INET6: 366 *dbits = net->xfrm.policy_bydst[dir].dbits6; 367 *sbits = net->xfrm.policy_bydst[dir].sbits6; 368 break; 369 370 default: 371 *dbits = 0; 372 *sbits = 0; 373 } 374 } 375 376 static struct hlist_head *policy_hash_bysel(struct net *net, 377 const struct xfrm_selector *sel, 378 unsigned short family, int dir) 379 { 380 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask; 381 unsigned int hash; 382 u8 dbits; 383 u8 sbits; 384 385 __get_hash_thresh(net, family, dir, &dbits, &sbits); 386 hash = __sel_hash(sel, family, hmask, dbits, sbits); 387 388 return (hash == hmask + 1 ? 389 &net->xfrm.policy_inexact[dir] : 390 net->xfrm.policy_bydst[dir].table + hash); 391 } 392 393 static struct hlist_head *policy_hash_direct(struct net *net, 394 const xfrm_address_t *daddr, 395 const xfrm_address_t *saddr, 396 unsigned short family, int dir) 397 { 398 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask; 399 unsigned int hash; 400 u8 dbits; 401 u8 sbits; 402 403 __get_hash_thresh(net, family, dir, &dbits, &sbits); 404 hash = __addr_hash(daddr, saddr, family, hmask, dbits, sbits); 405 406 return net->xfrm.policy_bydst[dir].table + hash; 407 } 408 409 static void xfrm_dst_hash_transfer(struct net *net, 410 struct hlist_head *list, 411 struct hlist_head *ndsttable, 412 unsigned int nhashmask, 413 int dir) 414 { 415 struct hlist_node *tmp, *entry0 = NULL; 416 struct xfrm_policy *pol; 417 unsigned int h0 = 0; 418 u8 dbits; 419 u8 sbits; 420 421 redo: 422 hlist_for_each_entry_safe(pol, tmp, list, bydst) { 423 unsigned int h; 424 425 __get_hash_thresh(net, pol->family, dir, &dbits, &sbits); 426 h = __addr_hash(&pol->selector.daddr, &pol->selector.saddr, 427 pol->family, nhashmask, dbits, sbits); 428 if (!entry0) { 429 hlist_del(&pol->bydst); 430 hlist_add_head(&pol->bydst, ndsttable+h); 431 h0 = h; 432 } else { 433 if (h != h0) 434 continue; 435 hlist_del(&pol->bydst); 436 hlist_add_behind(&pol->bydst, entry0); 437 } 438 entry0 = &pol->bydst; 439 } 440 if (!hlist_empty(list)) { 441 entry0 = NULL; 442 goto redo; 443 } 444 } 445 446 static void xfrm_idx_hash_transfer(struct hlist_head *list, 447 struct hlist_head *nidxtable, 448 unsigned int nhashmask) 449 { 450 struct hlist_node *tmp; 451 struct xfrm_policy *pol; 452 453 hlist_for_each_entry_safe(pol, tmp, list, byidx) { 454 unsigned int h; 455 456 h = __idx_hash(pol->index, nhashmask); 457 hlist_add_head(&pol->byidx, nidxtable+h); 458 } 459 } 460 461 static unsigned long xfrm_new_hash_mask(unsigned int old_hmask) 462 { 463 return ((old_hmask + 1) << 1) - 1; 464 } 465 466 static void xfrm_bydst_resize(struct net *net, int dir) 467 { 468 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask; 469 unsigned int nhashmask = xfrm_new_hash_mask(hmask); 470 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head); 471 struct hlist_head *odst = net->xfrm.policy_bydst[dir].table; 472 struct hlist_head *ndst = xfrm_hash_alloc(nsize); 473 int i; 474 475 if (!ndst) 476 return; 477 478 write_lock_bh(&net->xfrm.xfrm_policy_lock); 479 480 for (i = hmask; i >= 0; i--) 481 xfrm_dst_hash_transfer(net, odst + i, ndst, nhashmask, dir); 482 483 net->xfrm.policy_bydst[dir].table = ndst; 484 net->xfrm.policy_bydst[dir].hmask = nhashmask; 485 486 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 487 488 xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head)); 489 } 490 491 static void xfrm_byidx_resize(struct net *net, int total) 492 { 493 unsigned int hmask = net->xfrm.policy_idx_hmask; 494 unsigned int nhashmask = xfrm_new_hash_mask(hmask); 495 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head); 496 struct hlist_head *oidx = net->xfrm.policy_byidx; 497 struct hlist_head *nidx = xfrm_hash_alloc(nsize); 498 int i; 499 500 if (!nidx) 501 return; 502 503 write_lock_bh(&net->xfrm.xfrm_policy_lock); 504 505 for (i = hmask; i >= 0; i--) 506 xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask); 507 508 net->xfrm.policy_byidx = nidx; 509 net->xfrm.policy_idx_hmask = nhashmask; 510 511 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 512 513 xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head)); 514 } 515 516 static inline int xfrm_bydst_should_resize(struct net *net, int dir, int *total) 517 { 518 unsigned int cnt = net->xfrm.policy_count[dir]; 519 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask; 520 521 if (total) 522 *total += cnt; 523 524 if ((hmask + 1) < xfrm_policy_hashmax && 525 cnt > hmask) 526 return 1; 527 528 return 0; 529 } 530 531 static inline int xfrm_byidx_should_resize(struct net *net, int total) 532 { 533 unsigned int hmask = net->xfrm.policy_idx_hmask; 534 535 if ((hmask + 1) < xfrm_policy_hashmax && 536 total > hmask) 537 return 1; 538 539 return 0; 540 } 541 542 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si) 543 { 544 read_lock_bh(&net->xfrm.xfrm_policy_lock); 545 si->incnt = net->xfrm.policy_count[XFRM_POLICY_IN]; 546 si->outcnt = net->xfrm.policy_count[XFRM_POLICY_OUT]; 547 si->fwdcnt = net->xfrm.policy_count[XFRM_POLICY_FWD]; 548 si->inscnt = net->xfrm.policy_count[XFRM_POLICY_IN+XFRM_POLICY_MAX]; 549 si->outscnt = net->xfrm.policy_count[XFRM_POLICY_OUT+XFRM_POLICY_MAX]; 550 si->fwdscnt = net->xfrm.policy_count[XFRM_POLICY_FWD+XFRM_POLICY_MAX]; 551 si->spdhcnt = net->xfrm.policy_idx_hmask; 552 si->spdhmcnt = xfrm_policy_hashmax; 553 read_unlock_bh(&net->xfrm.xfrm_policy_lock); 554 } 555 EXPORT_SYMBOL(xfrm_spd_getinfo); 556 557 static DEFINE_MUTEX(hash_resize_mutex); 558 static void xfrm_hash_resize(struct work_struct *work) 559 { 560 struct net *net = container_of(work, struct net, xfrm.policy_hash_work); 561 int dir, total; 562 563 mutex_lock(&hash_resize_mutex); 564 565 total = 0; 566 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { 567 if (xfrm_bydst_should_resize(net, dir, &total)) 568 xfrm_bydst_resize(net, dir); 569 } 570 if (xfrm_byidx_should_resize(net, total)) 571 xfrm_byidx_resize(net, total); 572 573 mutex_unlock(&hash_resize_mutex); 574 } 575 576 static void xfrm_hash_rebuild(struct work_struct *work) 577 { 578 struct net *net = container_of(work, struct net, 579 xfrm.policy_hthresh.work); 580 unsigned int hmask; 581 struct xfrm_policy *pol; 582 struct xfrm_policy *policy; 583 struct hlist_head *chain; 584 struct hlist_head *odst; 585 struct hlist_node *newpos; 586 int i; 587 int dir; 588 unsigned seq; 589 u8 lbits4, rbits4, lbits6, rbits6; 590 591 mutex_lock(&hash_resize_mutex); 592 593 /* read selector prefixlen thresholds */ 594 do { 595 seq = read_seqbegin(&net->xfrm.policy_hthresh.lock); 596 597 lbits4 = net->xfrm.policy_hthresh.lbits4; 598 rbits4 = net->xfrm.policy_hthresh.rbits4; 599 lbits6 = net->xfrm.policy_hthresh.lbits6; 600 rbits6 = net->xfrm.policy_hthresh.rbits6; 601 } while (read_seqretry(&net->xfrm.policy_hthresh.lock, seq)); 602 603 write_lock_bh(&net->xfrm.xfrm_policy_lock); 604 605 /* reset the bydst and inexact table in all directions */ 606 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { 607 INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]); 608 hmask = net->xfrm.policy_bydst[dir].hmask; 609 odst = net->xfrm.policy_bydst[dir].table; 610 for (i = hmask; i >= 0; i--) 611 INIT_HLIST_HEAD(odst + i); 612 if ((dir & XFRM_POLICY_MASK) == XFRM_POLICY_OUT) { 613 /* dir out => dst = remote, src = local */ 614 net->xfrm.policy_bydst[dir].dbits4 = rbits4; 615 net->xfrm.policy_bydst[dir].sbits4 = lbits4; 616 net->xfrm.policy_bydst[dir].dbits6 = rbits6; 617 net->xfrm.policy_bydst[dir].sbits6 = lbits6; 618 } else { 619 /* dir in/fwd => dst = local, src = remote */ 620 net->xfrm.policy_bydst[dir].dbits4 = lbits4; 621 net->xfrm.policy_bydst[dir].sbits4 = rbits4; 622 net->xfrm.policy_bydst[dir].dbits6 = lbits6; 623 net->xfrm.policy_bydst[dir].sbits6 = rbits6; 624 } 625 } 626 627 /* re-insert all policies by order of creation */ 628 list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) { 629 if (xfrm_policy_id2dir(policy->index) >= XFRM_POLICY_MAX) { 630 /* skip socket policies */ 631 continue; 632 } 633 newpos = NULL; 634 chain = policy_hash_bysel(net, &policy->selector, 635 policy->family, 636 xfrm_policy_id2dir(policy->index)); 637 hlist_for_each_entry(pol, chain, bydst) { 638 if (policy->priority >= pol->priority) 639 newpos = &pol->bydst; 640 else 641 break; 642 } 643 if (newpos) 644 hlist_add_behind(&policy->bydst, newpos); 645 else 646 hlist_add_head(&policy->bydst, chain); 647 } 648 649 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 650 651 mutex_unlock(&hash_resize_mutex); 652 } 653 654 void xfrm_policy_hash_rebuild(struct net *net) 655 { 656 schedule_work(&net->xfrm.policy_hthresh.work); 657 } 658 EXPORT_SYMBOL(xfrm_policy_hash_rebuild); 659 660 /* Generate new index... KAME seems to generate them ordered by cost 661 * of an absolute inpredictability of ordering of rules. This will not pass. */ 662 static u32 xfrm_gen_index(struct net *net, int dir, u32 index) 663 { 664 static u32 idx_generator; 665 666 for (;;) { 667 struct hlist_head *list; 668 struct xfrm_policy *p; 669 u32 idx; 670 int found; 671 672 if (!index) { 673 idx = (idx_generator | dir); 674 idx_generator += 8; 675 } else { 676 idx = index; 677 index = 0; 678 } 679 680 if (idx == 0) 681 idx = 8; 682 list = net->xfrm.policy_byidx + idx_hash(net, idx); 683 found = 0; 684 hlist_for_each_entry(p, list, byidx) { 685 if (p->index == idx) { 686 found = 1; 687 break; 688 } 689 } 690 if (!found) 691 return idx; 692 } 693 } 694 695 static inline int selector_cmp(struct xfrm_selector *s1, struct xfrm_selector *s2) 696 { 697 u32 *p1 = (u32 *) s1; 698 u32 *p2 = (u32 *) s2; 699 int len = sizeof(struct xfrm_selector) / sizeof(u32); 700 int i; 701 702 for (i = 0; i < len; i++) { 703 if (p1[i] != p2[i]) 704 return 1; 705 } 706 707 return 0; 708 } 709 710 static void xfrm_policy_requeue(struct xfrm_policy *old, 711 struct xfrm_policy *new) 712 { 713 struct xfrm_policy_queue *pq = &old->polq; 714 struct sk_buff_head list; 715 716 if (skb_queue_empty(&pq->hold_queue)) 717 return; 718 719 __skb_queue_head_init(&list); 720 721 spin_lock_bh(&pq->hold_queue.lock); 722 skb_queue_splice_init(&pq->hold_queue, &list); 723 if (del_timer(&pq->hold_timer)) 724 xfrm_pol_put(old); 725 spin_unlock_bh(&pq->hold_queue.lock); 726 727 pq = &new->polq; 728 729 spin_lock_bh(&pq->hold_queue.lock); 730 skb_queue_splice(&list, &pq->hold_queue); 731 pq->timeout = XFRM_QUEUE_TMO_MIN; 732 if (!mod_timer(&pq->hold_timer, jiffies)) 733 xfrm_pol_hold(new); 734 spin_unlock_bh(&pq->hold_queue.lock); 735 } 736 737 static bool xfrm_policy_mark_match(struct xfrm_policy *policy, 738 struct xfrm_policy *pol) 739 { 740 u32 mark = policy->mark.v & policy->mark.m; 741 742 if (policy->mark.v == pol->mark.v && policy->mark.m == pol->mark.m) 743 return true; 744 745 if ((mark & pol->mark.m) == pol->mark.v && 746 policy->priority == pol->priority) 747 return true; 748 749 return false; 750 } 751 752 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) 753 { 754 struct net *net = xp_net(policy); 755 struct xfrm_policy *pol; 756 struct xfrm_policy *delpol; 757 struct hlist_head *chain; 758 struct hlist_node *newpos; 759 760 write_lock_bh(&net->xfrm.xfrm_policy_lock); 761 chain = policy_hash_bysel(net, &policy->selector, policy->family, dir); 762 delpol = NULL; 763 newpos = NULL; 764 hlist_for_each_entry(pol, chain, bydst) { 765 if (pol->type == policy->type && 766 !selector_cmp(&pol->selector, &policy->selector) && 767 xfrm_policy_mark_match(policy, pol) && 768 xfrm_sec_ctx_match(pol->security, policy->security) && 769 !WARN_ON(delpol)) { 770 if (excl) { 771 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 772 return -EEXIST; 773 } 774 delpol = pol; 775 if (policy->priority > pol->priority) 776 continue; 777 } else if (policy->priority >= pol->priority) { 778 newpos = &pol->bydst; 779 continue; 780 } 781 if (delpol) 782 break; 783 } 784 if (newpos) 785 hlist_add_behind(&policy->bydst, newpos); 786 else 787 hlist_add_head(&policy->bydst, chain); 788 __xfrm_policy_link(policy, dir); 789 atomic_inc(&net->xfrm.flow_cache_genid); 790 791 /* After previous checking, family can either be AF_INET or AF_INET6 */ 792 if (policy->family == AF_INET) 793 rt_genid_bump_ipv4(net); 794 else 795 rt_genid_bump_ipv6(net); 796 797 if (delpol) { 798 xfrm_policy_requeue(delpol, policy); 799 __xfrm_policy_unlink(delpol, dir); 800 } 801 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir, policy->index); 802 hlist_add_head(&policy->byidx, net->xfrm.policy_byidx+idx_hash(net, policy->index)); 803 policy->curlft.add_time = get_seconds(); 804 policy->curlft.use_time = 0; 805 if (!mod_timer(&policy->timer, jiffies + HZ)) 806 xfrm_pol_hold(policy); 807 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 808 809 if (delpol) 810 xfrm_policy_kill(delpol); 811 else if (xfrm_bydst_should_resize(net, dir, NULL)) 812 schedule_work(&net->xfrm.policy_hash_work); 813 814 return 0; 815 } 816 EXPORT_SYMBOL(xfrm_policy_insert); 817 818 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u8 type, 819 int dir, struct xfrm_selector *sel, 820 struct xfrm_sec_ctx *ctx, int delete, 821 int *err) 822 { 823 struct xfrm_policy *pol, *ret; 824 struct hlist_head *chain; 825 826 *err = 0; 827 write_lock_bh(&net->xfrm.xfrm_policy_lock); 828 chain = policy_hash_bysel(net, sel, sel->family, dir); 829 ret = NULL; 830 hlist_for_each_entry(pol, chain, bydst) { 831 if (pol->type == type && 832 (mark & pol->mark.m) == pol->mark.v && 833 !selector_cmp(sel, &pol->selector) && 834 xfrm_sec_ctx_match(ctx, pol->security)) { 835 xfrm_pol_hold(pol); 836 if (delete) { 837 *err = security_xfrm_policy_delete( 838 pol->security); 839 if (*err) { 840 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 841 return pol; 842 } 843 __xfrm_policy_unlink(pol, dir); 844 } 845 ret = pol; 846 break; 847 } 848 } 849 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 850 851 if (ret && delete) 852 xfrm_policy_kill(ret); 853 return ret; 854 } 855 EXPORT_SYMBOL(xfrm_policy_bysel_ctx); 856 857 struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8 type, 858 int dir, u32 id, int delete, int *err) 859 { 860 struct xfrm_policy *pol, *ret; 861 struct hlist_head *chain; 862 863 *err = -ENOENT; 864 if (xfrm_policy_id2dir(id) != dir) 865 return NULL; 866 867 *err = 0; 868 write_lock_bh(&net->xfrm.xfrm_policy_lock); 869 chain = net->xfrm.policy_byidx + idx_hash(net, id); 870 ret = NULL; 871 hlist_for_each_entry(pol, chain, byidx) { 872 if (pol->type == type && pol->index == id && 873 (mark & pol->mark.m) == pol->mark.v) { 874 xfrm_pol_hold(pol); 875 if (delete) { 876 *err = security_xfrm_policy_delete( 877 pol->security); 878 if (*err) { 879 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 880 return pol; 881 } 882 __xfrm_policy_unlink(pol, dir); 883 } 884 ret = pol; 885 break; 886 } 887 } 888 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 889 890 if (ret && delete) 891 xfrm_policy_kill(ret); 892 return ret; 893 } 894 EXPORT_SYMBOL(xfrm_policy_byid); 895 896 #ifdef CONFIG_SECURITY_NETWORK_XFRM 897 static inline int 898 xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid) 899 { 900 int dir, err = 0; 901 902 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { 903 struct xfrm_policy *pol; 904 int i; 905 906 hlist_for_each_entry(pol, 907 &net->xfrm.policy_inexact[dir], bydst) { 908 if (pol->type != type) 909 continue; 910 err = security_xfrm_policy_delete(pol->security); 911 if (err) { 912 xfrm_audit_policy_delete(pol, 0, task_valid); 913 return err; 914 } 915 } 916 for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) { 917 hlist_for_each_entry(pol, 918 net->xfrm.policy_bydst[dir].table + i, 919 bydst) { 920 if (pol->type != type) 921 continue; 922 err = security_xfrm_policy_delete( 923 pol->security); 924 if (err) { 925 xfrm_audit_policy_delete(pol, 0, 926 task_valid); 927 return err; 928 } 929 } 930 } 931 } 932 return err; 933 } 934 #else 935 static inline int 936 xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid) 937 { 938 return 0; 939 } 940 #endif 941 942 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid) 943 { 944 int dir, err = 0, cnt = 0; 945 946 write_lock_bh(&net->xfrm.xfrm_policy_lock); 947 948 err = xfrm_policy_flush_secctx_check(net, type, task_valid); 949 if (err) 950 goto out; 951 952 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { 953 struct xfrm_policy *pol; 954 int i; 955 956 again1: 957 hlist_for_each_entry(pol, 958 &net->xfrm.policy_inexact[dir], bydst) { 959 if (pol->type != type) 960 continue; 961 __xfrm_policy_unlink(pol, dir); 962 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 963 cnt++; 964 965 xfrm_audit_policy_delete(pol, 1, task_valid); 966 967 xfrm_policy_kill(pol); 968 969 write_lock_bh(&net->xfrm.xfrm_policy_lock); 970 goto again1; 971 } 972 973 for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) { 974 again2: 975 hlist_for_each_entry(pol, 976 net->xfrm.policy_bydst[dir].table + i, 977 bydst) { 978 if (pol->type != type) 979 continue; 980 __xfrm_policy_unlink(pol, dir); 981 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 982 cnt++; 983 984 xfrm_audit_policy_delete(pol, 1, task_valid); 985 xfrm_policy_kill(pol); 986 987 write_lock_bh(&net->xfrm.xfrm_policy_lock); 988 goto again2; 989 } 990 } 991 992 } 993 if (!cnt) 994 err = -ESRCH; 995 out: 996 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 997 return err; 998 } 999 EXPORT_SYMBOL(xfrm_policy_flush); 1000 1001 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk, 1002 int (*func)(struct xfrm_policy *, int, int, void*), 1003 void *data) 1004 { 1005 struct xfrm_policy *pol; 1006 struct xfrm_policy_walk_entry *x; 1007 int error = 0; 1008 1009 if (walk->type >= XFRM_POLICY_TYPE_MAX && 1010 walk->type != XFRM_POLICY_TYPE_ANY) 1011 return -EINVAL; 1012 1013 if (list_empty(&walk->walk.all) && walk->seq != 0) 1014 return 0; 1015 1016 write_lock_bh(&net->xfrm.xfrm_policy_lock); 1017 if (list_empty(&walk->walk.all)) 1018 x = list_first_entry(&net->xfrm.policy_all, struct xfrm_policy_walk_entry, all); 1019 else 1020 x = list_first_entry(&walk->walk.all, 1021 struct xfrm_policy_walk_entry, all); 1022 1023 list_for_each_entry_from(x, &net->xfrm.policy_all, all) { 1024 if (x->dead) 1025 continue; 1026 pol = container_of(x, struct xfrm_policy, walk); 1027 if (walk->type != XFRM_POLICY_TYPE_ANY && 1028 walk->type != pol->type) 1029 continue; 1030 error = func(pol, xfrm_policy_id2dir(pol->index), 1031 walk->seq, data); 1032 if (error) { 1033 list_move_tail(&walk->walk.all, &x->all); 1034 goto out; 1035 } 1036 walk->seq++; 1037 } 1038 if (walk->seq == 0) { 1039 error = -ENOENT; 1040 goto out; 1041 } 1042 list_del_init(&walk->walk.all); 1043 out: 1044 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 1045 return error; 1046 } 1047 EXPORT_SYMBOL(xfrm_policy_walk); 1048 1049 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type) 1050 { 1051 INIT_LIST_HEAD(&walk->walk.all); 1052 walk->walk.dead = 1; 1053 walk->type = type; 1054 walk->seq = 0; 1055 } 1056 EXPORT_SYMBOL(xfrm_policy_walk_init); 1057 1058 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net) 1059 { 1060 if (list_empty(&walk->walk.all)) 1061 return; 1062 1063 write_lock_bh(&net->xfrm.xfrm_policy_lock); /*FIXME where is net? */ 1064 list_del(&walk->walk.all); 1065 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 1066 } 1067 EXPORT_SYMBOL(xfrm_policy_walk_done); 1068 1069 /* 1070 * Find policy to apply to this flow. 1071 * 1072 * Returns 0 if policy found, else an -errno. 