6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * Kazunori MIYAZAWA @USAGI
11 * Split up af-specific portion
12 * Derek Atkins <derek@ihtfp.com> Add the post_input processor
16 #include <linux/config.h>
17 #include <linux/slab.h>
18 #include <linux/kmod.h>
19 #include <linux/list.h>
20 #include <linux/spinlock.h>
21 #include <linux/workqueue.h>
22 #include <linux/notifier.h>
23 #include <linux/netdevice.h>
24 #include <linux/netfilter.h>
25 #include <linux/module.h>
29 DEFINE_MUTEX(xfrm_cfg_mutex);
30 EXPORT_SYMBOL(xfrm_cfg_mutex);
32 static DEFINE_RWLOCK(xfrm_policy_lock);
34 struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2];
35 EXPORT_SYMBOL(xfrm_policy_list);
37 static DEFINE_RWLOCK(xfrm_policy_afinfo_lock);
38 static struct xfrm_policy_afinfo *xfrm_policy_afinfo[NPROTO];
40 static kmem_cache_t *xfrm_dst_cache __read_mostly;
42 static struct work_struct xfrm_policy_gc_work;
43 static struct list_head xfrm_policy_gc_list =
44 LIST_HEAD_INIT(xfrm_policy_gc_list);
45 static DEFINE_SPINLOCK(xfrm_policy_gc_lock);
47 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
48 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
49 static struct xfrm_policy_afinfo *xfrm_policy_lock_afinfo(unsigned int family);
50 static void xfrm_policy_unlock_afinfo(struct xfrm_policy_afinfo *afinfo);
52 int xfrm_register_type(struct xfrm_type *type, unsigned short family)
54 struct xfrm_policy_afinfo *afinfo = xfrm_policy_lock_afinfo(family);
55 struct xfrm_type **typemap;
58 if (unlikely(afinfo == NULL))
60 typemap = afinfo->type_map;
62 if (likely(typemap[type->proto] == NULL))
63 typemap[type->proto] = type;
66 xfrm_policy_unlock_afinfo(afinfo);
69 EXPORT_SYMBOL(xfrm_register_type);
71 int xfrm_unregister_type(struct xfrm_type *type, unsigned short family)
73 struct xfrm_policy_afinfo *afinfo = xfrm_policy_lock_afinfo(family);
74 struct xfrm_type **typemap;
77 if (unlikely(afinfo == NULL))
79 typemap = afinfo->type_map;
81 if (unlikely(typemap[type->proto] != type))
84 typemap[type->proto] = NULL;
85 xfrm_policy_unlock_afinfo(afinfo);
88 EXPORT_SYMBOL(xfrm_unregister_type);
90 struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
92 struct xfrm_policy_afinfo *afinfo;
93 struct xfrm_type **typemap;
94 struct xfrm_type *type;
95 int modload_attempted = 0;
98 afinfo = xfrm_policy_get_afinfo(family);
99 if (unlikely(afinfo == NULL))
101 typemap = afinfo->type_map;
103 type = typemap[proto];
104 if (unlikely(type && !try_module_get(type->owner)))
106 if (!type && !modload_attempted) {
107 xfrm_policy_put_afinfo(afinfo);
108 request_module("xfrm-type-%d-%d",
109 (int) family, (int) proto);
110 modload_attempted = 1;
114 xfrm_policy_put_afinfo(afinfo);
118 int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl,
119 unsigned short family)
121 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
124 if (unlikely(afinfo == NULL))
125 return -EAFNOSUPPORT;
127 if (likely(afinfo->dst_lookup != NULL))
128 err = afinfo->dst_lookup(dst, fl);
131 xfrm_policy_put_afinfo(afinfo);
134 EXPORT_SYMBOL(xfrm_dst_lookup);
