4 #include <linux/compiler.h>
6 #include <linux/xfrm.h>
7 #include <linux/spinlock.h>
8 #include <linux/list.h>
9 #include <linux/skbuff.h>
10 #include <linux/socket.h>
11 #include <linux/pfkeyv2.h>
12 #include <linux/ipsec.h>
13 #include <linux/in6.h>
14 #include <linux/mutex.h>
18 #include <net/route.h>
20 #include <net/ip6_fib.h>
22 #define XFRM_ALIGN8(len) (((len) + 7) & ~7)
23 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
24 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
26 extern struct sock *xfrm_nl;
27 extern u32 sysctl_xfrm_aevent_etime;
28 extern u32 sysctl_xfrm_aevent_rseqth;
30 extern struct mutex xfrm_cfg_mutex;
32 /* Organization of SPD aka "XFRM rules"
33 ------------------------------------
36 - policy rule, struct xfrm_policy (=SPD entry)
37 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
38 - instance of a transformer, struct xfrm_state (=SA)
39 - template to clone xfrm_state, struct xfrm_tmpl
41 SPD is plain linear list of xfrm_policy rules, ordered by priority.
42 (To be compatible with existing pfkeyv2 implementations,
43 many rules with priority of 0x7fffffff are allowed to exist and
44 such rules are ordered in an unpredictable way, thanks to bsd folks.)
46 Lookup is plain linear search until the first match with selector.
48 If "action" is "block", then we prohibit the flow, otherwise:
49 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
50 policy entry has list of up to XFRM_MAX_DEPTH transformations,
51 described by templates xfrm_tmpl. Each template is resolved
52 to a complete xfrm_state (see below) and we pack bundle of transformations
53 to a dst_entry returned to requestor.
55 dst -. xfrm .-> xfrm_state #1
56 |---. child .-> dst -. xfrm .-> xfrm_state #2
57 |---. child .-> dst -. xfrm .-> xfrm_state #3
60 Bundles are cached at xrfm_policy struct (field ->bundles).
63 Resolution of xrfm_tmpl
64 -----------------------
66 1. ->mode Mode: transport or tunnel
67 2. ->id.proto Protocol: AH/ESP/IPCOMP
68 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
69 Q: allow to resolve security gateway?
70 4. ->id.spi If not zero, static SPI.
71 5. ->saddr Local tunnel endpoint, ignored for transport mode.
72 6. ->algos List of allowed algos. Plain bitmask now.
73 Q: ealgos, aalgos, calgos. What a mess...
74 7. ->share Sharing mode.
75 Q: how to implement private sharing mode? To add struct sock* to
78 Having this template we search through SAD searching for entries
79 with appropriate mode/proto/algo, permitted by selector.
80 If no appropriate entry found, it is requested from key manager.
83 Q: How to find all the bundles referring to a physical path for
84 PMTU discovery? Seems, dst should contain list of all parents...
85 and enter to infinite locking hierarchy disaster.
86 No! It is easier, we will not search for them, let them find us.
87 We add genid to each dst plus pointer to genid of raw IP route,
88 pmtu disc will update pmtu on raw IP route and increase its genid.