1073 */ 1074 static int xfrm_policy_match(const struct xfrm_policy *pol, 1075 const struct flowi *fl, 1076 u8 type, u16 family, int dir) 1077 { 1078 const struct xfrm_selector *sel = &pol->selector; 1079 int ret = -ESRCH; 1080 bool match; 1081 1082 if (pol->family != family || 1083 (fl->flowi_mark & pol->mark.m) != pol->mark.v || 1084 pol->type != type) 1085 return ret; 1086 1087 match = xfrm_selector_match(sel, fl, family); 1088 if (match) 1089 ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid, 1090 dir); 1091 1092 return ret; 1093 } 1094 1095 static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type, 1096 const struct flowi *fl, 1097 u16 family, u8 dir) 1098 { 1099 int err; 1100 struct xfrm_policy *pol, *ret; 1101 const xfrm_address_t *daddr, *saddr; 1102 struct hlist_head *chain; 1103 u32 priority = ~0U; 1104 1105 daddr = xfrm_flowi_daddr(fl, family); 1106 saddr = xfrm_flowi_saddr(fl, family); 1107 if (unlikely(!daddr || !saddr)) 1108 return NULL; 1109 1110 read_lock_bh(&net->xfrm.xfrm_policy_lock); 1111 chain = policy_hash_direct(net, daddr, saddr, family, dir); 1112 ret = NULL; 1113 hlist_for_each_entry(pol, chain, bydst) { 1114 err = xfrm_policy_match(pol, fl, type, family, dir); 1115 if (err) { 1116 if (err == -ESRCH) 1117 continue; 1118 else { 1119 ret = ERR_PTR(err); 1120 goto fail; 1121 } 1122 } else { 1123 ret = pol; 1124 priority = ret->priority; 1125 break; 1126 } 1127 } 1128 chain = &net->xfrm.policy_inexact[dir]; 1129 hlist_for_each_entry(pol, chain, bydst) { 1130 if ((pol->priority >= priority) && ret) 1131 break; 1132 1133 err = xfrm_policy_match(pol, fl, type, family, dir); 1134 if (err) { 1135 if (err == -ESRCH) 1136 continue; 1137 else { 1138 ret = ERR_PTR(err); 1139 goto fail; 1140 } 1141 } else { 1142 ret = pol; 1143 break; 1144 } 1145 } 1146 1147 xfrm_pol_hold(ret); 1148 fail: 1149 read_unlock_bh(&net->xfrm.xfrm_policy_lock); 1150 1151 return ret; 1152 } 1153 1154 static struct xfrm_policy * 1155 __xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir) 1156 { 1157 #ifdef CONFIG_XFRM_SUB_POLICY 1158 struct xfrm_policy *pol; 1159 1160 pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_SUB, fl, family, dir); 1161 if (pol != NULL) 1162 return pol; 1163 #endif 1164 return xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, fl, family, dir); 1165 } 1166 1167 static int flow_to_policy_dir(int dir) 1168 { 1169 if (XFRM_POLICY_IN == FLOW_DIR_IN && 1170 XFRM_POLICY_OUT == FLOW_DIR_OUT && 1171 XFRM_POLICY_FWD == FLOW_DIR_FWD) 1172 return dir; 1173 1174 switch (dir) { 1175 default: 1176 case FLOW_DIR_IN: 1177 return XFRM_POLICY_IN; 1178 case FLOW_DIR_OUT: 1179 return XFRM_POLICY_OUT; 1180 case FLOW_DIR_FWD: 1181 return XFRM_POLICY_FWD; 1182 } 1183 } 1184 1185 static struct flow_cache_object * 1186 xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family, 1187 u8 dir, struct flow_cache_object *old_obj, void *ctx) 1188 { 1189 struct xfrm_policy *pol; 1190 1191 if (old_obj) 1192 xfrm_pol_put(container_of(old_obj, struct xfrm_policy, flo)); 1193 1194 pol = __xfrm_policy_lookup(net, fl, family, flow_to_policy_dir(dir)); 1195 if (IS_ERR_OR_NULL(pol)) 1196 return ERR_CAST(pol); 1197 1198 /* Resolver returns two references: 1199 * one for cache and one for caller of flow_cache_lookup() */ 1200 xfrm_pol_hold(pol); 1201 1202 return &pol->flo; 1203 } 1204 1205 static inline int policy_to_flow_dir(int dir) 1206 { 1207 if (XFRM_POLICY_IN == FLOW_DIR_IN && 1208 XFRM_POLICY_OUT == FLOW_DIR_OUT && 1209 XFRM_POLICY_FWD == FLOW_DIR_FWD) 1210 return dir; 1211 switch (dir) { 1212 default: 1213 case XFRM_POLICY_IN: 1214 return FLOW_DIR_IN; 1215 case XFRM_POLICY_OUT: 1216 return FLOW_DIR_OUT; 1217 case XFRM_POLICY_FWD: 1218 return FLOW_DIR_FWD; 1219 } 1220 } 1221 1222 static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir, 1223 const struct flowi *fl) 1224 { 1225 struct xfrm_policy *pol; 1226 struct net *net = sock_net(sk); 1227 1228 rcu_read_lock(); 1229 read_lock_bh(&net->xfrm.xfrm_policy_lock); 1230 pol = rcu_dereference(sk->sk_policy[dir]); 1231 if (pol != NULL) { 1232 bool match = xfrm_selector_match(&pol->selector, fl, 1233 sk->sk_family); 1234 int err = 0; 1235 1236 if (match) { 1237 if ((sk->sk_mark & pol->mark.m) != pol->mark.v) { 1238 pol = NULL; 1239 goto out; 1240 } 1241 err = security_xfrm_policy_lookup(pol->security, 1242 fl->flowi_secid, 1243 policy_to_flow_dir(dir)); 1244 if (!err) 1245 xfrm_pol_hold(pol); 1246 else if (err == -ESRCH) 1247 pol = NULL; 1248 else 1249 pol = ERR_PTR(err); 1250 } else 1251 pol = NULL; 1252 } 1253 out: 1254 read_unlock_bh(&net->xfrm.xfrm_policy_lock); 1255 rcu_read_unlock(); 1256 return pol; 1257 } 1258 1259 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir) 1260 { 1261 struct net *net = xp_net(pol); 1262 1263 list_add(&pol->walk.all, &net->xfrm.policy_all); 1264 net->xfrm.policy_count[dir]++; 1265 xfrm_pol_hold(pol); 1266 } 1267 1268 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol, 1269 int dir) 1270 { 1271 struct net *net = xp_net(pol); 1272 1273 if (list_empty(&pol->walk.all)) 1274 return NULL; 1275 1276 /* Socket policies are not hashed. */ 1277 if (!hlist_unhashed(&pol->bydst)) { 1278 hlist_del(&pol->bydst); 1279 hlist_del(&pol->byidx); 1280 } 1281 1282 list_del_init(&pol->walk.all); 1283 net->xfrm.policy_count[dir]--; 1284 1285 return pol; 1286 } 1287 1288 static void xfrm_sk_policy_link(struct xfrm_policy *pol, int dir) 1289 { 1290 __xfrm_policy_link(pol, XFRM_POLICY_MAX + dir); 1291 } 1292 1293 static void xfrm_sk_policy_unlink(struct xfrm_policy *pol, int dir) 1294 { 1295 __xfrm_policy_unlink(pol, XFRM_POLICY_MAX + dir); 1296 } 1297 1298 int xfrm_policy_delete(struct xfrm_policy *pol, int dir) 1299 { 1300 struct net *net = xp_net(pol); 1301 1302 write_lock_bh(&net->xfrm.xfrm_policy_lock); 1303 pol = __xfrm_policy_unlink(pol, dir); 1304 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 1305 if (pol) { 1306 xfrm_policy_kill(pol); 1307 return 0; 1308 } 1309 return -ENOENT; 1310 } 1311 EXPORT_SYMBOL(xfrm_policy_delete); 1312 1313 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol) 1314 { 1315 struct net *net = xp_net(pol); 1316 struct xfrm_policy *old_pol; 1317 1318 #ifdef CONFIG_XFRM_SUB_POLICY 1319 if (pol && pol->type != XFRM_POLICY_TYPE_MAIN) 1320 return -EINVAL; 1321 #endif 1322 1323 write_lock_bh(&net->xfrm.xfrm_policy_lock); 1324 old_pol = rcu_dereference_protected(sk->sk_policy[dir], 1325 lockdep_is_held(&net->xfrm.xfrm_policy_lock)); 1326 if (pol) { 1327 pol->curlft.add_time = get_seconds(); 1328 pol->index = xfrm_gen_index(net, XFRM_POLICY_MAX+dir, 0); 1329 xfrm_sk_policy_link(pol, dir); 1330 } 1331 rcu_assign_pointer(sk->sk_policy[dir], pol); 1332 if (old_pol) { 1333 if (pol) 1334 xfrm_policy_requeue(old_pol, pol); 1335 1336 /* Unlinking succeeds always. This is the only function 1337 * allowed to delete or replace socket policy. 1338 */ 1339 xfrm_sk_policy_unlink(old_pol, dir); 1340 } 1341 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 1342 1343 if (old_pol) { 1344 xfrm_policy_kill(old_pol); 1345 } 1346 return 0; 1347 } 1348 1349 static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir) 1350 { 1351 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC); 1352 struct net *net = xp_net(old); 1353 1354 if (newp) { 1355 newp->selector = old->selector; 1356 if (security_xfrm_policy_clone(old->security, 1357 &newp->security)) { 1358 kfree(newp); 1359 return NULL; /* ENOMEM */ 1360 } 1361 newp->lft = old->lft; 1362 newp->curlft = old->curlft; 1363 newp->mark = old->mark; 1364 newp->action = old->action; 1365 newp->flags = old->flags; 1366 newp->xfrm_nr = old->xfrm_nr; 1367 newp->index = old->index; 1368 newp->type = old->type; 1369 memcpy(newp->xfrm_vec, old->xfrm_vec, 1370 newp->xfrm_nr*sizeof(struct xfrm_tmpl)); 1371 write_lock_bh(&net->xfrm.xfrm_policy_lock); 1372 xfrm_sk_policy_link(newp, dir); 1373 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 1374 xfrm_pol_put(newp); 1375 } 1376 return newp; 1377 } 1378 1379 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) 1380 { 1381 const struct xfrm_policy *p; 1382 struct xfrm_policy *np; 1383 int i, ret = 0; 1384 1385 rcu_read_lock(); 1386 for (i = 0; i < 2; i++) { 1387 p = rcu_dereference(osk->sk_policy[i]); 1388 if (p) { 1389 np = clone_policy(p, i); 1390 if (unlikely(!np)) { 1391 ret = -ENOMEM; 1392 break; 1393 } 1394 rcu_assign_pointer(sk->sk_policy[i], np); 1395 } 1396 } 1397 rcu_read_unlock(); 1398 return ret; 1399 } 1400 1401 static int 1402 xfrm_get_saddr(struct net *net, int oif, xfrm_address_t *local, 1403 xfrm_address_t *remote, unsigned short family) 1404 { 1405 int err; 1406 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1407 1408 if (unlikely(afinfo == NULL)) 1409 return -EINVAL; 1410 err = afinfo->get_saddr(net, oif, local, remote); 1411 xfrm_policy_put_afinfo(afinfo); 1412 return err; 1413 } 1414 1415 /* Resolve list of templates for the flow, given policy. */ 1416 1417 static int 1418 xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl, 1419 struct xfrm_state **xfrm, unsigned short family) 1420 { 1421 struct net *net = xp_net(policy); 1422 int nx; 1423 int i, error; 1424 xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family); 1425 xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family); 1426 xfrm_address_t tmp; 1427 1428 for (nx = 0, i = 0; i < policy->xfrm_nr; i++) { 1429 struct xfrm_state *x; 1430 xfrm_address_t *remote = daddr; 1431 xfrm_address_t *local = saddr; 1432 struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i]; 1433 1434 if (tmpl->mode == XFRM_MODE_TUNNEL || 1435 tmpl->mode == XFRM_MODE_BEET) { 1436 remote = &tmpl->id.daddr; 1437 local = &tmpl->saddr; 1438 if (xfrm_addr_any(local, tmpl->encap_family)) { 1439 error = xfrm_get_saddr(net, fl->flowi_oif, 1440 &tmp, remote, 1441 tmpl->encap_family); 1442 if (error) 1443 goto fail; 1444 local = &tmp; 1445 } 1446 } 1447 1448 x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family); 1449 1450 if (x && x->km.state == XFRM_STATE_VALID) { 1451 xfrm[nx++] = x; 1452 daddr = remote; 1453 saddr = local; 1454 continue; 1455 } 1456 if (x) { 1457 error = (x->km.state == XFRM_STATE_ERROR ? 1458 -EINVAL : -EAGAIN); 1459 xfrm_state_put(x); 1460 } else if (error == -ESRCH) { 1461 error = -EAGAIN; 1462 } 1463 1464 if (!tmpl->optional) 1465 goto fail; 1466 } 1467 return nx; 1468 1469 fail: 1470 for (nx--; nx >= 0; nx--) 1471 xfrm_state_put(xfrm[nx]); 1472 return error; 1473 } 1474 1475 static int 1476 xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl, 1477 struct xfrm_state **xfrm, unsigned short family) 1478 { 1479 struct xfrm_state *tp[XFRM_MAX_DEPTH]; 1480 struct xfrm_state **tpp = (npols > 1) ? tp : xfrm; 1481 int cnx = 0; 1482 int error; 1483 int ret; 1484 int i; 1485 1486 for (i = 0; i < npols; i++) { 1487 if (cnx + pols[i]->xfrm_nr >= XFRM_MAX_DEPTH) { 1488 error = -ENOBUFS; 1489 goto fail; 1490 } 1491 1492 ret = xfrm_tmpl_resolve_one(pols[i], fl, &tpp[cnx], family); 1493 if (ret < 0) { 1494 error = ret; 1495 goto fail; 1496 } else 1497 cnx += ret; 1498 } 1499 1500 /* found states are sorted for outbound processing */ 1501 if (npols > 1) 1502 xfrm_state_sort(xfrm, tpp, cnx, family); 1503 1504 return cnx; 1505 1506 fail: 1507 for (cnx--; cnx >= 0; cnx--) 1508 xfrm_state_put(tpp[cnx]); 1509 return error; 1510 1511 } 1512 1513 /* Check that the bundle accepts the flow and its components are 1514 * still valid. 