136 void xfrm_put_type(struct xfrm_type *type)
138 module_put(type->owner);
141 static inline unsigned long make_jiffies(long secs)
143 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
144 return MAX_SCHEDULE_TIMEOUT-1;
149 static void xfrm_policy_timer(unsigned long data)
151 struct xfrm_policy *xp = (struct xfrm_policy*)data;
152 unsigned long now = (unsigned long)xtime.tv_sec;
153 long next = LONG_MAX;
157 read_lock(&xp->lock);
162 dir = xfrm_policy_id2dir(xp->index);
164 if (xp->lft.hard_add_expires_seconds) {
165 long tmo = xp->lft.hard_add_expires_seconds +
166 xp->curlft.add_time - now;
172 if (xp->lft.hard_use_expires_seconds) {
173 long tmo = xp->lft.hard_use_expires_seconds +
174 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
180 if (xp->lft.soft_add_expires_seconds) {
181 long tmo = xp->lft.soft_add_expires_seconds +
182 xp->curlft.add_time - now;
185 tmo = XFRM_KM_TIMEOUT;
190 if (xp->lft.soft_use_expires_seconds) {
191 long tmo = xp->lft.soft_use_expires_seconds +
192 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
195 tmo = XFRM_KM_TIMEOUT;
202 km_policy_expired(xp, dir, 0, 0);
203 if (next != LONG_MAX &&
204 !mod_timer(&xp->timer, jiffies + make_jiffies(next)))
208 read_unlock(&xp->lock);
213 read_unlock(&xp->lock);
214 if (!xfrm_policy_delete(xp, dir))
215 km_policy_expired(xp, dir, 1, 0);
220 /* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
224 struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp)
226 struct xfrm_policy *policy;
228 policy = kmalloc(sizeof(struct xfrm_policy), gfp);
231 memset(policy, 0, sizeof(struct xfrm_policy));
232 atomic_set(&policy->refcnt, 1);
233 rwlock_init(&policy->lock);
234 init_timer(&policy->timer);
235 policy->timer.data = (unsigned long)policy;
236 policy->timer.function = xfrm_policy_timer;
240 EXPORT_SYMBOL(xfrm_policy_alloc);
242 /* Destroy xfrm_policy: descendant resources must be released to this moment. */
244 void __xfrm_policy_destroy(struct xfrm_policy *policy)
246 BUG_ON(!policy->dead);
248 BUG_ON(policy->bundles);
250 if (del_timer(&policy->timer))
253 security_xfrm_policy_free(policy);
256 EXPORT_SYMBOL(__xfrm_policy_destroy);
258 static void xfrm_policy_gc_kill(struct xfrm_policy *policy)
260 struct dst_entry *dst;
262 while ((dst = policy->bundles) != NULL) {
263 policy->bundles = dst->next;
267 if (del_timer(&policy->timer))
268 atomic_dec(&policy->refcnt);
270 if (atomic_read(&policy->refcnt) > 1)
273 xfrm_pol_put(policy);
276 static void xfrm_policy_gc_task(void *data)
278 struct xfrm_policy *policy;
279 struct list_head *entry, *tmp;
280 struct list_head gc_list = LIST_HEAD_INIT(gc_list);
282 spin_lock_bh(&xfrm_policy_gc_lock);
283 list_splice_init(&xfrm_policy_gc_list, &gc_list);
284 spin_unlock_bh(&xfrm_policy_gc_lock);
286 list_for_each_safe(entry, tmp, &gc_list) {
287 policy = list_entry(entry, struct xfrm_policy, list);
288 xfrm_policy_gc_kill(policy);
292 /* Rule must be locked. Release descentant resources, announce
293 * entry dead. The rule must be unlinked from lists to the moment.
