Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
xfrm.h
Go to the documentation of this file.
1 #ifndef _NET_XFRM_H
2 #define _NET_XFRM_H
3 
4 #include <linux/compiler.h>
5 #include <linux/xfrm.h>
6 #include <linux/spinlock.h>
7 #include <linux/list.h>
8 #include <linux/skbuff.h>
9 #include <linux/socket.h>
10 #include <linux/pfkeyv2.h>
11 #include <linux/ipsec.h>
12 #include <linux/in6.h>
13 #include <linux/mutex.h>
14 #include <linux/audit.h>
15 #include <linux/slab.h>
16 
17 #include <net/sock.h>
18 #include <net/dst.h>
19 #include <net/ip.h>
20 #include <net/route.h>
21 #include <net/ipv6.h>
22 #include <net/ip6_fib.h>
23 #include <net/flow.h>
24 
25 #include <linux/interrupt.h>
26 
27 #ifdef CONFIG_XFRM_STATISTICS
28 #include <net/snmp.h>
29 #endif
30 
31 #define XFRM_PROTO_ESP 50
32 #define XFRM_PROTO_AH 51
33 #define XFRM_PROTO_COMP 108
34 #define XFRM_PROTO_IPIP 4
35 #define XFRM_PROTO_IPV6 41
36 #define XFRM_PROTO_ROUTING IPPROTO_ROUTING
37 #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS
38 
39 #define XFRM_ALIGN4(len) (((len) + 3) & ~3)
40 #define XFRM_ALIGN8(len) (((len) + 7) & ~7)
41 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
42  MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
43 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
44  MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
45 
46 #ifdef CONFIG_XFRM_STATISTICS
47 #define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
48 #define XFRM_INC_STATS_BH(net, field) SNMP_INC_STATS_BH((net)->mib.xfrm_statistics, field)
49 #define XFRM_INC_STATS_USER(net, field) SNMP_INC_STATS_USER((net)-mib.xfrm_statistics, field)
50 #else
51 #define XFRM_INC_STATS(net, field) ((void)(net))
52 #define XFRM_INC_STATS_BH(net, field) ((void)(net))
53 #define XFRM_INC_STATS_USER(net, field) ((void)(net))
54 #endif
55 
56 extern struct mutex xfrm_cfg_mutex;
57 
58 /* Organization of SPD aka "XFRM rules"
59  ------------------------------------
60 
61  Basic objects:
62  - policy rule, struct xfrm_policy (=SPD entry)
63  - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
64  - instance of a transformer, struct xfrm_state (=SA)
65  - template to clone xfrm_state, struct xfrm_tmpl
66 
67  SPD is plain linear list of xfrm_policy rules, ordered by priority.
68  (To be compatible with existing pfkeyv2 implementations,
69  many rules with priority of 0x7fffffff are allowed to exist and
70  such rules are ordered in an unpredictable way, thanks to bsd folks.)
71 
72  Lookup is plain linear search until the first match with selector.
73 
74  If "action" is "block", then we prohibit the flow, otherwise:
75  if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
76  policy entry has list of up to XFRM_MAX_DEPTH transformations,
77  described by templates xfrm_tmpl. Each template is resolved
78  to a complete xfrm_state (see below) and we pack bundle of transformations
79  to a dst_entry returned to requestor.
80 
81  dst -. xfrm .-> xfrm_state #1
82  |---. child .-> dst -. xfrm .-> xfrm_state #2
83  |---. child .-> dst -. xfrm .-> xfrm_state #3
84  |---. child .-> NULL
85 
86  Bundles are cached at xrfm_policy struct (field ->bundles).
87 
88 
89  Resolution of xrfm_tmpl
90  -----------------------
91  Template contains:
92  1. ->mode Mode: transport or tunnel
93  2. ->id.proto Protocol: AH/ESP/IPCOMP
94  3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
95  Q: allow to resolve security gateway?
96  4. ->id.spi If not zero, static SPI.
97  5. ->saddr Local tunnel endpoint, ignored for transport mode.
98  6. ->algos List of allowed algos. Plain bitmask now.
99  Q: ealgos, aalgos, calgos. What a mess...
100  7. ->share Sharing mode.
101  Q: how to implement private sharing mode? To add struct sock* to
102  flow id?
103 
104  Having this template we search through SAD searching for entries
105  with appropriate mode/proto/algo, permitted by selector.
106  If no appropriate entry found, it is requested from key manager.
107 
108  PROBLEMS:
109  Q: How to find all the bundles referring to a physical path for
110  PMTU discovery? Seems, dst should contain list of all parents...
111  and enter to infinite locking hierarchy disaster.
112  No! It is easier, we will not search for them, let them find us.
113  We add genid to each dst plus pointer to genid of raw IP route,
114  pmtu disc will update pmtu on raw IP route and increase its genid.
