6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * Kazunori MIYAZAWA @USAGI
11 * Split up af-specific portion
12 * Derek Atkins <derek@ihtfp.com> Add the post_input processor
16 #include <linux/config.h>
17 #include <linux/slab.h>
18 #include <linux/kmod.h>
19 #include <linux/list.h>
20 #include <linux/spinlock.h>
21 #include <linux/workqueue.h>
22 #include <linux/notifier.h>
23 #include <linux/netdevice.h>
/*
 * Module-global state for the XFRM policy layer (some source lines are
 * elided in this excerpt):
 *  - xfrm_cfg_sem:        serializes configuration changes.
 *  - xfrm_policy_lock:    protects xfrm_policy_list.
 *  - xfrm_policy_list:    policy chains; 2*XFRM_POLICY_MAX slots — the
 *                         upper half appears to hold per-socket policies
 *                         (see __xfrm_policy_link callers) — TODO confirm.
 *  - xfrm_policy_afinfo:  per-address-family ops, guarded by its rwlock.
 *  - xfrm_dst_cache:      slab cache for struct xfrm_dst.
 *  - gc work/list/lock:   deferred policy destruction (xfrm_policy_gc_task).
 */
27 DECLARE_MUTEX(xfrm_cfg_sem);
29 static rwlock_t xfrm_policy_lock = RW_LOCK_UNLOCKED;
31 struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2];
33 static rwlock_t xfrm_policy_afinfo_lock = RW_LOCK_UNLOCKED;
34 static struct xfrm_policy_afinfo *xfrm_policy_afinfo[NPROTO];
36 kmem_cache_t *xfrm_dst_cache;
38 static struct work_struct xfrm_policy_gc_work;
39 static struct list_head xfrm_policy_gc_list =
40 LIST_HEAD_INIT(xfrm_policy_gc_list);
41 static spinlock_t xfrm_policy_gc_lock = SPIN_LOCK_UNLOCKED;
/*
 * Register a transform type in @family's type map, keyed by IP protocol.
 * The slot is taken only if currently empty (registration races lose).
 * NOTE(review): error-return lines are elided in this excerpt.
 */
43 int xfrm_register_type(struct xfrm_type *type, unsigned short family)
45 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
46 struct xfrm_type_map *typemap;
49 if (unlikely(afinfo == NULL))
51 typemap = afinfo->type_map;
53 write_lock(&typemap->lock);
54 if (likely(typemap->map[type->proto] == NULL))
55 typemap->map[type->proto] = type;
58 write_unlock(&typemap->lock);
59 xfrm_policy_put_afinfo(afinfo);
/*
 * Remove @type from @family's type map — but only if the slot still
 * points at this exact type (guards against unregistering someone else's
 * registration).  Elided lines presumably carry the error returns.
 */
63 int xfrm_unregister_type(struct xfrm_type *type, unsigned short family)
65 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
66 struct xfrm_type_map *typemap;
69 if (unlikely(afinfo == NULL))
71 typemap = afinfo->type_map;
73 write_lock(&typemap->lock);
74 if (unlikely(typemap->map[type->proto] != type))
77 typemap->map[type->proto] = NULL;
78 write_unlock(&typemap->lock);
79 xfrm_policy_put_afinfo(afinfo);
/*
 * Look up the transform type for (@family, @proto), taking a module
 * reference on success.  If the type is absent on the first pass, drop
 * the afinfo ref, try request_module("xfrm-type-<family>-<proto>") and
 * retry once (modload_attempted gates the retry loop; the loop structure
 * itself is partly elided in this excerpt).
 */
83 struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
85 struct xfrm_policy_afinfo *afinfo;
86 struct xfrm_type_map *typemap;
87 struct xfrm_type *type;
88 int modload_attempted = 0;
91 afinfo = xfrm_policy_get_afinfo(family);
92 if (unlikely(afinfo == NULL))
94 typemap = afinfo->type_map;
96 read_lock(&typemap->lock);
97 type = typemap->map[proto];
/* If try_module_get() fails the type is unloading — treat as not found. */
98 if (unlikely(type && !try_module_get(type->owner)))
100 read_unlock(&typemap->lock);
101 if (!type && !modload_attempted) {
102 xfrm_policy_put_afinfo(afinfo);
103 request_module("xfrm-type-%d-%d",
104 (int) family, (int) proto);
105 modload_attempted = 1;
109 xfrm_policy_put_afinfo(afinfo);
/*
 * Route lookup dispatched through the per-family afinfo hook.
 * Returns -EAFNOSUPPORT when the family has no registered afinfo; the
 * default value of err for a NULL dst_lookup hook is elided here.