89 dst_check() will see this for top level and trigger resyncing
90 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
93 /* Full description of state of transformer. */
96 /* Note: bydst is re-used during gc */
97 struct list_head bydst;
98 struct list_head bysrc;
99 struct list_head byspi;
105 struct xfrm_selector sel;
107 /* Key manger bits */
114 /* Parameters of this state. */
119 u8 aalgo, ealgo, calgo;
122 xfrm_address_t saddr;
127 struct xfrm_lifetime_cfg lft;
129 /* Data for transformer */
130 struct xfrm_algo *aalg;
131 struct xfrm_algo *ealg;
132 struct xfrm_algo *calg;
134 /* Data for encapsulator */
135 struct xfrm_encap_tmpl *encap;
137 /* IPComp needs an IPIP tunnel for handling uncompressed packets */
138 struct xfrm_state *tunnel;
140 /* If a tunnel, number of users + 1 */
141 atomic_t tunnel_users;
143 /* State for replay detection */
144 struct xfrm_replay_state replay;
146 /* Replay detection state at the time we sent the last notification */
147 struct xfrm_replay_state preplay;
149 /* internal flag that only holds state for delayed aevent at the
154 /* Replay detection notification settings */
158 /* Replay detection notification timer */
159 struct timer_list rtimer;
162 struct xfrm_stats stats;
164 struct xfrm_lifetime_cur curlft;
165 struct timer_list timer;
167 /* Reference to data common to all the instances of this
169 struct xfrm_type *type;
170 struct xfrm_mode *mode;
172 /* Security context */
173 struct xfrm_sec_ctx *security;
175 /* Private data of this transformer, format is opaque,
176 * interpreted by xfrm_type methods. */
180 /* xflags - make enum if more show up */
181 #define XFRM_TIME_DEFER 1
192 /* callback structure passed from either netlink or pfkey */
209 struct xfrm_policy_afinfo {
210 unsigned short family;
211 struct xfrm_type *type_map[IPPROTO_MAX];
212 struct xfrm_mode *mode_map[XFRM_MODE_MAX];
213 struct dst_ops *dst_ops;
214 void (*garbage_collect)(void);
215 int (*dst_lookup)(struct xfrm_dst **dst, struct flowi *fl);
216 struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
217 int (*bundle_create)(struct xfrm_policy *policy,
218 struct xfrm_state **xfrm,
221 struct dst_entry **dst_p);
222 void (*decode_session)(struct sk_buff *skb,
226 extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
227 extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
228 extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
229 extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
230 #define XFRM_ACQ_EXPIRES 30
233 extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
234 extern void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
235 extern int __xfrm_state_delete(struct xfrm_state *x);
237 struct xfrm_state_afinfo {
238 unsigned short family;
239 struct list_head *state_bydst;
240 struct list_head *state_bysrc;
241 struct list_head *state_byspi;
242 int (*init_flags)(struct xfrm_state *x);
243 void (*init_tempsel)(struct xfrm_state *x, struct flowi *fl,
244 struct xfrm_tmpl *tmpl,
245 xfrm_address_t *daddr, xfrm_address_t *saddr);
246 struct xfrm_state *(*state_lookup)(xfrm_address_t *daddr, u32 spi, u8 proto);
247 struct xfrm_state *(*find_acq)(u8 mode, u32 reqid, u8 proto,
248 xfrm_address_t *daddr, xfrm_address_t *saddr,
252 extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
253 extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
255 extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
260 struct module *owner;
263 int (*init_state)(struct xfrm_state *x);
264 void (*destructor)(struct xfrm_state *);
265 int (*input)(struct xfrm_state *, struct sk_buff *skb);
266 int (*output)(struct xfrm_state *, struct sk_buff *pskb);
267 /* Estimate maximal size of result of transformation of a dgram */
268 u32 (*get_max_size)(struct xfrm_state *, int size);
271 extern int xfrm_register_type(struct xfrm_type *type, unsigned short family);
272 extern int xfrm_unregister_type(struct xfrm_type *type, unsigned short family);
273 extern struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family);
274 extern void xfrm_put_type(struct xfrm_type *type);
277 int (*input)(struct xfrm_state *x, struct sk_buff *skb);
278 int (*output)(struct sk_buff *skb);
280 struct module *owner;
284 extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
285 extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
286 extern struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family);
287 extern void xfrm_put_mode(struct xfrm_mode *mode);
291 /* id in template is interpreted as:
292 * daddr - destination of tunnel, may be zero for transport mode.
293 * spi - zero to acquire spi. Not zero if spi is static, then
294 * daddr must be fixed too.