115  dst_check() will see this for top level and trigger resyncing
116  metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
117  */
118 
120  struct list_head all;
122  union {
125  };
127 };
128 
129 /* Full description of state of transformer. */
130 struct xfrm_state {
131 #ifdef CONFIG_NET_NS
132  struct net *xs_net;
133 #endif
134  union {
137  };
140 
143 
144  struct xfrm_id id;
146  struct xfrm_mark mark;
148 
150 
151  /* Key manager bits */
153 
154  /* Parameters of this state. */
155  struct {
165  } props;
166 
168 
169  /* Data for transformer */
171  struct xfrm_algo *ealg;
172  struct xfrm_algo *calg;
174 
175  /* Data for encapsulator */
177 
178  /* Data for care-of address */
180 
181  /* IPComp needs an IPIP tunnel for handling uncompressed packets */
183 
184  /* If a tunnel, number of users + 1 */
186 
187  /* State for replay detection */
190 
191  /* Replay detection state at the time we sent the last notification */
194 
195  /* The functions for replay detection. */
196  struct xfrm_replay *repl;
197 
198  /* internal flag that only holds state for delayed aevent at the
199  * moment
200  */
202 
203  /* Replay detection notification settings */
206 
207  /* Replay detection notification timer */
209 
210  /* Statistics */
212 
215 
216  /* used to fix curlft->add_time when changing date */
217  long saved_tmo;
218 
219  /* Last used time */
220  unsigned long lastused;
221 
222  /* Reference to data common to all the instances of this
223  * transformer. */
224  const struct xfrm_type *type;
228 
229  /* Security context */
231 
232  /* Private data of this transformer, format is opaque,
233  * interpreted by xfrm_type methods. */
234  void *data;
235 };
236 
237 static inline struct net *xs_net(struct xfrm_state *x)
238 {
239  return read_pnet(&x->xs_net);
240 }
241 
242 /* xflags - make enum if more show up */
243 #define XFRM_TIME_DEFER 1
244 #define XFRM_SOFT_EXPIRE 2
245 
246 enum {
253 };
254 
255 /* callback structure passed from either netlink or pfkey */
256 struct km_event {
257  union {
263  } data;
264 
268  struct net *net;
269 };
270 
271 struct xfrm_replay {
272  void (*advance)(struct xfrm_state *x, __be32 net_seq);
273  int (*check)(struct xfrm_state *x,
274  struct sk_buff *skb,
275  __be32 net_seq);
276  int (*recheck)(struct xfrm_state *x,
277  struct sk_buff *skb,
278  __be32 net_seq);
279  void (*notify)(struct xfrm_state *x, int event);
280  int (*overflow)(struct xfrm_state *x, struct sk_buff *skb);
281 };
282 
283 struct net_device;
284 struct xfrm_type;
285 struct xfrm_dst;
287  unsigned short family;
288  struct dst_ops *dst_ops;
290  struct dst_entry *(*dst_lookup)(struct net *net, int tos,
291  const xfrm_address_t *saddr,
292  const xfrm_address_t *daddr);
295  struct flowi *fl,
296  int reverse);
297  int (*get_tos)(const struct flowi *fl);
298  void (*init_dst)(struct net *net,
299  struct xfrm_dst *dst);
301  struct dst_entry *dst,
302  int nfheader_len);
303  int (*fill_dst)(struct xfrm_dst *xdst,
304  struct net_device *dev,
305  const struct flowi *fl);
306  struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
307 };
308 
309 extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
310 extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
311 extern void km_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c);
312 extern void km_state_notify(struct xfrm_state *x, const struct km_event *c);
313 
314 struct xfrm_tmpl;
315 extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
316 extern void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
317 extern int __xfrm_state_delete(struct xfrm_state *x);
318 
320  unsigned int family;
321  unsigned int proto;
323  struct module *owner;
326  int (*init_flags)(struct xfrm_state *x);
328  const struct flowi *fl);
330  const struct xfrm_tmpl *tmpl,
331  const xfrm_address_t *daddr,
332  const xfrm_address_t *saddr);
333  int (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
334  int (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
335  int (*output)(struct sk_buff *skb);
338  struct sk_buff *skb);
340  struct sk_buff *skb);
342  int async);
343 };
344 
345 extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
346 extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
347 
348 extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
349 
350 struct xfrm_type {
351  char *description;
352  struct module *owner;
355 #define XFRM_TYPE_NON_FRAGMENT 1
356 #define XFRM_TYPE_REPLAY_PROT 2
357 #define XFRM_TYPE_LOCAL_COADDR 4
358 #define XFRM_TYPE_REMOTE_COADDR 8
359 
360  int (*init_state)(struct xfrm_state *x);
361  void (*destructor)(struct xfrm_state *);
362  int (*input)(struct xfrm_state *, struct sk_buff *skb);
363  int (*output)(struct xfrm_state *, struct sk_buff *pskb);
364  int (*reject)(struct xfrm_state *, struct sk_buff *,
365  const struct flowi *);
366  int (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
367  /* Estimate maximal size of result of transformation of a dgram */
368  u32 (*get_mtu)(struct xfrm_state *, int size);
369 };
370 
371 extern int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
372 extern int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
373 
374 struct xfrm_mode {
375  /*
376  * Remove encapsulation header.
377  *
378  * The IP header will be moved over the top of the encapsulation
379  * header.
380  *
381  * On entry, the transport header shall point to where the IP header
382  * should be and the network header shall be set to where the IP
383  * header currently is. skb->data shall point to the start of the
384  * payload.
385  */
386  int (*input2)(struct xfrm_state *x, struct sk_buff *skb);
387 
388  /*
389  * This is the actual input entry point.
390  *
391  * For transport mode and equivalent this would be identical to
392  * input2 (which does not need to be set). While tunnel mode
393  * and equivalent would set this to the tunnel encapsulation function
394  * xfrm4_prepare_input that would in turn call input2.
395  */
396  int (*input)(struct xfrm_state *x, struct sk_buff *skb);
397 
398  /*
399  * Add encapsulation header.
400  *
401  * On exit, the transport header will be set to the start of the
402  * encapsulation header to be filled in by x->type->output and
403  * the mac header will be set to the nextheader (protocol for
404  * IPv4) field of the extension header directly preceding the
405  * encapsulation header, or in its absence, that of the top IP
406  * header. The value of the network header will always point
407  * to the top IP header while skb->data will point to the payload.