 */
113 int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl,
114 unsigned short family)
116 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
119 if (unlikely(afinfo == NULL))
120 return -EAFNOSUPPORT;
122 if (likely(afinfo->dst_lookup != NULL))
123 err = afinfo->dst_lookup(dst, fl);
126 xfrm_policy_put_afinfo(afinfo);
/* Release the module reference taken by xfrm_get_type(). */
130 void xfrm_put_type(struct xfrm_type *type)
132 module_put(type->owner);
/*
 * Convert seconds to jiffies, clamping so that secs*HZ cannot overflow
 * past MAX_SCHEDULE_TIMEOUT.  The non-clamped conversion branch is
 * elided in this excerpt.
 */
135 static inline unsigned long make_jiffies(long secs)
137 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
138 return MAX_SCHEDULE_TIMEOUT-1;
/*
 * Per-policy lifetime timer.  Under xp->lock it evaluates the four
 * lifetime limits (hard/soft x add/use) against wall-clock time,
 * tracking the nearest future expiry in 'next'.  Soft expiries clamp the
 * re-check interval to XFRM_KM_TIMEOUT and notify key managers with
 * hard=0; a hard expiry (tail of function, partly elided) notifies with
 * hard=1 and deletes the policy.  'dir' computation and several branch
 * bodies are elided in this excerpt.
 */
143 static void xfrm_policy_timer(unsigned long data)
145 struct xfrm_policy *xp = (struct xfrm_policy*)data;
146 unsigned long now = (unsigned long)xtime.tv_sec;
147 long next = LONG_MAX;
151 read_lock(&xp->lock);
158 if (xp->lft.hard_add_expires_seconds) {
159 long tmo = xp->lft.hard_add_expires_seconds +
160 xp->curlft.add_time - now;
166 if (xp->lft.hard_use_expires_seconds) {
/* use_time of 0 means "never used"; fall back to add_time. */
167 long tmo = xp->lft.hard_use_expires_seconds +
168 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
174 if (xp->lft.soft_add_expires_seconds) {
175 long tmo = xp->lft.soft_add_expires_seconds +
176 xp->curlft.add_time - now;
179 tmo = XFRM_KM_TIMEOUT;
184 if (xp->lft.soft_use_expires_seconds) {
185 long tmo = xp->lft.soft_use_expires_seconds +
186 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
189 tmo = XFRM_KM_TIMEOUT;
/* Soft expiry: warn key managers, then re-arm for the next check. */
196 km_policy_expired(xp, dir, 0);
197 if (next != LONG_MAX &&
198 !mod_timer(&xp->timer, jiffies + make_jiffies(next)))
202 read_unlock(&xp->lock);
/* Hard expiry path: notify with hard=1 and remove the policy. */
207 km_policy_expired(xp, dir, 1);
208 xfrm_policy_delete(xp, dir);
213 /* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
/*
 * Zero-initialized policy with refcnt 1; the lifetime timer is set up
 * but not armed (callers arm it, e.g. xfrm_policy_insert).
 * The NULL-check after kmalloc is elided in this excerpt.
 */
217 struct xfrm_policy *xfrm_policy_alloc(int gfp)
219 struct xfrm_policy *policy;
221 policy = kmalloc(sizeof(struct xfrm_policy), gfp);
224 memset(policy, 0, sizeof(struct xfrm_policy));
225 atomic_set(&policy->refcnt, 1);
226 policy->lock = RW_LOCK_UNLOCKED;
227 init_timer(&policy->timer);
228 policy->timer.data = (unsigned long)policy;
229 policy->timer.function = xfrm_policy_timer;
234 /* Destroy xfrm_policy: descendant resources must be released to this moment. */
/*
 * Final teardown once the last reference is gone.  A still-pending timer
 * here would be a refcount bug; the consequence branch is elided.
 */
236 void __xfrm_policy_destroy(struct xfrm_policy *policy)
244 if (del_timer(&policy->timer))
/*
 * GC worker helper: release every cached dst bundle hanging off the
 * policy, cancel a pending timer (dropping the ref the timer held), and
 * drop the GC's own reference.  The early-return when other references
 * remain (refcnt > 1) has its body elided here.
 */
250 static void xfrm_policy_gc_kill(struct xfrm_policy *policy)
252 struct dst_entry *dst;
254 while ((dst = policy->bundles) != NULL) {
255 policy->bundles = dst->next;
259 if (del_timer(&policy->timer))
260 atomic_dec(&policy->refcnt);
262 if (atomic_read(&policy->refcnt) > 1)
265 xfrm_pol_put(policy);
/*
 * Work-queue handler for deferred policy destruction: atomically steal
 * the pending list onto a private one, then kill each entry without
 * holding xfrm_policy_gc_lock.