296 static void xfrm_policy_kill(struct xfrm_policy *policy)
300 write_lock_bh(&policy->lock);
303 write_unlock_bh(&policy->lock);
305 if (unlikely(dead)) {
310 spin_lock(&xfrm_policy_gc_lock);
311 list_add(&policy->list, &xfrm_policy_gc_list);
312 spin_unlock(&xfrm_policy_gc_lock);
314 schedule_work(&xfrm_policy_gc_work);
317 /* Generate new index... KAME seems to generate them ordered by cost
318 * of an absolute inpredictability of ordering of rules. This will not pass. */
319 static u32 xfrm_gen_index(int dir)
322 struct xfrm_policy *p;
323 static u32 idx_generator;
326 idx = (idx_generator | dir);
330 for (p = xfrm_policy_list[dir]; p; p = p->next) {
339 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
341 struct xfrm_policy *pol, **p;
342 struct xfrm_policy *delpol = NULL;
343 struct xfrm_policy **newpos = NULL;
344 struct dst_entry *gc_list;
346 write_lock_bh(&xfrm_policy_lock);
347 for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL;) {
348 if (!delpol && memcmp(&policy->selector, &pol->selector, sizeof(pol->selector)) == 0 &&
349 xfrm_sec_ctx_match(pol->security, policy->security)) {
351 write_unlock_bh(&xfrm_policy_lock);
356 if (policy->priority > pol->priority)
358 } else if (policy->priority >= pol->priority) {
370 xfrm_pol_hold(policy);
373 atomic_inc(&flow_cache_genid);
374 policy->index = delpol ? delpol->index : xfrm_gen_index(dir);
375 policy->curlft.add_time = (unsigned long)xtime.tv_sec;
376 policy->curlft.use_time = 0;
377 if (!mod_timer(&policy->timer, jiffies + HZ))
378 xfrm_pol_hold(policy);
379 write_unlock_bh(&xfrm_policy_lock);
382 xfrm_policy_kill(delpol);
384 read_lock_bh(&xfrm_policy_lock);
386 for (policy = policy->next; policy; policy = policy->next) {
387 struct dst_entry *dst;
389 write_lock(&policy->lock);
390 dst = policy->bundles;
392 struct dst_entry *tail = dst;
395 tail->next = gc_list;
398 policy->bundles = NULL;
400 write_unlock(&policy->lock);
402 read_unlock_bh(&xfrm_policy_lock);
405 struct dst_entry *dst = gc_list;
413 EXPORT_SYMBOL(xfrm_policy_insert);
415 struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel,
416 struct xfrm_sec_ctx *ctx, int delete)
418 struct xfrm_policy *pol, **p;
420 write_lock_bh(&xfrm_policy_lock);
421 for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL; p = &pol->next) {
422 if ((memcmp(sel, &pol->selector, sizeof(*sel)) == 0) &&
423 (xfrm_sec_ctx_match(ctx, pol->security))) {
430 write_unlock_bh(&xfrm_policy_lock);
433 atomic_inc(&flow_cache_genid);
434 xfrm_policy_kill(pol);
438 EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
440 struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete)
442 struct xfrm_policy *pol, **p;
444 write_lock_bh(&xfrm_policy_lock);
445 for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL; p = &pol->next) {
446 if (pol->index == id) {
453 write_unlock_bh(&xfrm_policy_lock);
456 atomic_inc(&flow_cache_genid);
457 xfrm_policy_kill(pol);
461 EXPORT_SYMBOL(xfrm_policy_byid);
463 void xfrm_policy_flush(void)
465 struct xfrm_policy *xp;
468 write_lock_bh(&xfrm_policy_lock);
469 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
470 while ((xp = xfrm_policy_list[dir]) != NULL) {
471 xfrm_policy_list[dir] = xp->next;
472 write_unlock_bh(&xfrm_policy_lock);
474 xfrm_policy_kill(xp);
476 write_lock_bh(&xfrm_policy_lock);
479 atomic_inc(&flow_cache_genid);
480 write_unlock_bh(&xfrm_policy_lock);
482 EXPORT_SYMBOL(xfrm_policy_flush);
484 int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*),
487 struct xfrm_policy *xp;
492 read_lock_bh(&xfrm_policy_lock);
493 for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
494 for (xp = xfrm_policy_list[dir]; xp; xp = xp->next)
503 for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
504 for (xp = xfrm_policy_list[dir]; xp; xp = xp->next) {
505 error = func(xp, dir%XFRM_POLICY_MAX, --count, data);
512 read_unlock_bh(&xfrm_policy_lock);
515 EXPORT_SYMBOL(xfrm_policy_walk);