408  */
409  int (*output2)(struct xfrm_state *x,struct sk_buff *skb);
410 
411  /*
412  * This is the actual output entry point.
413  *
414  * For transport mode and equivalent this would be identical to
415  * output2 (which does not need to be set). While tunnel mode
416  * and equivalent would set this to a tunnel encapsulation function
417  * (xfrm4_prepare_output or xfrm6_prepare_output) that would in turn
418  * call output2.
419  */
420  int (*output)(struct xfrm_state *x, struct sk_buff *skb);
421 
423  struct module *owner;
424  unsigned int encap;
425  int flags;
426 };
427 
428 /* Flags for xfrm_mode. */
429 enum {
431 };
432 
433 extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
434 extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
435 
436 static inline int xfrm_af2proto(unsigned int family)
437 {
438  switch(family) {
439  case AF_INET:
440  return IPPROTO_IPIP;
441  case AF_INET6:
442  return IPPROTO_IPV6;
443  default:
444  return 0;
445  }
446 }
447 
448 static inline struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
449 {
450  if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
451  (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
452  return x->inner_mode;
453  else
454  return x->inner_mode_iaf;
455 }
456 
457 struct xfrm_tmpl {
458 /* id in template is interpreted as:
459  * daddr - destination of tunnel, may be zero for transport mode.
460  * spi - zero to acquire spi. Not zero if spi is static, then
461  * daddr must be fixed too.
462  * proto - AH/ESP/IPCOMP
463  */
464  struct xfrm_id id;
465 
466 /* Source address of tunnel. Ignored, if it is not a tunnel. */
468 
469  unsigned short encap_family;
470 
472 
473 /* Mode: transport, tunnel etc. */
475 
476 /* Sharing mode: unique, this session only, this user only etc. */
478 
479 /* May skip this transfomration if no SA is found */
481 
482 /* Skip aalgos/ealgos/calgos checks. */
484 
485 /* Bit mask of algos allowed for acquisition */
489 };
490 
491 #define XFRM_MAX_DEPTH 6
492 
494  struct list_head all;
496 };
497 
502 };
503 
504 struct xfrm_policy {
505 #ifdef CONFIG_NET_NS
506  struct net *xp_net;
507 #endif
510 
511  /* This lock only affects elements except for entry. */
515 
520  struct xfrm_mark mark;
532 };
533 
534 static inline struct net *xp_net(const struct xfrm_policy *xp)
535 {
536  return read_pnet(&xp->xp_net);
537 }
538 
544 };
545 
546 struct xfrm_migrate {
557 };
558 
559 #define XFRM_KM_TIMEOUT 30
560 /* which seqno */
561 #define XFRM_REPLAY_SEQ 1
562 #define XFRM_REPLAY_OSEQ 2
563 #define XFRM_REPLAY_SEQ_MASK 3
564 /* what happened */
565 #define XFRM_REPLAY_UPDATE XFRM_AE_CR
566 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
567 
568 /* default aevent timeout in units of 100ms */
569 #define XFRM_AE_ETIME 10
570 /* Async Event timer multiplier */
571 #define XFRM_AE_ETH_M 10
572 /* default seq threshold size */
573 #define XFRM_AE_SEQT_SIZE 2
574 
575 struct xfrm_mgr {
576  struct list_head list;
577  char *id;
578  int (*notify)(struct xfrm_state *x, const struct km_event *c);
579  int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
580  struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
582  int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
584  int (*migrate)(const struct xfrm_selector *sel,
585  u8 dir, u8 type,
586  const struct xfrm_migrate *m,
587  int num_bundles,
588  const struct xfrm_kmaddress *k);
589 };
590 
591 extern int xfrm_register_km(struct xfrm_mgr *km);
592 extern int xfrm_unregister_km(struct xfrm_mgr *km);
593 
594 /*
595  * This structure is used for the duration where packets are being
596  * transformed by IPsec. As soon as the packet leaves IPsec the
597  * area beyond the generic IP part may be overwritten.
598  */
599 struct xfrm_skb_cb {
600  union {
603  } header;
604 
605  /* Sequence number for replay protection. */
606  union {
607  struct {
610  } output;
611  struct {
614  } input;
615  } seq;
616 };
617 
618 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
619 
620 /*
621  * This structure is used by the afinfo prepare_input/prepare_output functions
622  * to transmit header information to the mode input/output functions.
623  */
625  union {
628  } header;
629 
630  /* Copied from header for IPv4, always set to zero and DF for IPv6. */
633 
634  /* IP header length (excluding options or extension headers). */
636 
637  /* TOS for IPv4, class for IPv6. */
639 
640  /* TTL for IPv4, hop limitfor IPv6. */
642 
643  /* Protocol for IPv4, NH for IPv6. */
645 
646  /* Option length for IPv4, zero for IPv6. */
648 
649  /* Used by IPv6 only, zero for IPv4. */
651 };
652 
653 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
654 
655 /*
656  * This structure is used by the input processing to locate the SPI and
657  * related information.