 */
268 static void xfrm_policy_gc_task(void *data)
270 struct xfrm_policy *policy;
271 struct list_head *entry, *tmp;
272 struct list_head gc_list = LIST_HEAD_INIT(gc_list);
274 spin_lock_bh(&xfrm_policy_gc_lock);
275 list_splice_init(&xfrm_policy_gc_list, &gc_list);
276 spin_unlock_bh(&xfrm_policy_gc_lock);
278 list_for_each_safe(entry, tmp, &gc_list) {
279 policy = list_entry(entry, struct xfrm_policy, list);
280 xfrm_policy_gc_kill(policy);
284 /* Rule must be locked. Release descentant resources, announce
285 * entry dead. The rule must be unlinked from lists to the moment.
/*
 * Queue an unlinked policy for destruction by the GC work item.  The
 * dead-flag set/test between taking policy->lock and queueing is elided
 * in this excerpt — presumably it prevents double-queueing; TODO confirm.
 */
288 void xfrm_policy_kill(struct xfrm_policy *policy)
290 write_lock_bh(&policy->lock);
296 spin_lock(&xfrm_policy_gc_lock);
297 list_add(&policy->list, &xfrm_policy_gc_list);
298 spin_unlock(&xfrm_policy_gc_lock);
299 schedule_work(&xfrm_policy_gc_work);
302 write_unlock_bh(&policy->lock);
305 /* Generate new index... KAME seems to generate them ordered by cost
306 * of an absolute inpredictability of ordering of rules. This will not pass. */
/*
 * Produce a policy index unique within @dir.  The low bits encode the
 * direction (hence the '| dir'); the increment of idx_generator and the
 * collision-scan body over xfrm_policy_list[dir] are elided here.
 */
307 static u32 xfrm_gen_index(int dir)
310 struct xfrm_policy *p;
311 static u32 idx_generator;
314 idx = (idx_generator | dir);
318 for (p = xfrm_policy_list[dir]; p; p = p->next) {
/*
 * Insert @policy into the @dir chain ordered by priority.  A policy with
 * an identical selector is replaced (delpol) — unless @excl, in which
 * case the elided branch after the unlock presumably returns -EEXIST;
 * TODO confirm.  Bumps flow_cache_genid so cached lookups revalidate,
 * reuses the replaced policy's index, and arms the lifetime timer
 * (mod_timer returning 0 means the timer was not pending, so a ref is
 * taken for it).
 */
327 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
329 struct xfrm_policy *pol, **p;
330 struct xfrm_policy *delpol = NULL;
331 struct xfrm_policy **newpos = NULL;
333 write_lock_bh(&xfrm_policy_lock);
334 for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL; p = &pol->next) {
335 if (!delpol && memcmp(&policy->selector, &pol->selector, sizeof(pol->selector)) == 0) {
337 write_unlock_bh(&xfrm_policy_lock);
342 if (policy->priority > pol->priority)
344 } else if (policy->priority >= pol->priority)
353 xfrm_pol_hold(policy);
356 atomic_inc(&flow_cache_genid);
357 policy->index = delpol ? delpol->index : xfrm_gen_index(dir);
358 policy->curlft.add_time = (unsigned long)xtime.tv_sec;
359 policy->curlft.use_time = 0;
360 if (!mod_timer(&policy->timer, jiffies + HZ))
361 xfrm_pol_hold(policy);
362 write_unlock_bh(&xfrm_policy_lock);
/* Replaced policy is destroyed outside the list lock. */
365 xfrm_policy_kill(delpol);
/*
 * Find the policy in @dir whose selector equals *@sel exactly.  The
 * elided 'delete' parameter/branch appears to unlink it, bump the flow
 * cache generation and kill it — TODO confirm against full source.
 */
370 struct xfrm_policy *xfrm_policy_bysel(int dir, struct xfrm_selector *sel,
373 struct xfrm_policy *pol, **p;
375 write_lock_bh(&xfrm_policy_lock);
376 for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL; p = &pol->next) {
377 if (memcmp(sel, &pol->selector, sizeof(*sel)) == 0) {
384 write_unlock_bh(&xfrm_policy_lock);
387 atomic_inc(&flow_cache_genid);
388 xfrm_policy_kill(pol);
/*
 * Find a policy by its index.  The chain is chosen by 'id & 7' — the
 * low index bits encode the direction (see xfrm_gen_index).  When
 * @delete, the elided branch unlinks it and the tail kills it after
 * bumping flow_cache_genid.