1515 */ 1516 1517 static inline int xfrm_get_tos(const struct flowi *fl, int family) 1518 { 1519 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1520 int tos; 1521 1522 if (!afinfo) 1523 return -EINVAL; 1524 1525 tos = afinfo->get_tos(fl); 1526 1527 xfrm_policy_put_afinfo(afinfo); 1528 1529 return tos; 1530 } 1531 1532 static struct flow_cache_object *xfrm_bundle_flo_get(struct flow_cache_object *flo) 1533 { 1534 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo); 1535 struct dst_entry *dst = &xdst->u.dst; 1536 1537 if (xdst->route == NULL) { 1538 /* Dummy bundle - if it has xfrms we were not 1539 * able to build bundle as template resolution failed. 1540 * It means we need to try again resolving. */ 1541 if (xdst->num_xfrms > 0) 1542 return NULL; 1543 } else if (dst->flags & DST_XFRM_QUEUE) { 1544 return NULL; 1545 } else { 1546 /* Real bundle */ 1547 if (stale_bundle(dst)) 1548 return NULL; 1549 } 1550 1551 dst_hold(dst); 1552 return flo; 1553 } 1554 1555 static int xfrm_bundle_flo_check(struct flow_cache_object *flo) 1556 { 1557 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo); 1558 struct dst_entry *dst = &xdst->u.dst; 1559 1560 if (!xdst->route) 1561 return 0; 1562 if (stale_bundle(dst)) 1563 return 0; 1564 1565 return 1; 1566 } 1567 1568 static void xfrm_bundle_flo_delete(struct flow_cache_object *flo) 1569 { 1570 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo); 1571 struct dst_entry *dst = &xdst->u.dst; 1572 1573 dst_free(dst); 1574 } 1575 1576 static const struct flow_cache_ops xfrm_bundle_fc_ops = { 1577 .get = xfrm_bundle_flo_get, 1578 .check = xfrm_bundle_flo_check, 1579 .delete = xfrm_bundle_flo_delete, 1580 }; 1581 1582 static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family) 1583 { 1584 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1585 struct dst_ops *dst_ops; 1586 struct xfrm_dst *xdst; 1587 1588 if (!afinfo) 1589 return ERR_PTR(-EINVAL); 1590 1591 switch (family) { 1592 case AF_INET: 1593 dst_ops = &net->xfrm.xfrm4_dst_ops; 1594 break; 1595 #if IS_ENABLED(CONFIG_IPV6) 1596 case AF_INET6: 1597 dst_ops = &net->xfrm.xfrm6_dst_ops; 1598 break; 1599 #endif 1600 default: 1601 BUG(); 1602 } 1603 xdst = dst_alloc(dst_ops, NULL, 0, DST_OBSOLETE_NONE, 0); 1604 1605 if (likely(xdst)) { 1606 struct dst_entry *dst = &xdst->u.dst; 1607 1608 memset(dst + 1, 0, sizeof(*xdst) - sizeof(*dst)); 1609 xdst->flo.ops = &xfrm_bundle_fc_ops; 1610 } else 1611 xdst = ERR_PTR(-ENOBUFS); 1612 1613 xfrm_policy_put_afinfo(afinfo); 1614 1615 return xdst; 1616 } 1617 1618 static inline int xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst, 1619 int nfheader_len) 1620 { 1621 struct xfrm_policy_afinfo *afinfo = 1622 xfrm_policy_get_afinfo(dst->ops->family); 1623 int err; 1624 1625 if (!afinfo) 1626 return -EINVAL; 1627 1628 err = afinfo->init_path(path, dst, nfheader_len); 1629 1630 xfrm_policy_put_afinfo(afinfo); 1631 1632 return err; 1633 } 1634 1635 static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev, 1636 const struct flowi *fl) 1637 { 1638 struct xfrm_policy_afinfo *afinfo = 1639 xfrm_policy_get_afinfo(xdst->u.dst.ops->family); 1640 int err; 1641 1642 if (!afinfo) 1643 return -EINVAL; 1644 1645 err = afinfo->fill_dst(xdst, dev, fl); 1646 1647 xfrm_policy_put_afinfo(afinfo); 1648 1649 return err; 1650 } 1651 1652 1653 /* Allocate chain of dst_entry's, attach known xfrm's, calculate 1654 * all the metrics... Shortly, bundle a bundle. 1655 */ 1656 1657 static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy, 1658 struct xfrm_state **xfrm, int nx, 1659 const struct flowi *fl, 1660 struct dst_entry *dst) 1661 { 1662 struct net *net = xp_net(policy); 1663 unsigned long now = jiffies; 1664 struct net_device *dev; 1665 struct xfrm_mode *inner_mode; 1666 struct dst_entry *dst_prev = NULL; 1667 struct dst_entry *dst0 = NULL; 1668 int i = 0; 1669 int err; 1670 int header_len = 0; 1671 int nfheader_len = 0; 1672 int trailer_len = 0; 1673 int tos; 1674 int family = policy->selector.family; 1675 xfrm_address_t saddr, daddr; 1676 1677 xfrm_flowi_addr_get(fl, &saddr, &daddr, family); 1678 1679 tos = xfrm_get_tos(fl, family); 1680 err = tos; 1681 if (tos < 0) 1682 goto put_states; 1683 1684 dst_hold(dst); 1685 1686 for (; i < nx; i++) { 1687 struct xfrm_dst *xdst = xfrm_alloc_dst(net, family); 1688 struct dst_entry *dst1 = &xdst->u.dst; 1689 1690 err = PTR_ERR(xdst); 1691 if (IS_ERR(xdst)) { 1692 dst_release(dst); 1693 goto put_states; 1694 } 1695 1696 if (xfrm[i]->sel.family == AF_UNSPEC) { 1697 inner_mode = xfrm_ip2inner_mode(xfrm[i], 1698 xfrm_af2proto(family)); 1699 if (!inner_mode) { 1700 err = -EAFNOSUPPORT; 1701 dst_release(dst); 1702 goto put_states; 1703 } 1704 } else 1705 inner_mode = xfrm[i]->inner_mode; 1706 1707 if (!dst_prev) 1708 dst0 = dst1; 1709 else { 1710 dst_prev->child = dst_clone(dst1); 1711 dst1->flags |= DST_NOHASH; 1712 } 1713 1714 xdst->route = dst; 1715 dst_copy_metrics(dst1, dst); 1716 1717 if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) { 1718 family = xfrm[i]->props.family; 1719 dst = xfrm_dst_lookup(xfrm[i], tos, fl->flowi_oif, 1720 &saddr, &daddr, family); 1721 err = PTR_ERR(dst); 1722 if (IS_ERR(dst)) 1723 goto put_states; 1724 } else 1725 dst_hold(dst); 1726 1727 dst1->xfrm = xfrm[i]; 1728 xdst->xfrm_genid = xfrm[i]->genid; 1729 1730 dst1->obsolete = DST_OBSOLETE_FORCE_CHK; 1731 dst1->flags |= DST_HOST; 1732 dst1->lastuse = now; 1733 1734 dst1->input = dst_discard; 1735 dst1->output = inner_mode->afinfo->output; 1736 1737 dst1->next = dst_prev; 1738 dst_prev = dst1; 1739 1740 header_len += xfrm[i]->props.header_len; 1741 if (xfrm[i]->type->flags & XFRM_TYPE_NON_FRAGMENT) 1742 nfheader_len += xfrm[i]->props.header_len; 1743 trailer_len += xfrm[i]->props.trailer_len; 1744 } 1745 1746 dst_prev->child = dst; 1747 dst0->path = dst; 1748 1749 err = -ENODEV; 1750 dev = dst->dev; 1751 if (!dev) 1752 goto free_dst; 1753 1754 xfrm_init_path((struct xfrm_dst *)dst0, dst, nfheader_len); 1755 xfrm_init_pmtu(dst_prev); 1756 1757 for (dst_prev = dst0; dst_prev != dst; dst_prev = dst_prev->child) { 1758 struct xfrm_dst *xdst = (struct xfrm_dst *)dst_prev; 1759 1760 err = xfrm_fill_dst(xdst, dev, fl); 1761 if (err) 1762 goto free_dst; 1763 1764 dst_prev->header_len = header_len; 1765 dst_prev->trailer_len = trailer_len; 1766 header_len -= xdst->u.dst.xfrm->props.header_len; 1767 trailer_len -= xdst->u.dst.xfrm->props.trailer_len; 1768 } 1769 1770 out: 1771 return dst0; 1772 1773 put_states: 1774 for (; i < nx; i++) 1775 xfrm_state_put(xfrm[i]); 1776 free_dst: 1777 if (dst0) 1778 dst_free(dst0); 1779 dst0 = ERR_PTR(err); 1780 goto out; 1781 } 1782 1783 #ifdef CONFIG_XFRM_SUB_POLICY 1784 static int xfrm_dst_alloc_copy(void **target, const void *src, int size) 1785 { 1786 if (!*target) { 1787 *target = kmalloc(size, GFP_ATOMIC); 1788 if (!*target) 1789 return -ENOMEM; 1790 } 1791 1792 memcpy(*target, src, size); 1793 return 0; 1794 } 1795 #endif 1796 1797 static int xfrm_dst_update_parent(struct dst_entry *dst, 1798 const struct xfrm_selector *sel) 1799 { 1800 #ifdef CONFIG_XFRM_SUB_POLICY 1801 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 1802 return xfrm_dst_alloc_copy((void **)&(xdst->partner), 1803 sel, sizeof(*sel)); 1804 #else 1805 return 0; 1806 #endif 1807 } 1808 1809 static int xfrm_dst_update_origin(struct dst_entry *dst, 1810 const struct flowi *fl) 1811 { 1812 #ifdef CONFIG_XFRM_SUB_POLICY 1813 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 1814 return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl)); 1815 #else 1816 return 0; 1817 #endif 1818 } 1819 1820 static int xfrm_expand_policies(const struct flowi *fl, u16 family, 1821 struct xfrm_policy **pols, 1822 int *num_pols, int *num_xfrms) 1823 { 1824 int i; 1825 1826 if (*num_pols == 0 || !pols[0]) { 1827 *num_pols = 0; 1828 *num_xfrms = 0; 1829 return 0; 1830 } 1831 if (IS_ERR(pols[0])) 1832 return PTR_ERR(pols[0]); 1833 1834 *num_xfrms = pols[0]->xfrm_nr; 1835 1836 #ifdef CONFIG_XFRM_SUB_POLICY 1837 if (pols[0] && pols[0]->action == XFRM_POLICY_ALLOW && 1838 pols[0]->type != XFRM_POLICY_TYPE_MAIN) { 1839 pols[1] = xfrm_policy_lookup_bytype(xp_net(pols[0]), 1840 XFRM_POLICY_TYPE_MAIN, 1841 fl, family, 1842 XFRM_POLICY_OUT); 1843 if (pols[1]) { 1844 if (IS_ERR(pols[1])) { 1845 xfrm_pols_put(pols, *num_pols); 1846 return PTR_ERR(pols[1]); 1847 } 1848 (*num_pols)++; 1849 (*num_xfrms) += pols[1]->xfrm_nr; 1850 } 1851 } 1852 #endif 1853 for (i = 0; i < *num_pols; i++) { 1854 if (pols[i]->action != XFRM_POLICY_ALLOW) { 1855 *num_xfrms = -1; 1856 break; 1857 } 1858 } 1859 1860 return 0; 1861 1862 } 1863 1864 static struct xfrm_dst * 1865 xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols, 1866 const struct flowi *fl, u16 family, 1867 struct dst_entry *dst_orig) 1868 { 1869 struct net *net = xp_net(pols[0]); 1870 struct xfrm_state *xfrm[XFRM_MAX_DEPTH]; 1871 struct dst_entry *dst; 1872 struct xfrm_dst *xdst; 1873 int err; 1874 1875 /* Try to instantiate a bundle */ 1876 err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family); 1877 if (err <= 0) { 1878 if (err != 0 && err != -EAGAIN) 1879 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR); 1880 return ERR_PTR(err); 1881 } 1882 1883 dst = xfrm_bundle_create(pols[0], xfrm, err, fl, dst_orig); 1884 if (IS_ERR(dst)) { 1885 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLEGENERROR); 1886 return ERR_CAST(dst); 1887 } 1888 1889 xdst = (struct xfrm_dst *)dst; 1890 xdst->num_xfrms = err; 1891 if (num_pols > 1) 1892 err = xfrm_dst_update_parent(dst, &pols[1]->selector); 1893 else 1894 err = xfrm_dst_update_origin(dst, fl); 1895 if (unlikely(err)) { 1896 dst_free(dst); 1897 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR); 1898 return ERR_PTR(err); 1899 } 1900 1901 xdst->num_pols = num_pols; 1902 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols); 1903 xdst->policy_genid = atomic_read(&pols[0]->genid); 1904 1905 return xdst; 1906 } 1907 1908 static void xfrm_policy_queue_process(unsigned long arg) 1909 { 1910 struct sk_buff *skb; 1911 