658  */
660  union {
663  } header;
664 
665  unsigned int daddroff;
666  unsigned int family;
667 };
668 
669 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
670 
671 /* Audit Information */
672 struct xfrm_audit {
676 };
677 
678 #ifdef CONFIG_AUDITSYSCALL
679 static inline struct audit_buffer *xfrm_audit_start(const char *op)
680 {
681  struct audit_buffer *audit_buf = NULL;
682 
683  if (audit_enabled == 0)
684  return NULL;
685  audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
687  if (audit_buf == NULL)
688  return NULL;
689  audit_log_format(audit_buf, "op=%s", op);
690  return audit_buf;
691 }
692 
693 static inline void xfrm_audit_helper_usrinfo(kuid_t auid, u32 ses, u32 secid,
694  struct audit_buffer *audit_buf)
695 {
696  char *secctx;
697  u32 secctx_len;
698 
699  audit_log_format(audit_buf, " auid=%u ses=%u",
700  from_kuid(&init_user_ns, auid), ses);
701  if (secid != 0 &&
702  security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
703  audit_log_format(audit_buf, " subj=%s", secctx);
704  security_release_secctx(secctx, secctx_len);
705  } else
706  audit_log_task_context(audit_buf);
707 }
708 
709 extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
710  kuid_t auid, u32 ses, u32 secid);
711 extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
712  kuid_t auid, u32 ses, u32 secid);
713 extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
714  kuid_t auid, u32 ses, u32 secid);
715 extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
716  kuid_t auid, u32 ses, u32 secid);
717 extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
718  struct sk_buff *skb);
719 extern void xfrm_audit_state_replay(struct xfrm_state *x,
720  struct sk_buff *skb, __be32 net_seq);
721 extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
722 extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
723  __be32 net_spi, __be32 net_seq);
724 extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
725  struct sk_buff *skb, u8 proto);
726 #else
727 
728 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
729  kuid_t auid, u32 ses, u32 secid)
730 {
731 }
732 
733 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
734  kuid_t auid, u32 ses, u32 secid)
735 {
736 }
737 
738 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
739  kuid_t auid, u32 ses, u32 secid)
740 {
741 }
742 
743 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
744  kuid_t auid, u32 ses, u32 secid)
745 {
746 }
747 
748 static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
749  struct sk_buff *skb)
750 {
751 }
752 
753 static inline void xfrm_audit_state_replay(struct xfrm_state *x,
754  struct sk_buff *skb, __be32 net_seq)
755 {
756 }
757 
758 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
759  u16 family)
760 {
761 }
762 
763 static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
764  __be32 net_spi, __be32 net_seq)
765 {
766 }
767 
768 static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
769  struct sk_buff *skb, u8 proto)
770 {
771 }
772 #endif /* CONFIG_AUDITSYSCALL */
773 
774 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
775 {
776  if (likely(policy != NULL))
777  atomic_inc(&policy->refcnt);
778 }
779 
780 extern void xfrm_policy_destroy(struct xfrm_policy *policy);
781 
782 static inline void xfrm_pol_put(struct xfrm_policy *policy)
783 {
784  if (atomic_dec_and_test(&policy->refcnt))
785  xfrm_policy_destroy(policy);
786 }
787 
788 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
789 {
790  int i;
791  for (i = npols - 1; i >= 0; --i)
792  xfrm_pol_put(pols[i]);
793 }
794 
795 extern void __xfrm_state_destroy(struct xfrm_state *);
796 
797 static inline void __xfrm_state_put(struct xfrm_state *x)
798 {
799  atomic_dec(&x->refcnt);
800 }
801 
802 static inline void xfrm_state_put(struct xfrm_state *x)
803 {
804  if (atomic_dec_and_test(&x->refcnt))
806 }
807 
808 static inline void xfrm_state_hold(struct xfrm_state *x)
809 {
810  atomic_inc(&x->refcnt);
811 }
812 
813 static inline bool addr_match(const void *token1, const void *token2,
814  int prefixlen)
815 {
816  const __be32 *a1 = token1;
817  const __be32 *a2 = token2;
818  int pdw;
819  int pbi;
820 
821  pdw = prefixlen >> 5; /* num of whole u32 in prefix */
822  pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
823 
824  if (pdw)
825  if (memcmp(a1, a2, pdw << 2))
826  return false;
827 
828  if (pbi) {
829  __be32 mask;
830 
831  mask = htonl((0xffffffff) << (32 - pbi));
832 
833  if ((a1[pdw] ^ a2[pdw]) & mask)
834  return false;
835  }
836 
837  return true;
838 }
839 
840 static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
841 {
842  /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
843  if (prefixlen == 0)
844  return true;
845  return !((a1 ^ a2) & htonl(0xFFFFFFFFu << (32 - prefixlen)));
846 }
847 
848 static __inline__
849 __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
850 {
851  __be16 port;
852  switch(fl->flowi_proto) {
853  case IPPROTO_TCP:
854  case IPPROTO_UDP:
855  case IPPROTO_UDPLITE:
856  case IPPROTO_SCTP:
857  port = uli->ports.sport;
858  break;
859  case IPPROTO_ICMP:
860  case IPPROTO_ICMPV6:
861  port = htons(uli->icmpt.type);
862  break;
863  case IPPROTO_MH:
864  port = htons(uli->mht.type);
865  break;
866  case IPPROTO_GRE:
867  port = htons(ntohl(uli->gre_key) >> 16);
868  break;
869  default:
870  port = 0; /*XXX*/
871  }
872  return port;
873 }
874 
875 static __inline__
876 __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
877 {
878  __be16 port;
879  switch(fl->flowi_proto) {
880  case IPPROTO_TCP:
881  case IPPROTO_UDP:
882  case IPPROTO_UDPLITE:
883  case IPPROTO_SCTP:
884  port = uli->ports.dport;
885  break;
886  case IPPROTO_ICMP:
887  case IPPROTO_ICMPV6:
888  port = htons(uli->icmpt.code);
889  break;
890  case IPPROTO_GRE:
891  port = htons(ntohl(uli->gre_key) & 0xffff);
892  break;
893  default:
894  port = 0; /*XXX*/
895  }
896  return port;
897 }
898 
899 extern bool xfrm_selector_match(const struct xfrm_selector *sel,
900  const struct flowi *fl,
901  unsigned short family);
902 
903 #ifdef CONFIG_SECURITY_NETWORK_XFRM
904 /* If neither has a context --> match
905  * Otherwise, both must have a context and the sids, doi, alg must match
906  */
907 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
908 {
909  return ((!s1 && !s2) ||
910  (s1 && s2 &&
911  (s1->ctx_sid == s2->ctx_sid) &&
912  (s1->ctx_doi == s2->ctx_doi) &&
913  (s1->ctx_alg == s2->ctx_alg)));
914 }
915 #else
916 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
917 {
918  return true;
919 }
920 #endif
921 
922 /* A struct encoding bundle of transformations to apply to some set of flow.