 */
393 struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete)
395 struct xfrm_policy *pol, **p;
397 write_lock_bh(&xfrm_policy_lock);
398 for (p = &xfrm_policy_list[id & 7]; (pol=*p)!=NULL; p = &pol->next) {
399 if (pol->index == id) {
406 write_unlock_bh(&xfrm_policy_lock);
409 atomic_inc(&flow_cache_genid);
410 xfrm_policy_kill(pol);
/*
 * Remove every policy in all main directions.  The list lock is dropped
 * around each xfrm_policy_kill() call (which may sleep/schedule work)
 * and re-taken afterwards; restarting from the list head each iteration
 * keeps this safe against concurrent insertions.
 */
415 void xfrm_policy_flush(void)
417 struct xfrm_policy *xp;
420 write_lock_bh(&xfrm_policy_lock);
421 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
422 while ((xp = xfrm_policy_list[dir]) != NULL) {
423 xfrm_policy_list[dir] = xp->next;
424 write_unlock_bh(&xfrm_policy_lock);
426 xfrm_policy_kill(xp);
428 write_lock_bh(&xfrm_policy_lock);
431 atomic_inc(&flow_cache_genid);
432 write_unlock_bh(&xfrm_policy_lock);
/*
 * Iterate all policies (both halves of the list: main + per-socket)
 * under the read lock, invoking @func for each.  The first pass
 * apparently counts entries and the second dispatches with a
 * decrementing count — the count setup/early-exit lines are elided;
 * TODO confirm.  'dir % XFRM_POLICY_MAX' maps socket-policy slots back
 * to their base direction.
 */
435 int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*),
438 struct xfrm_policy *xp;
443 read_lock_bh(&xfrm_policy_lock);
444 for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
445 for (xp = xfrm_policy_list[dir]; xp; xp = xp->next)
454 for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
455 for (xp = xfrm_policy_list[dir]; xp; xp = xp->next) {
456 error = func(xp, dir%XFRM_POLICY_MAX, --count, data);
463 read_unlock_bh(&xfrm_policy_lock);
468 /* Find policy to apply to this flow. */
/*
 * Flow-cache resolver: linear scan of the @dir chain for the first
 * policy whose family and selector match @fl.  On a match (hold/break
 * lines elided) the policy and its refcnt are handed back through the
 * flow cache's objp/obj_refp out-parameters.
 */
470 static void xfrm_policy_lookup(struct flowi *fl, u16 family, u8 dir,
471 void **objp, atomic_t **obj_refp)
473 struct xfrm_policy *pol;
475 read_lock_bh(&xfrm_policy_lock);
476 for (pol = xfrm_policy_list[dir]; pol; pol = pol->next) {
477 struct xfrm_selector *sel = &pol->selector;
480 if (pol->family != family)
483 match = xfrm_selector_match(sel, fl, family);
489 read_unlock_bh(&xfrm_policy_lock);
490 if ((*objp = (void *) pol) != NULL)
491 *obj_refp = &pol->refcnt;
/*
 * Match @fl against the socket's own per-direction policy, if any.
 * The hold-on-match / clear-on-mismatch lines are elided in this
 * excerpt.
 */
494 struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl)
496 struct xfrm_policy *pol;
498 read_lock_bh(&xfrm_policy_lock);
499 if ((pol = sk->sk_policy[dir]) != NULL) {
500 int match = xfrm_selector_match(&pol->selector, fl,
507 read_unlock_bh(&xfrm_policy_lock);
/* Push @pol onto the head of the @dir chain; caller holds xfrm_policy_lock. */
511 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
513 pol->next = xfrm_policy_list[dir];
514 xfrm_policy_list[dir] = pol;
/*
 * Unlink @pol from the @dir chain (caller holds xfrm_policy_lock).
 * The match/splice body and return values are elided in this excerpt.
 */
518 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
521 struct xfrm_policy **polp;
523 for (polp = &xfrm_policy_list[dir];
524 *polp != NULL; polp = &(*polp)->next) {
/*
 * Unlink @pol under the list lock, then destroy it outside the lock.
 * __xfrm_policy_unlink's return (NULL if not found) is reassigned to
 * pol; the NULL-guard before the kill is elided here.
 */
533 void xfrm_policy_delete(struct xfrm_policy *pol, int dir)
535 write_lock_bh(&xfrm_policy_lock);
536 pol = __xfrm_policy_unlink(pol, dir);
537 write_unlock_bh(&xfrm_policy_lock);
539 xfrm_policy_kill(pol);
/*
 * Install @pol as the socket's @dir policy, displacing any previous
 * one.  Socket policies live in the upper half of xfrm_policy_list
 * (XFRM_POLICY_MAX + dir).  The old policy is unlinked under the lock
 * and killed after it is released.