295 * proto - AH/ESP/IPCOMP
299 /* Source address of tunnel. Ignored, if it is not a tunnel. */
300 xfrm_address_t saddr;
304 /* Mode: transport, tunnel etc. */
307 /* Sharing mode: unique, this session only, this user only etc. */
310 /* May skip this transfomration if no SA is found */
313 /* Bit mask of algos allowed for acquisition */
319 #define XFRM_MAX_DEPTH 6
323 struct xfrm_policy *next;
324 struct list_head list;
326 /* This lock only affects elements except for entry. */
329 struct timer_list timer;
333 struct xfrm_selector selector;
334 struct xfrm_lifetime_cfg lft;
335 struct xfrm_lifetime_cur curlft;
336 struct dst_entry *bundles;
342 struct xfrm_sec_ctx *security;
343 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
346 #define XFRM_KM_TIMEOUT 30
348 #define XFRM_REPLAY_SEQ 1
349 #define XFRM_REPLAY_OSEQ 2
350 #define XFRM_REPLAY_SEQ_MASK 3
352 #define XFRM_REPLAY_UPDATE XFRM_AE_CR
353 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
355 /* default aevent timeout in units of 100ms */
356 #define XFRM_AE_ETIME 10
357 /* Async Event timer multiplier */
358 #define XFRM_AE_ETH_M 10
359 /* default seq threshold size */
360 #define XFRM_AE_SEQT_SIZE 2
364 struct list_head list;
366 int (*notify)(struct xfrm_state *x, struct km_event *c);
367 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir);
368 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
369 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport);
370 int (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c);
373 extern int xfrm_register_km(struct xfrm_mgr *km);
374 extern int xfrm_unregister_km(struct xfrm_mgr *km);
377 extern struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2];
379 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
381 if (likely(policy != NULL))
382 atomic_inc(&policy->refcnt);
385 extern void __xfrm_policy_destroy(struct xfrm_policy *policy);
387 static inline void xfrm_pol_put(struct xfrm_policy *policy)
389 if (atomic_dec_and_test(&policy->refcnt))
390 __xfrm_policy_destroy(policy);
393 #define XFRM_DST_HSIZE 1024
396 unsigned __xfrm4_dst_hash(xfrm_address_t *addr)
400 h = (h ^ (h>>16)) % XFRM_DST_HSIZE;
405 unsigned __xfrm6_dst_hash(xfrm_address_t *addr)
408 h = ntohl(addr->a6[2]^addr->a6[3]);
409 h = (h ^ (h>>16)) % XFRM_DST_HSIZE;
414 unsigned xfrm_dst_hash(xfrm_address_t *addr, unsigned short family)
418 return __xfrm4_dst_hash(addr);
420 return __xfrm6_dst_hash(addr);
426 unsigned __xfrm4_src_hash(xfrm_address_t *addr)
428 return __xfrm4_dst_hash(addr);
432 unsigned __xfrm6_src_hash(xfrm_address_t *addr)
434 return __xfrm6_dst_hash(addr);
438 unsigned xfrm_src_hash(xfrm_address_t *addr, unsigned short family)
442 return __xfrm4_src_hash(addr);
444 return __xfrm6_src_hash(addr);
450 unsigned __xfrm4_spi_hash(xfrm_address_t *addr, u32 spi, u8 proto)
453 h = ntohl(addr->a4^spi^proto);
454 h = (h ^ (h>>10) ^ (h>>20)) % XFRM_DST_HSIZE;
459 unsigned __xfrm6_spi_hash(xfrm_address_t *addr, u32 spi, u8 proto)
462 h = ntohl(addr->a6[2]^addr->a6[3]^spi^proto);
463 h = (h ^ (h>>10) ^ (h>>20)) % XFRM_DST_HSIZE;
468 unsigned xfrm_spi_hash(xfrm_address_t *addr, u32 spi, u8 proto, unsigned short family)
472 return __xfrm4_spi_hash(addr, spi, proto);
474 return __xfrm6_spi_hash(addr, spi, proto);
479 extern void __xfrm_state_destroy(struct xfrm_state *);
481 static inline void __xfrm_state_put(struct xfrm_state *x)
483 atomic_dec(&x->refcnt);
486 static inline void xfrm_state_put(struct xfrm_state *x)
488 if (atomic_dec_and_test(&x->refcnt))
489 __xfrm_state_destroy(x);
492 static inline void xfrm_state_hold(struct xfrm_state *x)
494 atomic_inc(&x->refcnt);
497 static __inline__ int addr_match(void *token1, void *token2, int prefixlen)
504 pdw = prefixlen >> 5; /* num of whole __u32 in prefix */
505 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
508 if (memcmp(a1, a2, pdw << 2))
514 mask = htonl((0xffffffff) << (32 - pbi));
516 if ((a1[pdw] ^ a2[pdw]) & mask)
524 u16 xfrm_flowi_sport(struct flowi *fl)
531 port = fl->fl_ip_sport;
535 port = htons(fl->fl_icmp_type);
544 u16 xfrm_flowi_dport(struct flowi *fl)
551 port = fl->fl_ip_dport;
555 port = htons(fl->fl_icmp_code);
564 __xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl)