923  *
924  * dst->child points to the next element of bundle.
925  * dst->xfrm points to an instanse of transformer.
926  *
927  * Due to unfortunate limitations of current routing cache, which we
928  * have no time to fix, it mirrors struct rtable and bound to the same
929  * routing key, including saddr,daddr. However, we can have many of
930  * bundles differing by session id. All the bundles grow from a parent
931  * policy rule.
932  */
933 struct xfrm_dst {
934  union {
935  struct dst_entry dst;
936  struct rtable rt;
937  struct rt6_info rt6;
938  } u;
939  struct dst_entry *route;
943 #ifdef CONFIG_XFRM_SUB_POLICY
944  struct flowi *origin;
945  struct xfrm_selector *partner;
946 #endif
953 };
954 
955 #ifdef CONFIG_XFRM
956 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
957 {
958  xfrm_pols_put(xdst->pols, xdst->num_pols);
959  dst_release(xdst->route);
960  if (likely(xdst->u.dst.xfrm))
961  xfrm_state_put(xdst->u.dst.xfrm);
962 #ifdef CONFIG_XFRM_SUB_POLICY
963  kfree(xdst->origin);
964  xdst->origin = NULL;
965  kfree(xdst->partner);
966  xdst->partner = NULL;
967 #endif
968 }
969 #endif
970 
971 extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
972 
973 struct sec_path {
975  int len;
977 };
978 
979 static inline int secpath_exists(struct sk_buff *skb)
980 {
981 #ifdef CONFIG_XFRM
982  return skb->sp != NULL;
983 #else
984  return 0;
985 #endif
986 }
987 
988 static inline struct sec_path *
989 secpath_get(struct sec_path *sp)
990 {
991  if (sp)
992  atomic_inc(&sp->refcnt);
993  return sp;
994 }
995 
996 extern void __secpath_destroy(struct sec_path *sp);
997 
998 static inline void
999 secpath_put(struct sec_path *sp)
1000 {
1001  if (sp && atomic_dec_and_test(&sp->refcnt))
1002  __secpath_destroy(sp);
1003 }
1004 
1005 extern struct sec_path *secpath_dup(struct sec_path *src);
1006 
1007 static inline void
1008 secpath_reset(struct sk_buff *skb)
1009 {
1010 #ifdef CONFIG_XFRM
1011  secpath_put(skb->sp);
1012  skb->sp = NULL;
1013 #endif
1014 }
1015 
1016 static inline int
1017 xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1018 {
1019  switch (family) {
1020  case AF_INET:
1021  return addr->a4 == 0;
1022  case AF_INET6:
1023  return ipv6_addr_any((struct in6_addr *)&addr->a6);
1024  }
1025  return 0;
1026 }
1027 
1028 static inline int
1029 __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1030 {
1031  return (tmpl->saddr.a4 &&
1032  tmpl->saddr.a4 != x->props.saddr.a4);
1033 }
1034 
1035 static inline int
1036 __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1037 {
1038  return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1039  ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1040 }
1041 
1042 static inline int
1043 xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1044 {
1045  switch (family) {
1046  case AF_INET:
1047  return __xfrm4_state_addr_cmp(tmpl, x);
1048  case AF_INET6:
1049  return __xfrm6_state_addr_cmp(tmpl, x);
1050  }
1051  return !0;
1052 }
1053 
1054 #ifdef CONFIG_XFRM
1055 extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
1056 
1057 static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1058  struct sk_buff *skb,
1059  unsigned int family, int reverse)
1060 {
1061  struct net *net = dev_net(skb->dev);
1062  int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1063 
1064  if (sk && sk->sk_policy[XFRM_POLICY_IN])
1065  return __xfrm_policy_check(sk, ndir, skb, family);
1066 
1067  return (!net->xfrm.policy_count[dir] && !skb->sp) ||
1068  (skb_dst(skb)->flags & DST_NOPOLICY) ||
1069  __xfrm_policy_check(sk, ndir, skb, family);
1070 }
1071 
1072 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1073 {
1074  return __xfrm_policy_check2(sk, dir, skb, family, 0);
1075 }
1076 
1077 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1078 {
1079  return xfrm_policy_check(sk, dir, skb, AF_INET);
1080 }
1081 
1082 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1083 {
1084  return xfrm_policy_check(sk, dir, skb, AF_INET6);
1085 }
1086 
1087 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1088  struct sk_buff *skb)
1089 {
1090  return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1091 }
1092 
1093 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1094  struct sk_buff *skb)
1095 {
1096  return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1097 }
1098 
1099 extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1100  unsigned int family, int reverse);
1101 
1102 static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1103  unsigned int family)
1104 {
1105  return __xfrm_decode_session(skb, fl, family, 0);
1106 }
1107 
1108 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1109  struct flowi *fl,
1110  unsigned int family)
1111 {
1112  return __xfrm_decode_session(skb, fl, family, 1);
1113 }
1114 
1115 extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1116 
1117 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1118 {
1119  struct net *net = dev_net(skb->dev);
1120 
1121  return !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
1122  (skb_dst(skb)->flags & DST_NOXFRM) ||
1123  __xfrm_route_forward(skb, family);
1124 }
1125 
1126 static inline int xfrm4_route_forward(struct sk_buff *skb)
1127 {
1128  return xfrm_route_forward(skb, AF_INET);
1129 }
1130 
1131 static inline int xfrm6_route_forward(struct sk_buff *skb)
1132 {
1133  return xfrm_route_forward(skb, AF_INET6);
1134 }
1135 
1136 extern int __xfrm_sk_clone_policy(struct sock *sk);
1137 
1138 static inline int xfrm_sk_clone_policy(struct sock *sk)
1139 {
1140  if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
1141  return __xfrm_sk_clone_policy(sk);
1142  return 0;
1143 }
1144 
1145 extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1146 