 */
542 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
544 struct xfrm_policy *old_pol;
546 write_lock_bh(&xfrm_policy_lock);
547 old_pol = sk->sk_policy[dir];
548 sk->sk_policy[dir] = pol;
550 pol->curlft.add_time = (unsigned long)xtime.tv_sec;
551 pol->index = xfrm_gen_index(XFRM_POLICY_MAX+dir);
552 __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir);
555 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
556 write_unlock_bh(&xfrm_policy_lock);
559 xfrm_policy_kill(old_pol);
/*
 * Duplicate a socket policy for a newly cloned socket (GFP_ATOMIC —
 * called from softirq-ish accept path).  Copies selector, lifetimes,
 * action/flags, template vector and index, then links the clone into
 * the socket-policy half of the list.  The NULL-check on the allocation
 * is elided in this excerpt.
 */
564 static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir)
566 struct xfrm_policy *newp = xfrm_policy_alloc(GFP_ATOMIC);
569 newp->selector = old->selector;
570 newp->lft = old->lft;
571 newp->curlft = old->curlft;
572 newp->action = old->action;
573 newp->flags = old->flags;
574 newp->xfrm_nr = old->xfrm_nr;
575 newp->index = old->index;
576 memcpy(newp->xfrm_vec, old->xfrm_vec,
577 newp->xfrm_nr*sizeof(struct xfrm_tmpl));
578 write_lock_bh(&xfrm_policy_lock);
579 __xfrm_policy_link(newp, XFRM_POLICY_MAX+dir);
580 write_unlock_bh(&xfrm_policy_lock);
/*
 * Clone both per-direction socket policies onto a child socket.  The
 * slots are cleared first so a failed clone leaves NULL rather than a
 * shared pointer; the error returns after each failed clone are elided.
 */
586 int __xfrm_sk_clone_policy(struct sock *sk)
588 struct xfrm_policy *p0 = sk->sk_policy[0],
589 *p1 = sk->sk_policy[1];
591 sk->sk_policy[0] = sk->sk_policy[1] = NULL;
592 if (p0 && (sk->sk_policy[0] = clone_policy(p0, 0)) == NULL)
594 if (p1 && (sk->sk_policy[1] = clone_policy(p1, 1)) == NULL)
599 /* Resolve list of templates for the flow, given policy. */
/*
 * For each template in the policy, find (or start acquiring) a matching
 * xfrm_state, collecting them into @xfrm[].  Tunnel-mode templates
 * (condition elided) override the remote/local addresses with the
 * template's own endpoints.  On failure the tail loop releases every
 * state acquired so far and the (elided) return reports the error.
 */
602 xfrm_tmpl_resolve(struct xfrm_policy *policy, struct flowi *fl,
603 struct xfrm_state **xfrm,
604 unsigned short family)
608 xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
609 xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
611 for (nx=0, i = 0; i < policy->xfrm_nr; i++) {
612 struct xfrm_state *x;
613 xfrm_address_t *remote = daddr;
614 xfrm_address_t *local = saddr;
615 struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
618 remote = &tmpl->id.daddr;
619 local = &tmpl->saddr;
622 x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
624 if (x && x->km.state == XFRM_STATE_VALID) {
631 error = (x->km.state == XFRM_STATE_ERROR ?
/* Error unwind: drop references on all states gathered so far. */
642 for (nx--; nx>=0; nx--)
643 xfrm_state_put(xfrm[nx]);
647 /* Check that the bundle accepts the flow and its components are
/*
 * Look for an existing cached dst bundle for (@fl, @policy) via the
 * per-family find_bundle hook; ERR_PTR(-EINVAL) if the family is
 * unsupported.
 */
651 static struct dst_entry *
652 xfrm_find_bundle(struct flowi *fl, struct xfrm_policy *policy, unsigned short family)
655 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
656 if (unlikely(afinfo == NULL))
657 return ERR_PTR(-EINVAL);
658 x = afinfo->find_bundle(fl, policy);
659 xfrm_policy_put_afinfo(afinfo);
663 /* Allocate chain of dst_entry's, attach known xfrm's, calculate
664 * all the metrics... Shortly, bundle a bundle.
/*
 * Build a new dst bundle from the resolved states via the per-family
 * bundle_create hook.  The error value returned for a missing afinfo is
 * elided in this excerpt.
 */
668 xfrm_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int nx,
669 struct flowi *fl, struct dst_entry **dst_p,
670 unsigned short family)
673 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
674 if (unlikely(afinfo == NULL))
676 err = afinfo->bundle_create(policy, xfrm, nx, fl, dst_p);
677 xfrm_policy_put_afinfo(afinfo);
/*
 * Map an XFRM_POLICY_* direction to the flow cache's FLOW_DIR_*.  When
 * the enums already coincide (compile-time constant condition) the
 * identity fast path applies; otherwise an (elided) switch translates
 * each value.