struct sock *sk; 1912 struct dst_entry *dst; 1913 struct xfrm_policy *pol = (struct xfrm_policy *)arg; 1914 struct net *net = xp_net(pol); 1915 struct xfrm_policy_queue *pq = &pol->polq; 1916 struct flowi fl; 1917 struct sk_buff_head list; 1918 1919 spin_lock(&pq->hold_queue.lock); 1920 skb = skb_peek(&pq->hold_queue); 1921 if (!skb) { 1922 spin_unlock(&pq->hold_queue.lock); 1923 goto out; 1924 } 1925 dst = skb_dst(skb); 1926 sk = skb->sk; 1927 xfrm_decode_session(skb, &fl, dst->ops->family); 1928 spin_unlock(&pq->hold_queue.lock); 1929 1930 dst_hold(dst->path); 1931 dst = xfrm_lookup(net, dst->path, &fl, sk, 0); 1932 if (IS_ERR(dst)) 1933 goto purge_queue; 1934 1935 if (dst->flags & DST_XFRM_QUEUE) { 1936 dst_release(dst); 1937 1938 if (pq->timeout >= XFRM_QUEUE_TMO_MAX) 1939 goto purge_queue; 1940 1941 pq->timeout = pq->timeout << 1; 1942 if (!mod_timer(&pq->hold_timer, jiffies + pq->timeout)) 1943 xfrm_pol_hold(pol); 1944 goto out; 1945 } 1946 1947 dst_release(dst); 1948 1949 __skb_queue_head_init(&list); 1950 1951 spin_lock(&pq->hold_queue.lock); 1952 pq->timeout = 0; 1953 skb_queue_splice_init(&pq->hold_queue, &list); 1954 spin_unlock(&pq->hold_queue.lock); 1955 1956 while (!skb_queue_empty(&list)) { 1957 skb = __skb_dequeue(&list); 1958 1959 xfrm_decode_session(skb, &fl, skb_dst(skb)->ops->family); 1960 dst_hold(skb_dst(skb)->path); 1961 dst = xfrm_lookup(net, skb_dst(skb)->path, &fl, skb->sk, 0); 1962 if (IS_ERR(dst)) { 1963 kfree_skb(skb); 1964 continue; 1965 } 1966 1967 nf_reset(skb); 1968 skb_dst_drop(skb); 1969 skb_dst_set(skb, dst); 1970 1971 dst_output(net, skb->sk, skb); 1972 } 1973 1974 out: 1975 xfrm_pol_put(pol); 1976 return; 1977 1978 purge_queue: 1979 pq->timeout = 0; 1980 skb_queue_purge(&pq->hold_queue); 1981 xfrm_pol_put(pol); 1982 } 1983 1984 static int xdst_queue_output(struct net *net, struct sock *sk, struct sk_buff *skb) 1985 { 1986 unsigned long sched_next; 1987 struct dst_entry *dst = skb_dst(skb); 1988 struct xfrm_dst *xdst = (struct xfrm_dst *) dst; 1989 struct xfrm_policy *pol = xdst->pols[0]; 1990 struct xfrm_policy_queue *pq = &pol->polq; 1991 1992 if (unlikely(skb_fclone_busy(sk, skb))) { 1993 kfree_skb(skb); 1994 return 0; 1995 } 1996 1997 if (pq->hold_queue.qlen > XFRM_MAX_QUEUE_LEN) { 1998 kfree_skb(skb); 1999 return -EAGAIN; 2000 } 2001 2002 skb_dst_force(skb); 2003 2004 spin_lock_bh(&pq->hold_queue.lock); 2005 2006 if (!pq->timeout) 2007 pq->timeout = XFRM_QUEUE_TMO_MIN; 2008 2009 sched_next = jiffies + pq->timeout; 2010 2011 if (del_timer(&pq->hold_timer)) { 2012 if (time_before(pq->hold_timer.expires, sched_next)) 2013 sched_next = pq->hold_timer.expires; 2014 xfrm_pol_put(pol); 2015 } 2016 2017 __skb_queue_tail(&pq->hold_queue, skb); 2018 if (!mod_timer(&pq->hold_timer, sched_next)) 2019 xfrm_pol_hold(pol); 2020 2021 spin_unlock_bh(&pq->hold_queue.lock); 2022 2023 return 0; 2024 } 2025 2026 static struct xfrm_dst *xfrm_create_dummy_bundle(struct net *net, 2027 struct xfrm_flo *xflo, 2028 const struct flowi *fl, 2029 int num_xfrms, 2030 u16 family) 2031 { 2032 int err; 2033 struct net_device *dev; 2034 struct dst_entry *dst; 2035 struct dst_entry *dst1; 2036 struct xfrm_dst *xdst; 2037 2038 xdst = xfrm_alloc_dst(net, family); 2039 if (IS_ERR(xdst)) 2040 return xdst; 2041 2042 if (!(xflo->flags & XFRM_LOOKUP_QUEUE) || 2043 net->xfrm.sysctl_larval_drop || 2044 num_xfrms <= 0) 2045 return xdst; 2046 2047 dst = xflo->dst_orig; 2048 dst1 = &xdst->u.dst; 2049 dst_hold(dst); 2050 xdst->route = dst; 2051 2052 dst_copy_metrics(dst1, dst); 2053 2054 dst1->obsolete = DST_OBSOLETE_FORCE_CHK; 2055 dst1->flags |= DST_HOST | DST_XFRM_QUEUE; 2056 dst1->lastuse = jiffies; 2057 2058 dst1->input = dst_discard; 2059 dst1->output = xdst_queue_output; 2060 2061 dst_hold(dst); 2062 dst1->child = dst; 2063 dst1->path = dst; 2064 2065 xfrm_init_path((struct xfrm_dst *)dst1, dst, 0); 2066 2067 err = -ENODEV; 2068 dev = dst->dev; 2069 if (!dev) 2070 goto free_dst; 2071 2072 err = xfrm_fill_dst(xdst, dev, fl); 2073 if (err) 2074 goto free_dst; 2075 2076 out: 2077 return xdst; 2078 2079 free_dst: 2080 dst_release(dst1); 2081 xdst = ERR_PTR(err); 2082 goto out; 2083 } 2084 2085 static struct flow_cache_object * 2086 xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir, 2087 struct flow_cache_object *oldflo, void *ctx) 2088 { 2089 struct xfrm_flo *xflo = (struct xfrm_flo *)ctx; 2090 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; 2091 struct xfrm_dst *xdst, *new_xdst; 2092 int num_pols = 0, num_xfrms = 0, i, err, pol_dead; 2093 2094 /* Check if the policies from old bundle are usable */ 2095 xdst = NULL; 2096 if (oldflo) { 2097 xdst = container_of(oldflo, struct xfrm_dst, flo); 2098 num_pols = xdst->num_pols; 2099 num_xfrms = xdst->num_xfrms; 2100 pol_dead = 0; 2101 for (i = 0; i < num_pols; i++) { 2102 pols[i] = xdst->pols[i]; 2103 pol_dead |= pols[i]->walk.dead; 2104 } 2105 if (pol_dead) { 2106 dst_free(&xdst->u.dst); 2107 xdst = NULL; 2108 num_pols = 0; 2109 num_xfrms = 0; 2110 oldflo = NULL; 2111 } 2112 } 2113 2114 /* Resolve policies to use if we couldn't get them from 2115 * previous cache entry */ 2116 if (xdst == NULL) { 2117 num_pols = 1; 2118 pols[0] = __xfrm_policy_lookup(net, fl, family, 2119 flow_to_policy_dir(dir)); 2120 err = xfrm_expand_policies(fl, family, pols, 2121 &num_pols, &num_xfrms); 2122 if (err < 0) 2123 goto inc_error; 2124 if (num_pols == 0) 2125 return NULL; 2126 if (num_xfrms <= 0) 2127 goto make_dummy_bundle; 2128 } 2129 2130 new_xdst = xfrm_resolve_and_create_bundle(pols, num_pols, fl, family, 2131 xflo->dst_orig); 2132 if (IS_ERR(new_xdst)) { 2133 err = PTR_ERR(new_xdst); 2134 if (err != -EAGAIN) 2135 goto error; 2136 if (oldflo == NULL) 2137 goto make_dummy_bundle; 2138 dst_hold(&xdst->u.dst); 2139 return oldflo; 2140 } else if (new_xdst == NULL) { 2141 num_xfrms = 0; 2142 if (oldflo == NULL) 2143 goto make_dummy_bundle; 2144 xdst->num_xfrms = 0; 2145 dst_hold(&xdst->u.dst); 2146 return oldflo; 2147 } 2148 2149 /* Kill the previous bundle */ 2150 if (xdst) { 2151 /* The policies were stolen for newly generated bundle */ 2152 xdst->num_pols = 0; 2153 dst_free(&xdst->u.dst); 2154 } 2155 2156 /* Flow cache does not have reference, it dst_free()'s, 2157 * but we do need to return one reference for original caller */ 2158 dst_hold(&new_xdst->u.dst); 2159 return &new_xdst->flo; 2160 2161 make_dummy_bundle: 2162 /* We found policies, but there's no bundles to instantiate: 2163 * either because the policy blocks, has no transformations or 2164 * we could not build template (no xfrm_states).*/ 2165 xdst = xfrm_create_dummy_bundle(net, xflo, fl, num_xfrms, family); 2166 if (IS_ERR(xdst)) { 2167 xfrm_pols_put(pols, num_pols); 2168 return ERR_CAST(xdst); 2169 } 2170 xdst->num_pols = num_pols; 2171 xdst->num_xfrms = num_xfrms; 2172 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols); 2173 2174 dst_hold(&xdst->u.dst); 2175 return &xdst->flo; 2176 2177 inc_error: 2178 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR); 2179 error: 2180 if (xdst != NULL) 2181 dst_free(&xdst->u.dst); 2182 else 2183 xfrm_pols_put(pols, num_pols); 2184 return ERR_PTR(err); 2185 } 2186 2187 static struct dst_entry *make_blackhole(struct net *net, u16 family, 2188 struct dst_entry *dst_orig) 2189 { 2190 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 2191 struct dst_entry *ret; 2192 2193 if (!afinfo) { 2194 dst_release(dst_orig); 2195 return ERR_PTR(-EINVAL); 2196 } else { 2197 ret = afinfo->blackhole_route(net, dst_orig); 2198 } 2199 xfrm_policy_put_afinfo(afinfo); 2200 2201 return ret; 2202 } 2203 2204 /* Main function: finds/creates a bundle for given flow. 2205 * 2206 * At the moment we eat a raw IP route. Mostly to speed up lookups 2207 * on interfaces with disabled IPsec. 2208 */ 2209 struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig, 2210 const struct flowi *fl, 2211 const struct sock *sk, int flags) 2212 { 2213 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; 2214 struct flow_cache_object *flo; 2215 struct xfrm_dst *xdst; 2216 struct dst_entry *dst, *route; 2217 u16 family = dst_orig->ops->family; 2218 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT); 2219 int i, err, num_pols, num_xfrms = 0, drop_pols = 0; 2220 2221 dst = NULL; 2222 xdst = NULL; 2223 route = NULL; 2224 2225 sk = sk_const_to_full_sk(sk); 2226 if (sk && sk->sk_policy[XFRM_POLICY_OUT]) { 2227 num_pols = 1; 2228 pols[0] = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl); 2229 err = xfrm_expand_policies(fl, family, pols, 2230 &num_pols, &num_xfrms); 2231 if (err < 0) 2232 goto dropdst; 2233 2234 if (num_pols) { 2235 if (num_xfrms <= 0) { 2236 drop_pols = num_pols; 2237 goto no_transform; 2238 } 2239 2240 xdst = xfrm_resolve_and_create_bundle( 2241 pols, num_pols, fl, 2242 family, dst_orig); 2243 if (IS_ERR(xdst)) { 2244 xfrm_pols_put(pols, num_pols); 2245 err = PTR_ERR(xdst); 2246 goto dropdst; 2247 } else if (xdst == NULL) { 2248 num_xfrms = 0; 2249 drop_pols = num_pols; 2250 goto no_transform; 2251 } 2252 2253 dst_hold(&xdst->u.dst); 2254 xdst->u.dst.flags |= DST_NOCACHE; 2255 route = xdst->route; 2256 } 2257 } 2258 2259 if (xdst == NULL) { 2260 struct xfrm_flo xflo; 2261 2262 xflo.dst_orig = dst_orig; 2263 xflo.flags = flags; 2264 2265 /* To accelerate a bit... */ 2266 if ((dst_orig->flags & DST_NOXFRM) || 2267 !net->xfrm.policy_count[XFRM_POLICY_OUT]) 2268 goto nopol; 2269 2270 flo = flow_cache_lookup(net, fl, family, dir, 2271 xfrm_bundle_lookup, &xflo); 2272 if (flo == NULL) 2273 goto nopol; 2274 if (IS_ERR(flo)) { 2275 err = PTR_ERR(flo); 2276 goto dropdst; 2277 } 2278 xdst = container_of(flo, struct xfrm_dst, flo); 2279 2280 num_pols = xdst->num_pols; 2281 num_xfrms = xdst->num_xfrms; 2282 memcpy(pols, xdst->pols, sizeof(struct xfrm_policy *) * num_pols); 2283 route = xdst->route; 2284 } 2285 2286 dst = &xdst->u.dst; 2287 if (route == NULL && num_xfrms > 0) { 2288 /* The only case when xfrm_bundle_lookup() returns a 2289 * bundle with null route, is when the template could 2290 * not be resolved. It means policies are there, but 2291 * bundle could not be created, since we don't yet 2292 * have the xfrm_state's. We need to wait for KM to 2293 * negotiate new SA's or bail out with error.