1147 static inline void xfrm_sk_free_policy(struct sock *sk)
1148 {
1149  if (unlikely(sk->sk_policy[0] != NULL)) {
1150  xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
1151  sk->sk_policy[0] = NULL;
1152  }
1153  if (unlikely(sk->sk_policy[1] != NULL)) {
1154  xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
1155  sk->sk_policy[1] = NULL;
1156  }
1157 }
1158 
1159 #else
1160 
1161 static inline void xfrm_sk_free_policy(struct sock *sk) {}
1162 static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
1163 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
1164 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
1165 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1166 {
1167  return 1;
1168 }
1169 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1170 {
1171  return 1;
1172 }
1173 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1174 {
1175  return 1;
1176 }
1177 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1178  struct flowi *fl,
1179  unsigned int family)
1180 {
1181  return -ENOSYS;
1182 }
1183 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1184  struct sk_buff *skb)
1185 {
1186  return 1;
1187 }
1188 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1189  struct sk_buff *skb)
1190 {
1191  return 1;
1192 }
1193 #endif
1194 
1195 static __inline__
1196 xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1197 {
1198  switch (family){
1199  case AF_INET:
1200  return (xfrm_address_t *)&fl->u.ip4.daddr;
1201  case AF_INET6:
1202  return (xfrm_address_t *)&fl->u.ip6.daddr;
1203  }
1204  return NULL;
1205 }
1206 
1207 static __inline__
1208 xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1209 {
1210  switch (family){
1211  case AF_INET:
1212  return (xfrm_address_t *)&fl->u.ip4.saddr;
1213  case AF_INET6:
1214  return (xfrm_address_t *)&fl->u.ip6.saddr;
1215  }
1216  return NULL;
1217 }
1218 
1219 static __inline__
1220 void xfrm_flowi_addr_get(const struct flowi *fl,
1222  unsigned short family)
1223 {
1224  switch(family) {
1225  case AF_INET:
1226  memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1227  memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1228  break;
1229  case AF_INET6:
1230  *(struct in6_addr *)saddr->a6 = fl->u.ip6.saddr;
1231  *(struct in6_addr *)daddr->a6 = fl->u.ip6.daddr;
1232  break;
1233  }
1234 }
1235 
1236 static __inline__ int
1237 __xfrm4_state_addr_check(const struct xfrm_state *x,
1238  const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1239 {
1240  if (daddr->a4 == x->id.daddr.a4 &&
1241  (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1242  return 1;
1243  return 0;
1244 }
1245 
1246 static __inline__ int
1247 __xfrm6_state_addr_check(const struct xfrm_state *x,
1248  const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1249 {
1250  if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1251  (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)||
1252  ipv6_addr_any((struct in6_addr *)saddr) ||
1253  ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1254  return 1;
1255  return 0;
1256 }
1257 
1258 static __inline__ int
1259 xfrm_state_addr_check(const struct xfrm_state *x,
1260  const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1261  unsigned short family)
1262 {
1263  switch (family) {
1264  case AF_INET:
1265  return __xfrm4_state_addr_check(x, daddr, saddr);
1266  case AF_INET6:
1267  return __xfrm6_state_addr_check(x, daddr, saddr);
1268  }
1269  return 0;
1270 }
1271 
1272 static __inline__ int
1273 xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1274  unsigned short family)
1275 {
1276  switch (family) {
1277  case AF_INET:
1278  return __xfrm4_state_addr_check(x,
1279  (const xfrm_address_t *)&fl->u.ip4.daddr,
1280  (const xfrm_address_t *)&fl->u.ip4.saddr);
1281  case AF_INET6:
1282  return __xfrm6_state_addr_check(x,
1283  (const xfrm_address_t *)&fl->u.ip6.daddr,
1284  (const xfrm_address_t *)&fl->u.ip6.saddr);
1285  }
1286  return 0;
1287 }
1288 
1289 static inline int xfrm_state_kern(const struct xfrm_state *x)
1290 {
1291  return atomic_read(&x->tunnel_users);
1292 }
1293 
1294 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1295 {
1296  return (!userproto || proto == userproto ||
1297  (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1298  proto == IPPROTO_ESP ||
1299  proto == IPPROTO_COMP)));
1300 }
1301 
1302 /*
1303  * xfrm algorithm information
1304  */
1307 };
1308 
1312 };
1313 
1317 };
1318 
1321 };
1322 
1324  char *name;
1325  char *compat;
1327  union {
1332  } uinfo;
1333  struct sadb_alg desc;
1334 };
1335 
1336 /* XFRM tunnel handlers. */
1337 struct xfrm_tunnel {
1338  int (*handler)(struct sk_buff *skb);
1340 
1343 };
1344 
1346  int (*handler)(struct sk_buff *skb);
1348  u8 type, u8 code, int offset, __be32 info);
1351 };
1352 
1353 extern void xfrm_init(void);
1354 extern void xfrm4_init(void);
1355 extern int xfrm_state_init(struct net *net);
1356 extern void xfrm_state_fini(struct net *net);
1357 extern void xfrm4_state_init(void);
1358 #ifdef CONFIG_XFRM
1359 extern int xfrm6_init(void);
1360 extern void xfrm6_fini(void);
1361 extern int xfrm6_state_init(void);
1362 extern void xfrm6_state_fini(void);
1363 #else
1364 static inline int xfrm6_init(void)
1365 {
1366  return 0;
1367 }
1368 static inline void xfrm6_fini(void)
1369 {
1370  ;
1371 }
1372 #endif
1373 
1374 #ifdef CONFIG_XFRM_STATISTICS
1375 extern int xfrm_proc_init(struct net *net);
1376 extern void xfrm_proc_fini(struct net *net);
1377 #endif
1378 
1379 extern int xfrm_sysctl_init(struct net *net);
1380 #ifdef CONFIG_SYSCTL
1381 extern void xfrm_sysctl_fini(struct net *net);
1382 #else
1383 static inline void xfrm_sysctl_fini(struct net *net)
1384 {