 */
681 static inline int policy_to_flow_dir(int dir)
683 if (XFRM_POLICY_IN == FLOW_DIR_IN &&
684 XFRM_POLICY_OUT == FLOW_DIR_OUT &&
685 XFRM_POLICY_FWD == FLOW_DIR_FWD)
691 case XFRM_POLICY_OUT:
693 case XFRM_POLICY_FWD:
698 static int stale_bundle(struct dst_entry *dst);
700 /* Main function: finds/creates a bundle for given flow.
702 * At the moment we eat a raw IP route. Mostly to speed up lookups
703 * on interfaces with disabled IPsec.
/*
 * Output-path entry point: resolve the policy for @fl, then find or
 * build a transform bundle and swap it in for the plain route in
 * *@dst_p.  Many control-flow lines (labels, returns, retry jumps) are
 * elided in this excerpt; the visible skeleton is:
 *   1. snapshot flow_cache_genid; prefer the socket's own policy,
 *      else consult the flow cache (with a DST_NOXFRM fast path);
 *   2. BLOCK => drop policy ref (elided return presumably -EPERM);
 *      ALLOW with no templates => pass untransformed;
 *   3. reuse a cached bundle if xfrm_find_bundle() hits;
 *   4. else resolve states; on -EAGAIN with @flags set, sleep on
 *      km_waitq (interruptible) and retry, bailing if signalled or if
 *      the genid moved under us;
 *   5. create the bundle, then re-check under policy->lock that the
 *      policy is still alive and the bundle not stale before chaining
 *      it onto policy->bundles (retry otherwise).
 */
705 int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
706 struct sock *sk, int flags)
708 struct xfrm_policy *policy;
709 struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
710 struct rtable *rt = (struct rtable*)*dst_p;
711 struct dst_entry *dst;
715 u16 family = (*dst_p)->ops->family;
/* NOTE(review): IPv4-specific flowi fixup; guarded by elided lines. */
720 fl->fl4_src = rt->rt_src;
722 fl->fl4_dst = rt->rt_dst;
724 /* Still not clear... */
730 genid = atomic_read(&flow_cache_genid);
732 if (sk && sk->sk_policy[1])
733 policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
736 /* To accelerate a bit... */
737 if ((rt->u.dst.flags & DST_NOXFRM) || !xfrm_policy_list[XFRM_POLICY_OUT])
740 policy = flow_cache_lookup(fl, family,
741 policy_to_flow_dir(XFRM_POLICY_OUT),
748 policy->curlft.use_time = (unsigned long)xtime.tv_sec;
750 switch (policy->action) {
751 case XFRM_POLICY_BLOCK:
752 /* Prohibit the flow */
753 xfrm_pol_put(policy);
756 case XFRM_POLICY_ALLOW:
757 if (policy->xfrm_nr == 0) {
758 /* Flow passes not transformed. */
759 xfrm_pol_put(policy);
763 /* Try to find matching bundle.
765 * LATER: help from flow cache. It is optional, this
766 * is required only for output policy.
768 dst = xfrm_find_bundle(fl, policy, family);
770 xfrm_pol_put(policy);
777 nx = xfrm_tmpl_resolve(policy, fl, xfrm, family);
779 if (unlikely(nx<0)) {
781 if (err == -EAGAIN && flags) {
782 DECLARE_WAITQUEUE(wait, current);
784 add_wait_queue(&km_waitq, &wait);
785 set_current_state(TASK_INTERRUPTIBLE);
787 set_current_state(TASK_RUNNING);
788 remove_wait_queue(&km_waitq, &wait);
790 nx = xfrm_tmpl_resolve(policy, fl, xfrm, family);
792 if (nx == -EAGAIN && signal_pending(current)) {
797 genid != atomic_read(&flow_cache_genid)) {
798 xfrm_pol_put(policy);
807 /* Flow passes not transformed. */
808 xfrm_pol_put(policy);
813 err = xfrm_bundle_create(policy, xfrm, nx, fl, &dst, family);
/* Bundle creation failed: release the resolved states (loop head elided). */
818 xfrm_state_put(xfrm[i]);
822 write_lock_bh(&policy->lock);
823 if (unlikely(policy->dead || stale_bundle(dst))) {
824 /* Wow! While we worked on resolving, this
825 * policy has gone. Retry. It is not paranoia,
826 * we just cannot enlist new bundle to dead object.