*/ 2294 if (net->xfrm.sysctl_larval_drop) { 2295 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES); 2296 err = -EREMOTE; 2297 goto error; 2298 } 2299 2300 err = -EAGAIN; 2301 2302 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES); 2303 goto error; 2304 } 2305 2306 no_transform: 2307 if (num_pols == 0) 2308 goto nopol; 2309 2310 if ((flags & XFRM_LOOKUP_ICMP) && 2311 !(pols[0]->flags & XFRM_POLICY_ICMP)) { 2312 err = -ENOENT; 2313 goto error; 2314 } 2315 2316 for (i = 0; i < num_pols; i++) 2317 pols[i]->curlft.use_time = get_seconds(); 2318 2319 if (num_xfrms < 0) { 2320 /* Prohibit the flow */ 2321 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLBLOCK); 2322 err = -EPERM; 2323 goto error; 2324 } else if (num_xfrms > 0) { 2325 /* Flow transformed */ 2326 dst_release(dst_orig); 2327 } else { 2328 /* Flow passes untransformed */ 2329 dst_release(dst); 2330 dst = dst_orig; 2331 } 2332 ok: 2333 xfrm_pols_put(pols, drop_pols); 2334 if (dst && dst->xfrm && 2335 dst->xfrm->props.mode == XFRM_MODE_TUNNEL) 2336 dst->flags |= DST_XFRM_TUNNEL; 2337 return dst; 2338 2339 nopol: 2340 if (!(flags & XFRM_LOOKUP_ICMP)) { 2341 dst = dst_orig; 2342 goto ok; 2343 } 2344 err = -ENOENT; 2345 error: 2346 dst_release(dst); 2347 dropdst: 2348 if (!(flags & XFRM_LOOKUP_KEEP_DST_REF)) 2349 dst_release(dst_orig); 2350 xfrm_pols_put(pols, drop_pols); 2351 return ERR_PTR(err); 2352 } 2353 EXPORT_SYMBOL(xfrm_lookup); 2354 2355 /* Callers of xfrm_lookup_route() must ensure a call to dst_output(). 2356 * Otherwise we may send out blackholed packets. 2357 */ 2358 struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig, 2359 const struct flowi *fl, 2360 const struct sock *sk, int flags) 2361 { 2362 struct dst_entry *dst = xfrm_lookup(net, dst_orig, fl, sk, 2363 flags | XFRM_LOOKUP_QUEUE | 2364 XFRM_LOOKUP_KEEP_DST_REF); 2365 2366 if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE) 2367 return make_blackhole(net, dst_orig->ops->family, dst_orig); 2368 2369 return dst; 2370 } 2371 EXPORT_SYMBOL(xfrm_lookup_route); 2372 2373 static inline int 2374 xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl) 2375 { 2376 struct xfrm_state *x; 2377 2378 if (!skb->sp || idx < 0 || idx >= skb->sp->len) 2379 return 0; 2380 x = skb->sp->xvec[idx]; 2381 if (!x->type->reject) 2382 return 0; 2383 return x->type->reject(x, skb, fl); 2384 } 2385 2386 /* When skb is transformed back to its "native" form, we have to 2387 * check policy restrictions. At the moment we make this in maximally 2388 * stupid way. Shame on me. :-) Of course, connected sockets must 2389 * have policy cached at them. 2390 */ 2391 2392 static inline int 2393 xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, 2394 unsigned short family) 2395 { 2396 if (xfrm_state_kern(x)) 2397 return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family); 2398 return x->id.proto == tmpl->id.proto && 2399 (x->id.spi == tmpl->id.spi || !tmpl->id.spi) && 2400 (x->props.reqid == tmpl->reqid || !tmpl->reqid) && 2401 x->props.mode == tmpl->mode && 2402 (tmpl->allalgs || (tmpl->aalgos & (1<<x->props.aalgo)) || 2403 !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) && 2404 !(x->props.mode != XFRM_MODE_TRANSPORT && 2405 xfrm_state_addr_cmp(tmpl, x, family)); 2406 } 2407 2408 /* 2409 * 0 or more than 0 is returned when validation is succeeded (either bypass 2410 * because of optional transport mode, or next index of the mathced secpath 2411 * state with the template. 2412 * -1 is returned when no matching template is found. 2413 * Otherwise "-2 - errored_index" is returned. 2414 */ 2415 static inline int 2416 xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start, 2417 unsigned short family) 2418 { 2419 int idx = start; 2420 2421 if (tmpl->optional) { 2422 if (tmpl->mode == XFRM_MODE_TRANSPORT) 2423 return start; 2424 } else 2425 start = -1; 2426 for (; idx < sp->len; idx++) { 2427 if (xfrm_state_ok(tmpl, sp->xvec[idx], family)) 2428 return ++idx; 2429 if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) { 2430 if (start == -1) 2431 start = -2-idx; 2432 break; 2433 } 2434 } 2435 return start; 2436 } 2437 2438 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, 2439 unsigned int family, int reverse) 2440 { 2441 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 2442 int err; 2443 2444 if (unlikely(afinfo == NULL)) 2445 return -EAFNOSUPPORT; 2446 2447 afinfo->decode_session(skb, fl, reverse); 2448 err = security_xfrm_decode_session(skb, &fl->flowi_secid); 2449 xfrm_policy_put_afinfo(afinfo); 2450 return err; 2451 } 2452 EXPORT_SYMBOL(__xfrm_decode_session); 2453 2454 static inline int secpath_has_nontransport(const struct sec_path *sp, int k, int *idxp) 2455 { 2456 for (; k < sp->len; k++) { 2457 if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) { 2458 *idxp = k; 2459 return 1; 2460 } 2461 } 2462 2463 return 0; 2464 } 2465 2466 int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, 2467 unsigned short family) 2468 { 2469 struct net *net = dev_net(skb->dev); 2470 struct xfrm_policy *pol; 2471 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; 2472 int npols = 0; 2473 int xfrm_nr; 2474 int pi; 2475 int reverse; 2476 struct flowi fl; 2477 u8 fl_dir; 2478 int xerr_idx = -1; 2479 2480 reverse = dir & ~XFRM_POLICY_MASK; 2481 dir &= XFRM_POLICY_MASK; 2482 fl_dir = policy_to_flow_dir(dir); 2483 2484 if (__xfrm_decode_session(skb, &fl, family, reverse) < 0) { 2485 XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR); 2486 return 0; 2487 } 2488 2489 nf_nat_decode_session(skb, &fl, family); 2490 2491 /* First, check used SA against their selectors. */ 2492 if (skb->sp) { 2493 int i; 2494 2495 for (i = skb->sp->len-1; i >= 0; i--) { 2496 struct xfrm_state *x = skb->sp->xvec[i]; 2497 if (!xfrm_selector_match(&x->sel, &fl, family)) { 2498 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH); 2499 return 0; 2500 } 2501 } 2502 } 2503 2504 pol = NULL; 2505 sk = sk_to_full_sk(sk); 2506 if (sk && sk->sk_policy[dir]) { 2507 pol = xfrm_sk_policy_lookup(sk, dir, &fl); 2508 if (IS_ERR(pol)) { 2509 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR); 2510 return 0; 2511 } 2512 } 2513 2514 if (!pol) { 2515 struct flow_cache_object *flo; 2516 2517 flo = flow_cache_lookup(net, &fl, family, fl_dir, 2518 xfrm_policy_lookup, NULL); 2519 if (IS_ERR_OR_NULL(flo)) 2520 pol = ERR_CAST(flo); 2521 else 2522 pol = container_of(flo, struct xfrm_policy, flo); 2523 } 2524 2525 if (IS_ERR(pol)) { 2526 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR); 2527 return 0; 2528 } 2529 2530 if (!pol) { 2531 if (skb->sp && secpath_has_nontransport(skb->sp, 0, &xerr_idx)) { 2532 xfrm_secpath_reject(xerr_idx, skb, &fl); 2533 XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS); 2534 return 0; 2535 } 2536 return 1; 2537 } 2538 2539 pol->curlft.use_time = get_seconds(); 2540 2541 pols[0] = pol; 2542 npols++; 2543 #ifdef CONFIG_XFRM_SUB_POLICY 2544 if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) { 2545 pols[1] = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, 2546 &fl, family, 2547 XFRM_POLICY_IN); 2548 if (pols[1]) { 2549 if (IS_ERR(pols[1])) { 2550 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR); 2551 return 0; 2552 } 2553 pols[1]->curlft.use_time = get_seconds(); 2554 npols++; 2555 } 2556 } 2557 #endif 2558 2559 if (pol->action == XFRM_POLICY_ALLOW) { 2560 struct sec_path *sp; 2561 static struct sec_path dummy; 2562 struct xfrm_tmpl *tp[XFRM_MAX_DEPTH]; 2563 struct xfrm_tmpl *stp[XFRM_MAX_DEPTH]; 2564 struct xfrm_tmpl **tpp = tp; 2565 int ti = 0; 2566 int i, k; 2567 2568 if ((sp = skb->sp) == NULL) 2569 sp = &dummy; 2570 2571 for (pi = 0; pi < npols; pi++) { 2572 if (pols[pi] != pol && 2573 pols[pi]->action != XFRM_POLICY_ALLOW) { 2574 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK); 2575 goto reject; 2576 } 2577 if (ti + pols[pi]->xfrm_nr >= XFRM_MAX_DEPTH) { 2578 XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR); 2579 goto reject_error; 2580 } 2581 for (i = 0; i < pols[pi]->xfrm_nr; i++) 2582 tpp[ti++] = &pols[pi]->xfrm_vec[i]; 2583 } 2584 xfrm_nr = ti; 2585 if (npols > 1) { 2586 xfrm_tmpl_sort(stp, tpp, xfrm_nr, family, net); 2587 tpp = stp; 2588 } 2589 2590 /* For each tunnel xfrm, find the first matching tmpl. 2591 * For each tmpl before that, find corresponding xfrm. 2592 * Order is _important_. Later we will implement 2593 * some barriers, but at the moment barriers 2594 * are implied between each two transformations. 2595 */ 2596 for (i = xfrm_nr-1, k = 0; i >= 0; i--) { 2597 k = xfrm_policy_ok(tpp[i], sp, k, family); 2598 if (k < 0) { 2599 if (k < -1) 2600 /* "-2 - errored_index" returned */ 2601 xerr_idx = -(2+k); 2602 XFRM_INC_STATS(net, LINUX_MIB_XFRMINTMPLMISMATCH); 2603 goto reject; 2604 } 2605 } 2606 2607 if (secpath_has_nontransport(sp, k, &xerr_idx)) { 2608 XFRM_INC_STATS(net, LINUX_MIB_XFRMINTMPLMISMATCH); 2609 goto reject; 2610 } 2611 2612 xfrm_pols_put(pols, npols); 2613 return 1; 2614 } 2615 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK); 2616 2617 reject: 2618 xfrm_secpath_reject(xerr_idx, skb, &fl); 2619 reject_error: 2620 xfrm_pols_put(pols, npols); 2621 return 0; 2622 } 2623 EXPORT_SYMBOL(__xfrm_policy_check); 2624 2625 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family) 2626 { 2627 struct net *net = dev_net(skb->dev); 2628 struct flowi fl; 2629 struct dst_entry *dst; 2630 int res = 1; 2631 2632 if (xfrm_decode_session(skb, &fl, family) < 0) { 2633 XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR); 2634 return 0; 2635 } 2636 2637 skb_dst_force(skb); 2638 2639 dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE); 2640 if (IS_ERR(dst)) { 2641 res = 0; 2642 dst = NULL; 2643 } 2644 skb_dst_set(skb, dst); 2645 return res; 2646 } 2647 EXPORT_SYMBOL(__xfrm_route_forward); 2648 2649 /* Optimize later using cookies and generation ids. */ 2650 2651 static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie) 2652 { 2653 /* Code (such as __xfrm4_bundle_create()) sets dst->obsolete 2654 * to DST_OBSOLETE_FORCE_CHK to force all XFRM destinations to 2655 * get validated by dst_ops->check on every use. We do this 2656 * because when a normal route referenced by an XFRM dst is 2657 * obsoleted we do not go looking around for all parent 2658 * referencing XFRM dsts so that we can invalidate them. It 2659 * is just too much work. Instead we make the checks here on 2660 * every use. For example: 2661 * 2662 * XFRM dst A --> IPv4 dst X 2663 * 2664 * X is the "xdst->route" of A (X is also the "dst->path" of A 2665 * in this example). If X is marked obsolete, "A" will not 2666 * notice. That's what we are validating here via the 2667 * stale_bundle() check. 