517 /* Find policy to apply to this flow. */
519 static void xfrm_policy_lookup(struct flowi *fl, u32 sk_sid, u16 family, u8 dir,
520 void **objp, atomic_t **obj_refp)
522 struct xfrm_policy *pol;
524 read_lock_bh(&xfrm_policy_lock);
525 for (pol = xfrm_policy_list[dir]; pol; pol = pol->next) {
526 struct xfrm_selector *sel = &pol->selector;
529 if (pol->family != family)
532 match = xfrm_selector_match(sel, fl, family);
535 if (!security_xfrm_policy_lookup(pol, sk_sid, dir)) {
541 read_unlock_bh(&xfrm_policy_lock);
542 if ((*objp = (void *) pol) != NULL)
543 *obj_refp = &pol->refcnt;
546 static inline int policy_to_flow_dir(int dir)
548 if (XFRM_POLICY_IN == FLOW_DIR_IN &&
549 XFRM_POLICY_OUT == FLOW_DIR_OUT &&
550 XFRM_POLICY_FWD == FLOW_DIR_FWD)
556 case XFRM_POLICY_OUT:
558 case XFRM_POLICY_FWD:
563 static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl, u32 sk_sid)
565 struct xfrm_policy *pol;
567 read_lock_bh(&xfrm_policy_lock);
568 if ((pol = sk->sk_policy[dir]) != NULL) {
569 int match = xfrm_selector_match(&pol->selector, fl,
574 err = security_xfrm_policy_lookup(pol, sk_sid, policy_to_flow_dir(dir));
581 read_unlock_bh(&xfrm_policy_lock);
585 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
587 pol->next = xfrm_policy_list[dir];
588 xfrm_policy_list[dir] = pol;
592 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
595 struct xfrm_policy **polp;
597 for (polp = &xfrm_policy_list[dir];
598 *polp != NULL; polp = &(*polp)->next) {
607 int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
609 write_lock_bh(&xfrm_policy_lock);
610 pol = __xfrm_policy_unlink(pol, dir);
611 write_unlock_bh(&xfrm_policy_lock);
613 if (dir < XFRM_POLICY_MAX)
614 atomic_inc(&flow_cache_genid);
615 xfrm_policy_kill(pol);
620 EXPORT_SYMBOL(xfrm_policy_delete);
622 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
624 struct xfrm_policy *old_pol;
626 write_lock_bh(&xfrm_policy_lock);
627 old_pol = sk->sk_policy[dir];
628 sk->sk_policy[dir] = pol;
630 pol->curlft.add_time = (unsigned long)xtime.tv_sec;
631 pol->index = xfrm_gen_index(XFRM_POLICY_MAX+dir);
632 __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir);
635 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
636 write_unlock_bh(&xfrm_policy_lock);
639 xfrm_policy_kill(old_pol);
644 static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir)
646 struct xfrm_policy *newp = xfrm_policy_alloc(GFP_ATOMIC);
649 newp->selector = old->selector;
650 if (security_xfrm_policy_clone(old, newp)) {
652 return NULL; /* ENOMEM */
654 newp->lft = old->lft;
655 newp->curlft = old->curlft;
656 newp->action = old->action;
657 newp->flags = old->flags;
658 newp->xfrm_nr = old->xfrm_nr;
659 newp->index = old->index;
660 memcpy(newp->xfrm_vec, old->xfrm_vec,
661 newp->xfrm_nr*sizeof(struct xfrm_tmpl));
662 write_lock_bh(&xfrm_policy_lock);
663 __xfrm_policy_link(newp, XFRM_POLICY_MAX+dir);
664 write_unlock_bh(&xfrm_policy_lock);
670 int __xfrm_sk_clone_policy(struct sock *sk)
672 struct xfrm_policy *p0 = sk->sk_policy[0],
673 *p1 = sk->sk_policy[1];
675 sk->sk_policy[0] = sk->sk_policy[1] = NULL;
676 if (p0 && (sk->sk_policy[0] = clone_policy(p0, 0)) == NULL)
678 if (p1 && (sk->sk_policy[1] = clone_policy(p1, 1)) == NULL)
683 /* Resolve list of templates for the flow, given policy. */
686 xfrm_tmpl_resolve(struct xfrm_policy *policy, struct flowi *fl,
687 struct xfrm_state **xfrm,
688 unsigned short family)
692 xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
693 xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
695 for (nx=0, i = 0; i < policy->xfrm_nr; i++) {
696 struct xfrm_state *x;
697 xfrm_address_t *remote = daddr;
698 xfrm_address_t *local = saddr;
699 struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
702 remote = &tmpl->id.daddr;
703 local = &tmpl->saddr;
706 x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
708 if (x && x->km.state == XFRM_STATE_VALID) {
715 error = (x->km.state == XFRM_STATE_ERROR ?