1385 }
1386 #endif
1387 
1388 extern void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto);
1389 extern int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1390  int (*func)(struct xfrm_state *, int, void*), void *);
1391 extern void xfrm_state_walk_done(struct xfrm_state_walk *walk);
1392 extern struct xfrm_state *xfrm_state_alloc(struct net *net);
1393 extern struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1394  const xfrm_address_t *saddr,
1395  const struct flowi *fl,
1396  struct xfrm_tmpl *tmpl,
1397  struct xfrm_policy *pol, int *err,
1398  unsigned short family);
1399 extern struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark,
1400  xfrm_address_t *daddr,
1401  xfrm_address_t *saddr,
1402  unsigned short family,
1403  u8 mode, u8 proto, u32 reqid);
1404 extern int xfrm_state_check_expire(struct xfrm_state *x);
1405 extern void xfrm_state_insert(struct xfrm_state *x);
1406 extern int xfrm_state_add(struct xfrm_state *x);
1407 extern int xfrm_state_update(struct xfrm_state *x);
1408 extern struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1409  const xfrm_address_t *daddr, __be32 spi,
1410  u8 proto, unsigned short family);
1411 extern struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1412  const xfrm_address_t *daddr,
1413  const xfrm_address_t *saddr,
1414  u8 proto,
1415  unsigned short family);
1416 #ifdef CONFIG_XFRM_SUB_POLICY
1417 extern int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1418  int n, unsigned short family);
1419 extern int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1420  int n, unsigned short family);
1421 #else
1422 static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1423  int n, unsigned short family)
1424 {
1425  return -ENOSYS;
1426 }
1427 
1428 static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
1429  int n, unsigned short family)
1430 {
1431  return -ENOSYS;
1432 }
1433 #endif
1434 
1436  u32 sadhcnt; /* current hash bkts */
1437  u32 sadhmcnt; /* max allowed hash bkts */
1438  u32 sadcnt; /* current running count */
1439 };
1440 
1450 };
1451 
1452 extern struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark,
1453  u32 seq);
1454 extern int xfrm_state_delete(struct xfrm_state *x);
1455 extern int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info);
1456 extern void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1457 extern void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1458 extern u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1459 extern int xfrm_init_replay(struct xfrm_state *x);
1460 extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
1461 extern int __xfrm_init_state(struct xfrm_state *x, bool init_replay);
1462 extern int xfrm_init_state(struct xfrm_state *x);
1463 extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
1464 extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi,
1465  int encap_type);
1466 extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1467 extern int xfrm_output_resume(struct sk_buff *skb, int err);
1468 extern int xfrm_output(struct sk_buff *skb);
1469 extern int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1470 extern int xfrm4_extract_header(struct sk_buff *skb);
1471 extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1472 extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1473  int encap_type);
1474 extern int xfrm4_transport_finish(struct sk_buff *skb, int async);
1475 extern int xfrm4_rcv(struct sk_buff *skb);
1476 
1477 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1478 {
1479  return xfrm4_rcv_encap(skb, nexthdr, spi, 0);
1480 }
1481 
1482 extern int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1483 extern int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1484 extern int xfrm4_output(struct sk_buff *skb);
1485 extern int xfrm4_output_finish(struct sk_buff *skb);
1486 extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1487 extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1488 extern int xfrm4_mode_tunnel_input_register(struct xfrm_tunnel *handler);
1489 extern int xfrm4_mode_tunnel_input_deregister(struct xfrm_tunnel *handler);
1490 extern int xfrm6_extract_header(struct sk_buff *skb);
1491 extern int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1492 extern int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
1493 extern int xfrm6_transport_finish(struct sk_buff *skb, int async);
1494 extern int xfrm6_rcv(struct sk_buff *skb);
1495 extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1496  xfrm_address_t *saddr, u8 proto);
1497 extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1498 extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1499 extern __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1500 extern __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1501 extern int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
1502 extern int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
1503 extern int xfrm6_output(struct sk_buff *skb);
1504 extern int xfrm6_output_finish(struct sk_buff *skb);
1505 extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1506  u8 **prevhdr);
1507 
1508 #ifdef CONFIG_XFRM
1509 extern int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1510 extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
1511 #else
1512 static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1513 {
1514  return -ENOPROTOOPT;
1515 }
1516 
1517 static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
1518 {
1519  /* should not happen */
1520  kfree_skb(skb);
1521  return 0;
1522 }
1523 #endif
1524 
1525 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1526 