2668 * 2669 * When a policy's bundle is pruned, we dst_free() the XFRM 2670 * dst which causes it's ->obsolete field to be set to 2671 * DST_OBSOLETE_DEAD. If an XFRM dst has been pruned like 2672 * this, we want to force a new route lookup. 2673 */ 2674 if (dst->obsolete < 0 && !stale_bundle(dst)) 2675 return dst; 2676 2677 return NULL; 2678 } 2679 2680 static int stale_bundle(struct dst_entry *dst) 2681 { 2682 return !xfrm_bundle_ok((struct xfrm_dst *)dst); 2683 } 2684 2685 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev) 2686 { 2687 while ((dst = dst->child) && dst->xfrm && dst->dev == dev) { 2688 dst->dev = dev_net(dev)->loopback_dev; 2689 dev_hold(dst->dev); 2690 dev_put(dev); 2691 } 2692 } 2693 EXPORT_SYMBOL(xfrm_dst_ifdown); 2694 2695 static void xfrm_link_failure(struct sk_buff *skb) 2696 { 2697 /* Impossible. Such dst must be popped before reaches point of failure. */ 2698 } 2699 2700 static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst) 2701 { 2702 if (dst) { 2703 if (dst->obsolete) { 2704 dst_release(dst); 2705 dst = NULL; 2706 } 2707 } 2708 return dst; 2709 } 2710 2711 void xfrm_garbage_collect(struct net *net) 2712 { 2713 flow_cache_flush(net); 2714 } 2715 EXPORT_SYMBOL(xfrm_garbage_collect); 2716 2717 static void xfrm_garbage_collect_deferred(struct net *net) 2718 { 2719 flow_cache_flush_deferred(net); 2720 } 2721 2722 static void xfrm_init_pmtu(struct dst_entry *dst) 2723 { 2724 do { 2725 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 2726 u32 pmtu, route_mtu_cached; 2727 2728 pmtu = dst_mtu(dst->child); 2729 xdst->child_mtu_cached = pmtu; 2730 2731 pmtu = xfrm_state_mtu(dst->xfrm, pmtu); 2732 2733 route_mtu_cached = dst_mtu(xdst->route); 2734 xdst->route_mtu_cached = route_mtu_cached; 2735 2736 if (pmtu > route_mtu_cached) 2737 pmtu = route_mtu_cached; 2738 2739 dst_metric_set(dst, RTAX_MTU, pmtu); 2740 } while ((dst = dst->next)); 2741 } 2742 2743 /* Check that the bundle accepts the flow and its components are 2744 * still valid. 2745 */ 2746 2747 static int xfrm_bundle_ok(struct xfrm_dst *first) 2748 { 2749 struct dst_entry *dst = &first->u.dst; 2750 struct xfrm_dst *last; 2751 u32 mtu; 2752 2753 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) || 2754 (dst->dev && !netif_running(dst->dev))) 2755 return 0; 2756 2757 if (dst->flags & DST_XFRM_QUEUE) 2758 return 1; 2759 2760 last = NULL; 2761 2762 do { 2763 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 2764 2765 if (dst->xfrm->km.state != XFRM_STATE_VALID) 2766 return 0; 2767 if (xdst->xfrm_genid != dst->xfrm->genid) 2768 return 0; 2769 if (xdst->num_pols > 0 && 2770 xdst->policy_genid != atomic_read(&xdst->pols[0]->genid)) 2771 return 0; 2772 2773 mtu = dst_mtu(dst->child); 2774 if (xdst->child_mtu_cached != mtu) { 2775 last = xdst; 2776 xdst->child_mtu_cached = mtu; 2777 } 2778 2779 if (!dst_check(xdst->route, xdst->route_cookie)) 2780 return 0; 2781 mtu = dst_mtu(xdst->route); 2782 if (xdst->route_mtu_cached != mtu) { 2783 last = xdst; 2784 xdst->route_mtu_cached = mtu; 2785 } 2786 2787 dst = dst->child; 2788 } while (dst->xfrm); 2789 2790 if (likely(!last)) 2791 return 1; 2792 2793 mtu = last->child_mtu_cached; 2794 for (;;) { 2795 dst = &last->u.dst; 2796 2797 mtu = xfrm_state_mtu(dst->xfrm, mtu); 2798 if (mtu > last->route_mtu_cached) 2799 mtu = last->route_mtu_cached; 2800 dst_metric_set(dst, RTAX_MTU, mtu); 2801 2802 if (last == first) 2803 break; 2804 2805 last = (struct xfrm_dst *)last->u.dst.next; 2806 last->child_mtu_cached = mtu; 2807 } 2808 2809 return 1; 2810 } 2811 2812 static unsigned int xfrm_default_advmss(const struct dst_entry *dst) 2813 { 2814 return dst_metric_advmss(dst->path); 2815 } 2816 2817 static unsigned int xfrm_mtu(const struct dst_entry *dst) 2818 { 2819 unsigned int mtu = dst_metric_raw(dst, RTAX_MTU); 2820 2821 return mtu ? : dst_mtu(dst->path); 2822 } 2823 2824 static struct neighbour *xfrm_neigh_lookup(const struct dst_entry *dst, 2825 struct sk_buff *skb, 2826 const void *daddr) 2827 { 2828 return dst->path->ops->neigh_lookup(dst, skb, daddr); 2829 } 2830 2831 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) 2832 { 2833 int err = 0; 2834 if (unlikely(afinfo == NULL)) 2835 return -EINVAL; 2836 if (unlikely(afinfo->family >= NPROTO)) 2837 return -EAFNOSUPPORT; 2838 spin_lock(&xfrm_policy_afinfo_lock); 2839 if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL)) 2840 err = -EEXIST; 2841 else { 2842 struct dst_ops *dst_ops = afinfo->dst_ops; 2843 if (likely(dst_ops->kmem_cachep == NULL)) 2844 dst_ops->kmem_cachep = xfrm_dst_cache; 2845 if (likely(dst_ops->check == NULL)) 2846 dst_ops->check = xfrm_dst_check; 2847 if (likely(dst_ops->default_advmss == NULL)) 2848 dst_ops->default_advmss = xfrm_default_advmss; 2849 if (likely(dst_ops->mtu == NULL)) 2850 dst_ops->mtu = xfrm_mtu; 2851 if (likely(dst_ops->negative_advice == NULL)) 2852 dst_ops->negative_advice = xfrm_negative_advice; 2853 if (likely(dst_ops->link_failure == NULL)) 2854 dst_ops->link_failure = xfrm_link_failure; 2855 if (likely(dst_ops->neigh_lookup == NULL)) 2856 dst_ops->neigh_lookup = xfrm_neigh_lookup; 2857 if (likely(afinfo->garbage_collect == NULL)) 2858 afinfo->garbage_collect = xfrm_garbage_collect_deferred; 2859 rcu_assign_pointer(xfrm_policy_afinfo[afinfo->family], afinfo); 2860 } 2861 spin_unlock(&xfrm_policy_afinfo_lock); 2862 2863 return err; 2864 } 2865 EXPORT_SYMBOL(xfrm_policy_register_afinfo); 2866 2867 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo) 2868 { 2869 int err = 0; 2870 if (unlikely(afinfo == NULL)) 2871 return -EINVAL; 2872 if (unlikely(afinfo->family >= NPROTO)) 2873 return -EAFNOSUPPORT; 2874 spin_lock(&xfrm_policy_afinfo_lock); 2875 if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) { 2876 if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo)) 2877 err = -EINVAL; 2878 else 2879 RCU_INIT_POINTER(xfrm_policy_afinfo[afinfo->family], 2880 NULL); 2881 } 2882 spin_unlock(&xfrm_policy_afinfo_lock); 2883 if (!err) { 2884 struct dst_ops *dst_ops = afinfo->dst_ops; 2885 2886 synchronize_rcu(); 2887 2888 dst_ops->kmem_cachep = NULL; 2889 dst_ops->check = NULL; 2890 dst_ops->negative_advice = NULL; 2891 dst_ops->link_failure = NULL; 2892 afinfo->garbage_collect = NULL; 2893 } 2894 return err; 2895 } 2896 EXPORT_SYMBOL(xfrm_policy_unregister_afinfo); 2897 2898 static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr) 2899 { 2900 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 2901 2902 switch (event) { 2903 case NETDEV_DOWN: 2904 xfrm_garbage_collect(dev_net(dev)); 2905 } 2906 return NOTIFY_DONE; 2907 } 2908 2909 static struct notifier_block xfrm_dev_notifier = { 2910 .notifier_call = xfrm_dev_event, 2911 }; 2912 2913 #ifdef CONFIG_XFRM_STATISTICS 2914 static int __net_init xfrm_statistics_init(struct net *net) 2915 { 2916 int rv; 2917 net->mib.xfrm_statistics = alloc_percpu(struct linux_xfrm_mib); 2918 if (!net->mib.xfrm_statistics) 2919 return -ENOMEM; 2920 rv = xfrm_proc_init(net); 2921 if (rv < 0) 2922 free_percpu(net->mib.xfrm_statistics); 2923 return rv; 2924 } 2925 2926 static void xfrm_statistics_fini(struct net *net) 2927 { 2928 xfrm_proc_fini(net); 2929 free_percpu(net->mib.xfrm_statistics); 2930 } 2931 #else 2932 static int __net_init xfrm_statistics_init(struct net *net) 2933 { 2934 return 0; 2935 } 2936 2937 static void xfrm_statistics_fini(struct net *net) 2938 { 2939 } 2940 #endif 2941 2942 static int __net_init xfrm_policy_init(struct net *net) 2943 { 2944 unsigned int hmask, sz; 2945 int dir; 2946 2947 if (net_eq(net, &init_net)) 2948 xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache", 2949 sizeof(struct xfrm_dst), 2950 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, 2951 NULL); 2952 2953 hmask = 8 - 1; 2954 sz = (hmask+1) * sizeof(struct hlist_head); 2955 2956 net->xfrm.policy_byidx = xfrm_hash_alloc(sz); 2957 if (!net->xfrm.policy_byidx) 2958 goto out_byidx; 2959 net->xfrm.policy_idx_hmask = hmask; 2960 2961 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { 2962 struct xfrm_policy_hash *htab; 2963 2964 net->xfrm.policy_count[dir] = 0; 2965 net->xfrm.policy_count[XFRM_POLICY_MAX + dir] = 0; 2966 INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]); 2967 2968 htab = &net->xfrm.policy_bydst[dir]; 2969 htab->table = xfrm_hash_alloc(sz); 2970 if (!htab->table) 2971 goto out_bydst; 2972 htab->hmask = hmask; 2973 htab->dbits4 = 32; 2974 htab->sbits4 = 32; 2975 htab->dbits6 = 128; 2976 htab->sbits6 = 128; 2977 } 2978 net->xfrm.policy_hthresh.lbits4 = 32; 2979 net->xfrm.policy_hthresh.rbits4 = 32; 2980 net->xfrm.policy_hthresh.lbits6 = 128; 2981 net->xfrm.policy_hthresh.rbits6 = 128; 2982 2983 seqlock_init(&net->xfrm.policy_hthresh.lock); 2984 2985 INIT_LIST_HEAD(&net->xfrm.policy_all); 2986 INIT_WORK(&net->xfrm.policy_hash_work, xfrm_hash_resize); 2987 INIT_WORK(&net->xfrm.policy_hthresh.work, xfrm_hash_rebuild); 2988 if (net_eq(net, &init_net)) 2989 register_netdevice_notifier(&xfrm_dev_notifier); 2990 return 0; 2991 2992 out_bydst: 2993 for (dir--; dir >= 0; dir--) { 2994 struct xfrm_policy_hash *htab; 2995 2996 htab = &net->xfrm.policy_bydst[dir]; 2997 xfrm_hash_free(htab->table, sz); 2998 } 2999 xfrm_hash_free(net->xfrm.policy_byidx, sz); 3000 out_byidx: 3001 return -ENOMEM; 3002 } 3003 3004 static void xfrm_policy_fini(struct net *net) 3005 { 3006 unsigned int sz; 3007 int dir; 3008 3009 flush_work(&net->xfrm.policy_hash_work); 3010 #ifdef CONFIG_XFRM_SUB_POLICY 3011 xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, false); 3012 #endif 3013 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false); 3014 3015 WARN_ON(!list_empty(&net->xfrm.policy_all)); 3016 3017 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { 3018 struct xfrm_policy_hash *htab; 3019 3020 WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir])); 3021 3022 htab = &net->xfrm.policy_bydst[dir]; 3023 sz = (htab->hmask + 1) * sizeof(struct hlist_head); 3024 WARN_ON(!hlist_empty(htab->table)); 3025 xfrm_hash_free(htab->table, sz); 3026 } 3027 3028 sz = (net->xfrm.policy_idx_hmask + 1) * sizeof(struct hlist_head); 3029 WARN_ON(!hlist_empty(net->xfrm.policy_byidx)); 3030 xfrm_hash_free(net->xfrm.policy_byidx, sz); 3031 } 3032 3033 static int __net_init xfrm_net_init(struct net *net) 3034 { 3035 int rv; 3036 3037 rv = xfrm_statistics_init(net); 3038 if (rv < 0) 3039 goto out_statistics; 3040 rv = xfrm_state_init(net); 3041 if (rv < 0) 3042 goto out_state; 3043 rv = xfrm_policy_init(net); 3044 if (rv < 0) 3045 goto out_policy; 3046 rv = xfrm_sysctl_init(net); 3047 if (rv < 0) 3048 goto out_sysctl; 3049 rv = flow_cache_init(net); 3050 if (rv < 0) 3051 goto out; 3052 3053 /* Initialize the per-net locks here */ 3054 spin_lock_init(&net->xfrm.xfrm_state_lock); 3055 rwlock_init(&net->xfrm.xfrm_policy_lock); 3056 mutex_init(&net->xfrm.xfrm_cfg_mutex); 3057 3058 return 0; 3059 3060 out: 3061 xfrm_sysctl_fini(net); 3062 out_sysctl: 3063 xfrm_policy_fini(net); 3064 out_policy: 3065 xfrm_state_fini(net); 3066 out_state: 3067 xfrm_statistics_fini(net); 3068 out_statistics: 3069 return rv; 3070 } 3071 3072 static void __net_exit xfrm_net_exit(struct net *net) 3073 { 3074 flow_cache_fini(net); 3075 xfrm_sysctl_fini(net); 3076 xfrm_policy_fini(net); 3077 xfrm_state_fini(net); 3078 xfrm_statistics_fini(net); 3079 } 3080 3081 static struct pernet_operations __net_initdata xfrm_net_ops = { 3082 .init = xfrm_net_init, 3083 .exit = xfrm_net_exit, 3084 }; 3085 3086 void __init xfrm_init(void) 3087 { 3088 register_pernet_subsys(&xfrm_net_ops); 3089 xfrm_input_init(); 3090 } 3091 3092 #ifdef CONFIG_AUDITSYSCALL 3093 static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp, 3094 struct audit_buffer *audit_buf) 3095 { 3096 struct xfrm_sec_ctx *ctx = xp->security; 3097 struct xfrm_selector *sel = &xp->selector; 3098 3099 if (ctx) 3100 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", 3101 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str); 3102 3103 switch (sel->family) { 3104 case AF_INET: 3105 audit_log_format(audit_buf, " src=%pI4", &sel->saddr.a4); 3106 if (sel->prefixlen_s != 32) 3107 audit_log_format(audit_buf, " src_prefixlen=%d", 3108 sel->prefixlen_s); 3109 audit_log_format(audit_buf, " dst=%pI4", &sel->daddr.a4); 3110 if (sel->prefixlen_d != 32) 3111 audit_log_format(audit_buf, " dst_prefixlen=%d", 3112 sel->prefixlen_d); 3113 break; 3114 case AF_INET6: 3115 audit_log_format(audit_buf, " src=%pI6", sel->saddr.a6); 3116 if (sel->prefixlen_s != 128) 3117 audit_log_format(audit_buf, " src_prefixlen=%d", 3118 sel->prefixlen_s); 3119 audit_log_format(audit_buf, " dst=%pI6", sel->daddr.a6); 3120 if (sel->prefixlen_d != 128) 3121 audit_log_format(audit_buf, " dst_prefixlen=%d", 3122 sel->prefixlen_d); 3123 break; 3124 } 3125 } 3126 3127 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid) 3128 { 3129 struct audit_buffer *audit_buf; 3130 3131 audit_buf = xfrm_audit_start("SPD-add"); 3132 if (audit_buf == NULL) 3133 return; 3134 xfrm_audit_helper_usrinfo(task_valid, audit_buf); 3135 audit_log_format(audit_buf, " res=%u", result); 3136 xfrm_audit_common_policyinfo(xp, audit_buf); 3137 audit_log_end(audit_buf); 3138 } 3139 EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); 3140 3141 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 3142 bool task_valid) 3143 { 3144 struct audit_buffer *audit_buf; 3145 3146 audit_buf = xfrm_audit_start("SPD-delete"); 3147 if (audit_buf == NULL) 3148 return; 3149 xfrm_audit_helper_usrinfo(task_valid, audit_buf); 3150 audit_log_format(audit_buf, " res=%u", result); 3151 xfrm_audit_common_policyinfo(xp, audit_buf); 3152 audit_log_end(audit_buf); 3153 } 3154 EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete); 3155 #endif 3156 3157 #ifdef CONFIG_XFRM_MIGRATE 3158 static bool xfrm_migrate_selector_match(const struct xfrm_selector *sel_cmp, 3159 const struct xfrm_selector *sel_tgt) 3160 { 3161 if (sel_cmp->proto == IPSEC_ULPROTO_ANY) { 3162 if (sel_tgt->family == sel_cmp->family && 3163 xfrm_addr_equal(&sel_tgt->daddr, &sel_cmp->daddr, 3164 sel_cmp->family) && 3165 xfrm_addr_equal(&sel_tgt->saddr, &sel_cmp->saddr, 3166 sel_cmp->family) && 3167 sel_tgt->prefixlen_d == sel_cmp->prefixlen_d && 3168 sel_tgt->prefixlen_s == sel_cmp->prefixlen_s) { 3169 return true; 3170 } 3171 } else { 3172 if (memcmp(sel_tgt, sel_cmp, sizeof(*sel_tgt)) == 0) { 3173 return true; 3174 } 3175 } 3176 return false; 3177 } 3178 3179 static struct xfrm_policy *xfrm_migrate_policy_find(const struct xfrm_selector *sel, 3180 u8 dir, u8 type, struct net *net) 3181 { 3182 struct xfrm_policy *pol, *ret = NULL; 3183 struct hlist_head *chain; 3184 u32 priority = ~0U; 3185 3186 read_lock_bh(&net->xfrm.xfrm_policy_lock); /*FIXME*/ 3187 chain = policy_hash_direct(net, &sel->daddr, &sel->saddr, sel->family, dir); 3188 hlist_for_each_entry(pol, chain, bydst) { 3189 if (xfrm_migrate_selector_match(sel, &pol->selector) && 3190 pol->type == type) { 3191 ret = pol; 3192 priority = ret->priority; 3193 break; 3194 } 3195 } 3196 chain = &net->xfrm.policy_inexact[dir]; 3197 hlist_for_each_entry(pol, chain, bydst) { 3198 if ((pol->priority >= priority) && ret) 3199 break; 3200 3201 if (xfrm_migrate_selector_match(sel, &pol->selector) && 3202 pol->type == type) { 3203 ret = pol; 3204 break; 3205 } 3206 } 3207 3208 xfrm_pol_hold(ret); 3209 3210 read_unlock_bh(&net->xfrm.xfrm_policy_lock); 3211 3212 return ret; 3213 } 3214 3215 static int migrate_tmpl_match(const struct xfrm_migrate *m, const struct xfrm_tmpl *t) 3216 { 3217 int match = 0; 3218 3219 if (t->mode == m->mode && t->id.proto == m->proto && 3220 (m->reqid == 0 || t->reqid == m->reqid)) { 3221 switch (t->mode) { 3222 case XFRM_MODE_TUNNEL: 3223 case XFRM_MODE_BEET: 3224 if (xfrm_addr_equal(&t->id.daddr, &m->old_daddr, 3225 m->old_family) && 3226 xfrm_addr_equal(&t->saddr, &m->old_saddr, 3227 m->old_family)) { 3228 match = 1; 3229 } 3230 break; 3231 case XFRM_MODE_TRANSPORT: 3232 /* in case of transport mode, template does not store 3233 any IP addresses, hence we just compare mode and 3234 protocol */ 3235 match = 1; 3236 break; 3237 default: 3238 break; 3239 } 3240 } 3241 return match; 3242 } 3243 3244 /* update endpoint address(es) of template(s) */ 3245 static int xfrm_policy_migrate(struct xfrm_policy *pol, 3246 struct xfrm_migrate *m, int num_migrate) 3247 { 3248 struct xfrm_migrate *mp; 3249 int i, j, n = 0; 3250 3251 write_lock_bh(&pol->lock); 3252 if (unlikely(pol->walk.dead)) { 3253 /* target policy has been deleted */ 3254 write_unlock_bh(&pol->lock); 3255 return -ENOENT; 3256 } 3257 3258 for (i = 0; i < pol->xfrm_nr; i++) { 3259 for (j = 0, mp = m; j < num_migrate; j++, mp++) { 3260 if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i])) 3261 continue; 3262 n++; 3263 if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL && 3264 pol->xfrm_vec[i].mode != XFRM_MODE_BEET) 3265 continue; 3266 /* update endpoints */ 3267 memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr, 3268 sizeof(pol->xfrm_vec[i].id.daddr)); 3269 memcpy(&pol->xfrm_vec[i].saddr, &mp->new_saddr, 3270 sizeof(pol->xfrm_vec[i].saddr)); 3271 pol->xfrm_vec[i].encap_family = mp->new_family; 3272 /* flush bundles */ 3273 atomic_inc(&pol->genid); 3274 } 3275 } 3276 3277 write_unlock_bh(&pol->lock); 3278 3279 if (!n) 3280 return -ENODATA; 3281 3282 return 0; 3283 } 3284 3285 static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate) 3286 { 3287 int i, j; 3288 3289 if (num_migrate < 1 || num_migrate > XFRM_MAX_DEPTH) 3290 return -EINVAL; 3291 3292 for (i = 0; i < num_migrate; i++) { 3293 if (xfrm_addr_equal(&m[i].old_daddr, &m[i].new_daddr, 3294 m[i].old_family) && 3295 xfrm_addr_equal(&m[i].old_saddr, &m[i].new_saddr, 3296 m[i].old_family)) 3297 return -EINVAL; 3298 if (xfrm_addr_any(&m[i].new_daddr, m[i].new_family) || 3299 xfrm_addr_any(&m[i].new_saddr, m[i].new_family)) 3300 return -EINVAL; 3301 3302 /* check if there is any duplicated entry */ 3303 for (j = i + 1; j < num_migrate; j++) { 3304 if (!memcmp(&m[i].old_daddr, &m[j].old_daddr, 3305 sizeof(m[i].old_daddr)) && 3306 !memcmp(&m[i].old_saddr, &m[j].old_saddr, 3307 sizeof(m[i].old_saddr)) && 3308 m[i].proto == m[j].proto && 3309 m[i].mode == m[j].mode && 3310 m[i].reqid == m[j].reqid && 3311 m[i].old_family == m[j].old_family) 3312 return -EINVAL; 3313 } 3314 } 3315 3316 return 0; 3317 } 3318 3319 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 3320 struct xfrm_migrate *m, int num_migrate, 3321 struct xfrm_kmaddress *k, struct net *net) 3322 { 3323 int i, err, nx_cur = 0, nx_new = 0; 3324 struct xfrm_policy *pol = NULL; 3325 struct xfrm_state *x, *xc; 3326 struct xfrm_state *x_cur[XFRM_MAX_DEPTH]; 3327 struct xfrm_state *x_new[XFRM_MAX_DEPTH]; 3328 struct xfrm_migrate *mp; 3329 3330 if ((err = xfrm_migrate_check(m, num_migrate)) < 0) 3331 goto out; 3332 3333 /* Stage 1 - find policy */ 3334 if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) { 3335 err = -ENOENT; 3336 goto out; 3337 } 3338 3339 /* Stage 2 - find and update state(s) */ 3340 for (i = 0, mp = m; i < num_migrate; i++, mp++) { 3341 if ((x = xfrm_migrate_state_find(mp, net))) { 3342 x_cur[nx_cur] = x; 3343 nx_cur++; 3344 if ((xc = xfrm_state_migrate(x, mp))) { 3345 x_new[nx_new] = xc; 3346 nx_new++; 3347 } else { 3348 err = -ENODATA; 3349 goto restore_state; 3350 } 3351 } 3352 } 3353 3354 /* Stage 3 - update policy */ 3355 if ((err = xfrm_policy_migrate(pol, m, num_migrate)) < 0) 3356 goto restore_state; 3357 3358 /* Stage 4 - delete old state(s) */ 3359 if (nx_cur) { 3360 xfrm_states_put(x_cur, nx_cur); 3361 xfrm_states_delete(x_cur, nx_cur); 3362 } 3363 3364 /* Stage 5 - announce */ 3365 km_migrate(sel, dir, type, m, num_migrate, k); 3366 3367 xfrm_pol_put(pol); 3368 3369 return 0; 3370 out: 3371 return err; 3372 3373 restore_state: 3374 if (pol) 3375 xfrm_pol_put(pol); 3376 if (nx_cur) 3377 xfrm_states_put(x_cur, nx_cur); 3378 if (nx_new) 3379 xfrm_states_delete(x_new, nx_new); 3380 3381 return err; 3382 } 3383 EXPORT_SYMBOL(xfrm_migrate); 3384 #endif 3385