726 for (nx--; nx>=0; nx--)
727 xfrm_state_put(xfrm[nx]);
731 /* Check that the bundle accepts the flow and its components are
735 static struct dst_entry *
736 xfrm_find_bundle(struct flowi *fl, struct xfrm_policy *policy, unsigned short family)
739 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
740 if (unlikely(afinfo == NULL))
741 return ERR_PTR(-EINVAL);
742 x = afinfo->find_bundle(fl, policy);
743 xfrm_policy_put_afinfo(afinfo);
747 /* Allocate chain of dst_entry's, attach known xfrm's, calculate
748 * all the metrics... Shortly, bundle a bundle.
752 xfrm_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int nx,
753 struct flowi *fl, struct dst_entry **dst_p,
754 unsigned short family)
757 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
758 if (unlikely(afinfo == NULL))
760 err = afinfo->bundle_create(policy, xfrm, nx, fl, dst_p);
761 xfrm_policy_put_afinfo(afinfo);
766 static int stale_bundle(struct dst_entry *dst);
768 /* Main function: finds/creates a bundle for given flow.
770 * At the moment we eat a raw IP route. Mostly to speed up lookups
771 * on interfaces with disabled IPsec.
773 int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
774 struct sock *sk, int flags)
776 struct xfrm_policy *policy;
777 struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
778 struct dst_entry *dst, *dst_orig = *dst_p;
783 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
784 u32 sk_sid = security_sk_sid(sk, fl, dir);
786 genid = atomic_read(&flow_cache_genid);
788 if (sk && sk->sk_policy[1])
789 policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl, sk_sid);
792 /* To accelerate a bit... */
793 if ((dst_orig->flags & DST_NOXFRM) || !xfrm_policy_list[XFRM_POLICY_OUT])
796 policy = flow_cache_lookup(fl, sk_sid, dst_orig->ops->family,
797 dir, xfrm_policy_lookup);
803 family = dst_orig->ops->family;
804 policy->curlft.use_time = (unsigned long)xtime.tv_sec;
806 switch (policy->action) {
807 case XFRM_POLICY_BLOCK:
808 /* Prohibit the flow */
812 case XFRM_POLICY_ALLOW:
813 if (policy->xfrm_nr == 0) {
814 /* Flow passes not transformed. */
815 xfrm_pol_put(policy);
819 /* Try to find matching bundle.
821 * LATER: help from flow cache. It is optional, this
822 * is required only for output policy.
824 dst = xfrm_find_bundle(fl, policy, family);
833 nx = xfrm_tmpl_resolve(policy, fl, xfrm, family);
835 if (unlikely(nx<0)) {
837 if (err == -EAGAIN && flags) {
838 DECLARE_WAITQUEUE(wait, current);
840 add_wait_queue(&km_waitq, &wait);
841 set_current_state(TASK_INTERRUPTIBLE);
843 set_current_state(TASK_RUNNING);
844 remove_wait_queue(&km_waitq, &wait);
846 nx = xfrm_tmpl_resolve(policy, fl, xfrm, family);
848 if (nx == -EAGAIN && signal_pending(current)) {
853 genid != atomic_read(&flow_cache_genid)) {
854 xfrm_pol_put(policy);
863 /* Flow passes not transformed. */
864 xfrm_pol_put(policy);
869 err = xfrm_bundle_create(policy, xfrm, nx, fl, &dst, family);
874 xfrm_state_put(xfrm[i]);
878 write_lock_bh(&policy->lock);
879 if (unlikely(policy->dead || stale_bundle(dst))) {
880 /* Wow! While we worked on resolving, this
881 * policy has gone. Retry. It is not paranoia,
882 * we just cannot enlist new bundle to dead object.