1527 extern void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1528 extern int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1529  int (*func)(struct xfrm_policy *, int, int, void*), void *);
1530 extern void xfrm_policy_walk_done(struct xfrm_policy_walk *walk);
1531 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1532 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark,
1533  u8 type, int dir,
1534  struct xfrm_selector *sel,
1535  struct xfrm_sec_ctx *ctx, int delete,
1536  int *err);
1537 struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8, int dir, u32 id, int delete, int *err);
1538 int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info);
1539 u32 xfrm_get_acqseq(void);
1540 extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1541 struct xfrm_state *xfrm_find_acq(struct net *net, struct xfrm_mark *mark,
1542  u8 mode, u32 reqid, u8 proto,
1543  const xfrm_address_t *daddr,
1544  const xfrm_address_t *saddr, int create,
1545  unsigned short family);
1546 extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1547 
1548 #ifdef CONFIG_XFRM_MIGRATE
1549 extern int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1550  const struct xfrm_migrate *m, int num_bundles,
1551  const struct xfrm_kmaddress *k);
1552 extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m);
1553 extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1554  struct xfrm_migrate *m);
1555 extern int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1556  struct xfrm_migrate *m, int num_bundles,
1557  struct xfrm_kmaddress *k);
1558 #endif
1559 
1560 extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1561 extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1562 extern int km_report(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
1563 
1564 extern void xfrm_input_init(void);
1565 extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1566 
1567 extern void xfrm_probe_algs(void);
1568 extern int xfrm_count_auth_supported(void);
1569 extern int xfrm_count_enc_supported(void);
1570 extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1571 extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1572 extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1573 extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1574 extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1575 extern struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1576 extern struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1577 extern struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1578 extern struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1579  int probe);
1580 
1581 static inline int xfrm_addr_cmp(const xfrm_address_t *a,
1582  const xfrm_address_t *b,
1583  int family)
1584 {
1585  switch (family) {
1586  default:
1587  case AF_INET:
1588  return (__force u32)a->a4 - (__force u32)b->a4;
1589  case AF_INET6:
1590  return ipv6_addr_cmp((const struct in6_addr *)a,
1591  (const struct in6_addr *)b);
1592  }
1593 }
1594 
1595 static inline int xfrm_policy_id2dir(u32 index)
1596 {
1597  return index & 7;
1598 }
1599 
1600 #ifdef CONFIG_XFRM
1601 static inline int xfrm_aevent_is_on(struct net *net)
1602 {
1603  struct sock *nlsk;
1604  int ret = 0;
1605 
1606  rcu_read_lock();
1607  nlsk = rcu_dereference(net->xfrm.nlsk);
1608  if (nlsk)
1610  rcu_read_unlock();
1611  return ret;
1612 }
1613 #endif
1614 
1615 static inline int xfrm_alg_len(const struct xfrm_algo *alg)
1616 {
1617  return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1618 }
1619 
1620 static inline int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1621 {
1622  return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1623 }
1624 
1625 static inline int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1626 {
1627  return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1628 }
1629 
1630 #ifdef CONFIG_XFRM_MIGRATE
1631 static inline int xfrm_replay_clone(struct xfrm_state *x,
1632  struct xfrm_state *orig)
1633 {
1634  x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn),
1635  GFP_KERNEL);
1636  if (!x->replay_esn)
1637  return -ENOMEM;
1638 
1639  x->replay_esn->bmp_len = orig->replay_esn->bmp_len;
1640  x->replay_esn->replay_window = orig->replay_esn->replay_window;
1641 
1642  x->preplay_esn = kmemdup(x->replay_esn,
1643  xfrm_replay_state_esn_len(x->replay_esn),
1644  GFP_KERNEL);
1645  if (!x->preplay_esn) {
1646  kfree(x->replay_esn);
1647  return -ENOMEM;
1648  }
1649 
1650  return 0;
1651 }
1652 
1653 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1654 {
1655  return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1656 }
1657 
1658 static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1659 {
1660  return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1661 }
1662 
1663 static inline void xfrm_states_put(struct xfrm_state **states, int n)
1664 {
1665  int i;
1666  for (i = 0; i < n; i++)
1667  xfrm_state_put(*(states + i));
1668 }
1669 
1670 static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1671 {
1672  int i;
1673  for (i = 0; i < n; i++)
1674  xfrm_state_delete(*(states + i));
1675 }
1676 #endif
1677 
1678 #ifdef CONFIG_XFRM
1679 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1680 {
1681  return skb->sp->xvec[skb->sp->len - 1];
1682 }
1683 #endif
1684 
1685 static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
1686 {
1687  if (attrs[XFRMA_MARK])
1688  memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
1689  else
1690  m->v = m->m = 0;
1691 
1692  return m->v & m->m;
1693 }
1694 
1695 static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
1696 {
1697  int ret = 0;
1698 
1699  if (m->m | m->v)
1700  ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
1701  return ret;
1702 }
1703 
1704 #endif /* _NET_XFRM_H */