566 return addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) &&
567 addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) &&
568 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
569 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
570 (fl->proto == sel->proto || !sel->proto) &&
571 (fl->oif == sel->ifindex || !sel->ifindex);
575 __xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl)
577 return addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) &&
578 addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) &&
579 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
580 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
581 (fl->proto == sel->proto || !sel->proto) &&
582 (fl->oif == sel->ifindex || !sel->ifindex);
586 xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
587 unsigned short family)
591 return __xfrm4_selector_match(sel, fl);
593 return __xfrm6_selector_match(sel, fl);
598 #ifdef CONFIG_SECURITY_NETWORK_XFRM
599 /* If neither has a context --> match
600 * Otherwise, both must have a context and the sids, doi, alg must match
602 static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
604 return ((!s1 && !s2) ||
606 (s1->ctx_sid == s2->ctx_sid) &&
607 (s1->ctx_doi == s2->ctx_doi) &&
608 (s1->ctx_alg == s2->ctx_alg)));
611 static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
617 /* A struct encoding bundle of transformations to apply to some set of flow.
619 * dst->child points to the next element of bundle.
620 * dst->xfrm points to an instanse of transformer.
622 * Due to unfortunate limitations of current routing cache, which we
623 * have no time to fix, it mirrors struct rtable and bound to the same
624 * routing key, including saddr,daddr. However, we can have many of
625 * bundles differing by session id. All the bundles grow from a parent
631 struct xfrm_dst *next;
632 struct dst_entry dst;
636 struct dst_entry *route;
637 u32 route_mtu_cached;
638 u32 child_mtu_cached;
643 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
645 dst_release(xdst->route);
646 if (likely(xdst->u.dst.xfrm))
647 xfrm_state_put(xdst->u.dst.xfrm);
650 extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
656 struct xfrm_state *xvec[XFRM_MAX_DEPTH];
659 static inline struct sec_path *
660 secpath_get(struct sec_path *sp)
663 atomic_inc(&sp->refcnt);
667 extern void __secpath_destroy(struct sec_path *sp);
670 secpath_put(struct sec_path *sp)
672 if (sp && atomic_dec_and_test(&sp->refcnt))
673 __secpath_destroy(sp);
676 extern struct sec_path *secpath_dup(struct sec_path *src);
679 secpath_reset(struct sk_buff *skb)
682 secpath_put(skb->sp);
688 __xfrm4_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
690 return (tmpl->saddr.a4 &&
691 tmpl->saddr.a4 != x->props.saddr.a4);
695 __xfrm6_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
697 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
698 ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
702 xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family)
706 return __xfrm4_state_addr_cmp(tmpl, x);
708 return __xfrm6_state_addr_cmp(tmpl, x);
715 extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
717 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
719 if (sk && sk->sk_policy[XFRM_POLICY_IN])
720 return __xfrm_policy_check(sk, dir, skb, family);
722 return (!xfrm_policy_list[dir] && !skb->sp) ||
723 (skb->dst->flags & DST_NOPOLICY) ||
724 __xfrm_policy_check(sk, dir, skb, family);
727 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
729 return xfrm_policy_check(sk, dir, skb, AF_INET);
732 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
734 return xfrm_policy_check(sk, dir, skb, AF_INET6);
737 extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family);
738 extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
740 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
742 return !xfrm_policy_list[XFRM_POLICY_OUT] ||
743 (skb->dst->flags & DST_NOXFRM) ||
744 __xfrm_route_forward(skb, family);
747 static inline int xfrm4_route_forward(struct sk_buff *skb)
749 return xfrm_route_forward(skb, AF_INET);
752 static inline int xfrm6_route_forward(struct sk_buff *skb)
754 return xfrm_route_forward(skb, AF_INET6);
757 extern int __xfrm_sk_clone_policy(struct sock *sk);