883 * We can't enlist stable bundles either.
885 write_unlock_bh(&policy->lock);
892 dst->next = policy->bundles;
893 policy->bundles = dst;
895 write_unlock_bh(&policy->lock);
898 dst_release(dst_orig);
899 xfrm_pol_put(policy);
903 dst_release(dst_orig);
904 xfrm_pol_put(policy);
908 EXPORT_SYMBOL(xfrm_lookup);
910 /* When skb is transformed back to its "native" form, we have to
911 * check policy restrictions. At the moment we make this in maximally
912 * stupid way. Shame on me. :-) Of course, connected sockets must
913 * have policy cached at them.
917 xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
918 unsigned short family)
920 if (xfrm_state_kern(x))
921 return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, family);
922 return x->id.proto == tmpl->id.proto &&
923 (x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
924 (x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
925 x->props.mode == tmpl->mode &&
926 (tmpl->aalgos & (1<<x->props.aalgo)) &&
927 !(x->props.mode && xfrm_state_addr_cmp(tmpl, x, family));
931 xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
932 unsigned short family)
936 if (tmpl->optional) {
941 for (; idx < sp->len; idx++) {
942 if (xfrm_state_ok(tmpl, sp->xvec[idx], family))
944 if (sp->xvec[idx]->props.mode)
951 xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
953 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
955 if (unlikely(afinfo == NULL))
956 return -EAFNOSUPPORT;
958 afinfo->decode_session(skb, fl);
959 xfrm_policy_put_afinfo(afinfo);
962 EXPORT_SYMBOL(xfrm_decode_session);
964 static inline int secpath_has_tunnel(struct sec_path *sp, int k)
966 for (; k < sp->len; k++) {
967 if (sp->xvec[k]->props.mode)
974 int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
975 unsigned short family)
977 struct xfrm_policy *pol;
979 u8 fl_dir = policy_to_flow_dir(dir);
982 if (xfrm_decode_session(skb, &fl, family) < 0)
984 nf_nat_decode_session(skb, &fl, family);
986 sk_sid = security_sk_sid(sk, &fl, fl_dir);
988 /* First, check used SA against their selectors. */
992 for (i=skb->sp->len-1; i>=0; i--) {
993 struct xfrm_state *x = skb->sp->xvec[i];
994 if (!xfrm_selector_match(&x->sel, &fl, family))
1000 if (sk && sk->sk_policy[dir])
1001 pol = xfrm_sk_policy_lookup(sk, dir, &fl, sk_sid);
1004 pol = flow_cache_lookup(&fl, sk_sid, family, fl_dir,
1005 xfrm_policy_lookup);
1008 return !skb->sp || !secpath_has_tunnel(skb->sp, 0);
1010 pol->curlft.use_time = (unsigned long)xtime.tv_sec;
1012 if (pol->action == XFRM_POLICY_ALLOW) {
1013 struct sec_path *sp;
1014 static struct sec_path dummy;
1017 if ((sp = skb->sp) == NULL)
1020 /* For each tunnel xfrm, find the first matching tmpl.
1021 * For each tmpl before that, find corresponding xfrm.
1022 * Order is _important_. Later we will implement
1023 * some barriers, but at the moment barriers
1024 * are implied between each two transformations.