827 * We can't enlist stable bundles either.
829 write_unlock_bh(&policy->lock);
831 xfrm_pol_put(policy);
836 dst->next = policy->bundles;
837 policy->bundles = dst;
839 write_unlock_bh(&policy->lock);
843 xfrm_pol_put(policy);
848 xfrm_pol_put(policy);
853 /* When skb is transformed back to its "native" form, we have to
854 * check policy restrictions. At the moment we make this in maximally
855 * stupid way. Shame on me. :-) Of course, connected sockets must
856 * have policy cached at them.
/*
 * Does state @x satisfy template @tmpl?  Kernel-owned states only match
 * optional templates with matching addresses.  Otherwise require equal
 * proto, spi/reqid (unless the template leaves them wildcarded), mode,
 * an allowed auth algorithm, and — for tunnel mode — matching addresses.
 */
860 xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
861 unsigned short family)
863 if (xfrm_state_kern(x))
864 return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, family);
865 return x->id.proto == tmpl->id.proto &&
866 (x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
867 (x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
868 x->props.mode == tmpl->mode &&
869 (tmpl->aalgos & (1<<x->props.aalgo)) &&
870 !(x->props.mode && xfrm_state_addr_cmp(tmpl, x, family));
/*
 * Scan the skb's sec_path from index @start for a state satisfying
 * @tmpl.  Tunnel-mode entries act as barriers (the post-match handling
 * and return values are elided in this excerpt).
 */
874 xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
875 unsigned short family)
879 if (tmpl->optional) {
884 for (; idx < sp->len; idx++) {
885 if (xfrm_state_ok(tmpl, sp->x[idx].xvec, family))
887 if (sp->x[idx].xvec->props.mode)
/*
 * Fill @fl from the packet headers via the per-family decode_session
 * hook; -EAFNOSUPPORT when the family has no afinfo registered.
 */
894 _decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
896 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
898 if (unlikely(afinfo == NULL))
899 return -EAFNOSUPPORT;
901 afinfo->decode_session(skb, fl);
902 xfrm_policy_put_afinfo(afinfo);
/*
 * Inbound policy check for a decapsulated packet.  Steps visible in
 * this (elided) excerpt:
 *   1. decode the flow from the skb;
 *   2. verify each SA used (skb->sp) still matches its own selector,
 *      and run the type's optional post_input hook;
 *   3. look up the applicable policy (socket policy first, then flow
 *      cache); with no sec_path a static dummy stands in;
 *   4. for an ALLOW policy, require every template to be satisfied in
 *      order via xfrm_policy_ok(), and (tail loop) reject if any
 *      unmatched tunnel-mode entry remains in the sec_path.
 * Return values and failure labels are elided.
 */
906 int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
907 unsigned short family)
909 struct xfrm_policy *pol;
912 if (_decode_session(skb, &fl, family) < 0)
915 /* First, check used SA against their selectors. */
919 for (i=skb->sp->len-1; i>=0; i--) {
920 struct sec_decap_state *xvec = &(skb->sp->x[i]);
921 if (!xfrm_selector_match(&xvec->xvec->sel, &fl, family))
924 /* If there is a post_input processor, try running it */
925 if (xvec->xvec->type->post_input &&
926 (xvec->xvec->type->post_input)(xvec->xvec,
934 if (sk && sk->sk_policy[dir])
935 pol = xfrm_sk_policy_lookup(sk, dir, &fl);
938 pol = flow_cache_lookup(&fl, family,
939 policy_to_flow_dir(dir),
945 pol->curlft.use_time = (unsigned long)xtime.tv_sec;
947 if (pol->action == XFRM_POLICY_ALLOW) {
949 static struct sec_path dummy;
952 if ((sp = skb->sp) == NULL)
955 /* For each tunnel xfrm, find the first matching tmpl.
956 * For each tmpl before that, find corresponding xfrm.
957 * Order is _important_. Later we will implement
958 * some barriers, but at the moment barriers
959 * are implied between each two transformations.
961 for (i = pol->xfrm_nr-1, k = 0; i >= 0; i--) {
962 k = xfrm_policy_ok(pol->xfrm_vec+i, sp, k, family);
/* Any leftover tunnel-mode entry past the last template => reject. */
967 for (; k < sp->len; k++) {
968 if (sp->x[k].xvec->props.mode)
/*
 * Forwarding-path hook: decode the flow and run xfrm_lookup() on the
 * skb's dst; nonzero means the packet may be forwarded.
 */
981 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
985 if (_decode_session(skb, &fl, family) < 0)
988 return xfrm_lookup(&skb->dst, &fl, NULL, 0) == 0;
991 /* Optimize later using cookies and generation ids. */
/*
 * dst_ops->check hook: a bundle stays valid only while not stale; the
 * return statements are elided in this excerpt.