759 static inline int xfrm_sk_clone_policy(struct sock *sk)
761 if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
762 return __xfrm_sk_clone_policy(sk);
766 extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
768 static inline void xfrm_sk_free_policy(struct sock *sk)
770 if (unlikely(sk->sk_policy[0] != NULL)) {
771 xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
772 sk->sk_policy[0] = NULL;
774 if (unlikely(sk->sk_policy[1] != NULL)) {
775 xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
776 sk->sk_policy[1] = NULL;
782 static inline void xfrm_sk_free_policy(struct sock *sk) {}
783 static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
784 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
785 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
786 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
790 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
794 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
801 xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
805 return (xfrm_address_t *)&fl->fl4_dst;
807 return (xfrm_address_t *)&fl->fl6_dst;
813 xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family)
817 return (xfrm_address_t *)&fl->fl4_src;
819 return (xfrm_address_t *)&fl->fl6_src;
824 static __inline__ int
825 __xfrm4_state_addr_check(struct xfrm_state *x,
826 xfrm_address_t *daddr, xfrm_address_t *saddr)
828 if (daddr->a4 == x->id.daddr.a4 &&
829 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
834 static __inline__ int
835 __xfrm6_state_addr_check(struct xfrm_state *x,
836 xfrm_address_t *daddr, xfrm_address_t *saddr)
838 if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
839 (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)||
840 ipv6_addr_any((struct in6_addr *)saddr) ||
841 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
846 static __inline__ int
847 xfrm_state_addr_check(struct xfrm_state *x,
848 xfrm_address_t *daddr, xfrm_address_t *saddr,
849 unsigned short family)
853 return __xfrm4_state_addr_check(x, daddr, saddr);
855 return __xfrm6_state_addr_check(x, daddr, saddr);
860 static inline int xfrm_state_kern(struct xfrm_state *x)
862 return atomic_read(&x->tunnel_users);
865 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
867 return (!userproto || proto == userproto ||
868 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
869 proto == IPPROTO_ESP ||
870 proto == IPPROTO_COMP)));
874 * xfrm algorithm information
876 struct xfrm_algo_auth_info {
881 struct xfrm_algo_encr_info {
886 struct xfrm_algo_comp_info {
890 struct xfrm_algo_desc {
895 struct xfrm_algo_auth_info auth;
896 struct xfrm_algo_encr_info encr;
897 struct xfrm_algo_comp_info comp;
899 struct sadb_alg desc;
902 /* XFRM tunnel handlers. */
904 int (*handler)(struct sk_buff *skb);
905 int (*err_handler)(struct sk_buff *skb, __u32 info);
907 struct xfrm_tunnel *next;
911 struct xfrm6_tunnel {
912 int (*handler)(struct sk_buff *skb);
913 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
914 int type, int code, int offset, __u32 info);
916 struct xfrm6_tunnel *next;
920 extern void xfrm_init(void);
921 extern void xfrm4_init(void);
922 extern void xfrm6_init(void);
923 extern void xfrm6_fini(void);
924 extern void xfrm_state_init(void);
925 extern void xfrm4_state_init(void);
926 extern void xfrm6_state_init(void);
927 extern void xfrm6_state_fini(void);
929 extern int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*), void *);
930 extern struct xfrm_state *xfrm_state_alloc(void);
931 extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
932 struct flowi *fl, struct xfrm_tmpl *tmpl,
933 struct xfrm_policy *pol, int *err,
934 unsigned short family);
935 extern int xfrm_state_check_expire(struct xfrm_state *x);
936 extern void xfrm_state_insert(struct xfrm_state *x);
937 extern int xfrm_state_add(struct xfrm_state *x);
938 extern int xfrm_state_update(struct xfrm_state *x);
939 extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, u32 spi, u8 proto, unsigned short family);
940 extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq);
941 extern int xfrm_state_delete(struct xfrm_state *x);
942 extern void xfrm_state_flush(u8 proto);
943 extern int xfrm_replay_check(struct xfrm_state *x, u32 seq);