1026 for (i = pol->xfrm_nr-1, k = 0; i >= 0; i--) {
1027 k = xfrm_policy_ok(pol->xfrm_vec+i, sp, k, family);
1032 if (secpath_has_tunnel(sp, k))
1043 EXPORT_SYMBOL(__xfrm_policy_check);
1045 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1049 if (xfrm_decode_session(skb, &fl, family) < 0)
1052 return xfrm_lookup(&skb->dst, &fl, NULL, 0) == 0;
1054 EXPORT_SYMBOL(__xfrm_route_forward);
1056 static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
1058 /* If it is marked obsolete, which is how we even get here,
1059 * then we have purged it from the policy bundle list and we
1060 * did that for a good reason.
1065 static int stale_bundle(struct dst_entry *dst)
1067 return !xfrm_bundle_ok((struct xfrm_dst *)dst, NULL, AF_UNSPEC);
1070 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
1072 while ((dst = dst->child) && dst->xfrm && dst->dev == dev) {
1073 dst->dev = &loopback_dev;
1074 dev_hold(&loopback_dev);
1078 EXPORT_SYMBOL(xfrm_dst_ifdown);
1080 static void xfrm_link_failure(struct sk_buff *skb)
1082 /* Impossible. Such dst must be popped before reaches point of failure. */
1086 static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
1089 if (dst->obsolete) {
1097 static void xfrm_prune_bundles(int (*func)(struct dst_entry *))
1100 struct xfrm_policy *pol;
1101 struct dst_entry *dst, **dstp, *gc_list = NULL;
1103 read_lock_bh(&xfrm_policy_lock);
1104 for (i=0; i<2*XFRM_POLICY_MAX; i++) {
1105 for (pol = xfrm_policy_list[i]; pol; pol = pol->next) {
1106 write_lock(&pol->lock);
1107 dstp = &pol->bundles;
1108 while ((dst=*dstp) != NULL) {
1111 dst->next = gc_list;
1117 write_unlock(&pol->lock);
1120 read_unlock_bh(&xfrm_policy_lock);
1124 gc_list = dst->next;
1129 static int unused_bundle(struct dst_entry *dst)
1131 return !atomic_read(&dst->__refcnt);
1134 static void __xfrm_garbage_collect(void)
1136 xfrm_prune_bundles(unused_bundle);
1139 int xfrm_flush_bundles(void)
1141 xfrm_prune_bundles(stale_bundle);
1145 static int always_true(struct dst_entry *dst)
1150 void xfrm_flush_all_bundles(void)
1152 xfrm_prune_bundles(always_true);
1155 void xfrm_init_pmtu(struct dst_entry *dst)
1158 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
1159 u32 pmtu, route_mtu_cached;
1161 pmtu = dst_mtu(dst->child);
1162 xdst->child_mtu_cached = pmtu;
1164 pmtu = xfrm_state_mtu(dst->xfrm, pmtu);
1166 route_mtu_cached = dst_mtu(xdst->route);
1167 xdst->route_mtu_cached = route_mtu_cached;
1169 if (pmtu > route_mtu_cached)
1170 pmtu = route_mtu_cached;
1172 dst->metrics[RTAX_MTU-1] = pmtu;
1173 } while ((dst = dst->next));
1176 EXPORT_SYMBOL(xfrm_init_pmtu);
1178 /* Check that the bundle accepts the flow and its components are
1182 int xfrm_bundle_ok(struct xfrm_dst *first, struct flowi *fl, int family)
1184 struct dst_entry *dst = &first->u.dst;
1185 struct xfrm_dst *last;
1188 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
1189 (dst->dev && !netif_running(dst->dev)))
1195 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
1197 if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
1199 if (dst->xfrm->km.state != XFRM_STATE_VALID)
1202 mtu = dst_mtu(dst->child);
1203 if (xdst->child_mtu_cached != mtu) {
1205 xdst->child_mtu_cached = mtu;
1208 if (!dst_check(xdst->route, xdst->route_cookie))
1210 mtu = dst_mtu(xdst->route);
1211 if (xdst->route_mtu_cached != mtu) {
1213 xdst->route_mtu_cached = mtu;