944 extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq);
945 extern void xfrm_replay_notify(struct xfrm_state *x, int event);
946 extern int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb);
947 extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
948 extern int xfrm_init_state(struct xfrm_state *x);
949 extern int xfrm4_rcv(struct sk_buff *skb);
950 extern int xfrm4_output(struct sk_buff *skb);
951 extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler);
952 extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler);
953 extern int xfrm6_rcv_spi(struct sk_buff *skb, u32 spi);
954 extern int xfrm6_rcv(struct sk_buff **pskb);
955 extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler);
956 extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler);
957 extern u32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);
958 extern void xfrm6_tunnel_free_spi(xfrm_address_t *saddr);
959 extern u32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr);
960 extern int xfrm6_output(struct sk_buff *skb);
963 extern int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type);
964 extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
965 extern int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family);
967 static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
972 static inline int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
974 /* should not happen */
978 static inline int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family)
984 struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
985 extern int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*), void *);
986 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
987 struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel,
988 struct xfrm_sec_ctx *ctx, int delete);
989 struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete);
990 void xfrm_policy_flush(void);
991 u32 xfrm_get_acqseq(void);
992 void xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
993 struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
994 xfrm_address_t *daddr, xfrm_address_t *saddr,
995 int create, unsigned short family);
996 extern void xfrm_policy_flush(void);
997 extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
998 extern int xfrm_flush_bundles(void);
999 extern void xfrm_flush_all_bundles(void);
1000 extern int xfrm_bundle_ok(struct xfrm_dst *xdst, struct flowi *fl, int family);
1001 extern void xfrm_init_pmtu(struct dst_entry *dst);
1003 extern wait_queue_head_t km_waitq;
1004 extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport);
1005 extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid);
1007 extern void xfrm_input_init(void);
1008 extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi, u32 *seq);
1010 extern void xfrm_probe_algs(void);
1011 extern int xfrm_count_auth_supported(void);
1012 extern int xfrm_count_enc_supported(void);
1013 extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1014 extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1015 extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1016 extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1017 extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1018 extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe);
1019 extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe);
1020 extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe);
1024 typedef int (icv_update_fn_t)(struct hash_desc *, struct scatterlist *,
1027 extern int skb_icv_walk(const struct sk_buff *skb, struct hash_desc *tfm,
1028 int offset, int len, icv_update_fn_t icv_update);
1030 static inline int xfrm_addr_cmp(xfrm_address_t *a, xfrm_address_t *b,
1036 return a->a4 - b->a4;
1038 return ipv6_addr_cmp((struct in6_addr *)a,
1039 (struct in6_addr *)b);
1043 static inline int xfrm_policy_id2dir(u32 index)
1048 static inline int xfrm_aevent_is_on(void)
1054 nlsk = rcu_dereference(xfrm_nl);
1056 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1061 static inline void xfrm_aevent_doreplay(struct xfrm_state *x)
1063 if (xfrm_aevent_is_on())
1064 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1068 #endif /* _NET_XFRM_H */
projects / mv-sheeva.git / blob