1217 } while (dst->xfrm);
1222 mtu = last->child_mtu_cached;
1226 mtu = xfrm_state_mtu(dst->xfrm, mtu);
1227 if (mtu > last->route_mtu_cached)
1228 mtu = last->route_mtu_cached;
1229 dst->metrics[RTAX_MTU-1] = mtu;
1234 last = last->u.next;
1235 last->child_mtu_cached = mtu;
1241 EXPORT_SYMBOL(xfrm_bundle_ok);
1243 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
1246 if (unlikely(afinfo == NULL))
1248 if (unlikely(afinfo->family >= NPROTO))
1249 return -EAFNOSUPPORT;
1250 write_lock_bh(&xfrm_policy_afinfo_lock);
1251 if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL))
1254 struct dst_ops *dst_ops = afinfo->dst_ops;
1255 if (likely(dst_ops->kmem_cachep == NULL))
1256 dst_ops->kmem_cachep = xfrm_dst_cache;
1257 if (likely(dst_ops->check == NULL))
1258 dst_ops->check = xfrm_dst_check;
1259 if (likely(dst_ops->negative_advice == NULL))
1260 dst_ops->negative_advice = xfrm_negative_advice;
1261 if (likely(dst_ops->link_failure == NULL))
1262 dst_ops->link_failure = xfrm_link_failure;
1263 if (likely(afinfo->garbage_collect == NULL))
1264 afinfo->garbage_collect = __xfrm_garbage_collect;
1265 xfrm_policy_afinfo[afinfo->family] = afinfo;
1267 write_unlock_bh(&xfrm_policy_afinfo_lock);
1270 EXPORT_SYMBOL(xfrm_policy_register_afinfo);
1272 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
1275 if (unlikely(afinfo == NULL))
1277 if (unlikely(afinfo->family >= NPROTO))
1278 return -EAFNOSUPPORT;
1279 write_lock_bh(&xfrm_policy_afinfo_lock);
1280 if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) {
1281 if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo))
1284 struct dst_ops *dst_ops = afinfo->dst_ops;
1285 xfrm_policy_afinfo[afinfo->family] = NULL;
1286 dst_ops->kmem_cachep = NULL;
1287 dst_ops->check = NULL;
1288 dst_ops->negative_advice = NULL;
1289 dst_ops->link_failure = NULL;
1290 afinfo->garbage_collect = NULL;
1293 write_unlock_bh(&xfrm_policy_afinfo_lock);
1296 EXPORT_SYMBOL(xfrm_policy_unregister_afinfo);
1298 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)
1300 struct xfrm_policy_afinfo *afinfo;
1301 if (unlikely(family >= NPROTO))
1303 read_lock(&xfrm_policy_afinfo_lock);
1304 afinfo = xfrm_policy_afinfo[family];
1305 if (unlikely(!afinfo))
1306 read_unlock(&xfrm_policy_afinfo_lock);
1310 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo)
1312 read_unlock(&xfrm_policy_afinfo_lock);
1315 static struct xfrm_policy_afinfo *xfrm_policy_lock_afinfo(unsigned int family)
1317 struct xfrm_policy_afinfo *afinfo;
1318 if (unlikely(family >= NPROTO))
1320 write_lock_bh(&xfrm_policy_afinfo_lock);
1321 afinfo = xfrm_policy_afinfo[family];
1322 if (unlikely(!afinfo))
1323 write_unlock_bh(&xfrm_policy_afinfo_lock);
1327 static void xfrm_policy_unlock_afinfo(struct xfrm_policy_afinfo *afinfo)
1329 write_unlock_bh(&xfrm_policy_afinfo_lock);
1332 static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr)
1336 xfrm_flush_bundles();
1341 static struct notifier_block xfrm_dev_notifier = {
1347 static void __init xfrm_policy_init(void)
1349 xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache",
1350 sizeof(struct xfrm_dst),
1351 0, SLAB_HWCACHE_ALIGN,
1353 if (!xfrm_dst_cache)
1354 panic("XFRM: failed to allocate xfrm_dst_cache\n");
1356 INIT_WORK(&xfrm_policy_gc_work, xfrm_policy_gc_task, NULL);
1357 register_netdevice_notifier(&xfrm_dev_notifier);
1360 void __init xfrm_init(void)