 */
993 static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
995 if (!stale_bundle(dst))
/*
 * Walk the bundle's child chain; it is stale if any link is obsolete,
 * its device is down, or its attached state is no longer VALID.
 * (Loop header and returns elided in this excerpt.)
 */
1002 static int stale_bundle(struct dst_entry *dst)
1004 struct dst_entry *child = dst;
1007 if (child->obsolete > 0 ||
1008 (child->dev && !netif_running(child->dev)) ||
1009 (child->xfrm && child->xfrm->km.state != XFRM_STATE_VALID)) {
1012 child = child->child;
/* dst_ops->destroy hook: drop the reference on the attached state (guard elided). */
1018 static void xfrm_dst_destroy(struct dst_entry *dst)
1022 xfrm_state_put(dst->xfrm);
/* dst_ops->link_failure hook: intentionally empty, per the comment below. */
1026 static void xfrm_link_failure(struct sk_buff *skb)
1028 /* Impossible. Such dst must be popped before reaches point of failure. */
/*
 * dst_ops->negative_advice hook: an obsolete bundle is released
 * (release/return lines elided in this excerpt).
 */
1032 static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
1035 if (dst->obsolete) {
/*
 * Walk every policy's bundle list and move each bundle for which
 * @func(dst) holds (predicate call elided) onto a private gc_list,
 * then free that list after dropping the locks.  Per-policy bundle
 * lists are protected by pol->lock nested inside xfrm_policy_lock.
 */
1043 static void xfrm_prune_bundles(int (*func)(struct dst_entry *))
1046 struct xfrm_policy *pol;
1047 struct dst_entry *dst, **dstp, *gc_list = NULL;
1049 read_lock_bh(&xfrm_policy_lock);
1050 for (i=0; i<2*XFRM_POLICY_MAX; i++) {
1051 for (pol = xfrm_policy_list[i]; pol; pol = pol->next) {
1052 write_lock(&pol->lock);
1053 dstp = &pol->bundles;
1054 while ((dst=*dstp) != NULL) {
1057 dst->next = gc_list;
1063 write_unlock(&pol->lock);
1066 read_unlock_bh(&xfrm_policy_lock);
/* Release collected bundles outside all locks (free call elided). */
1070 gc_list = dst->next;
/* Prune predicate: true when nobody holds a reference on the bundle. */
1075 static int unused_bundle(struct dst_entry *dst)
1077 return !atomic_read(&dst->__refcnt);
/* Garbage collection: drop bundles with no remaining users. */
1080 static void __xfrm_garbage_collect(void)
1082 xfrm_prune_bundles(unused_bundle);
/* Drop every stale bundle (used from the netdevice notifier). */
1085 int xfrm_flush_bundles(void)
1087 xfrm_prune_bundles(stale_bundle);
1091 /* Well... that's _TASK_. We need to scan through transformation
1092 * list and figure out what mss tcp should generate in order to
1093 * final datagram fit to mtu. Mama mia... :-)
1095 * Apparently, some easy way exists, but we used to choose the most
1096 * bizarre ones. :-) So, raising Kalashnikov... tra-ta-ta.
1098 * Consider this function as something like dark humour. :-)
/*
 * dst_ops->get_mss hook: iterate the transform chain, asking each valid
 * state's type for its max payload at the current size and adding its
 * header length, to find the TCP MSS that still fits @mtu after all
 * transforms.  The fixed-point/iteration control lines are elided in
 * this excerpt.
 */
1100 static int xfrm_get_mss(struct dst_entry *dst, u32 mtu)
1102 int res = mtu - dst->header_len;
1105 struct dst_entry *d = dst;
1109 struct xfrm_state *x = d->xfrm;
1111 spin_lock_bh(&x->lock);
1112 if (x->km.state == XFRM_STATE_VALID &&
1113 x->type && x->type->get_max_size)
1114 m = x->type->get_max_size(d->xfrm, m);
1116 m += x->props.header_len;
1117 spin_unlock_bh(&x->lock);
1119 } while ((d = d->child) != NULL);
1128 return res + dst->header_len;
/*
 * Install per-family policy ops.  Rejects NULL afinfo and out-of-range
 * families; refuses a family already claimed (the EEXIST-style return
 * is elided).  Fills in any dst_ops/garbage_collect hooks the caller
 * left NULL with the generic xfrm implementations, so a family can
 * override only what it needs.
 */
1131 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
1134 if (unlikely(afinfo == NULL))
1136 if (unlikely(afinfo->family >= NPROTO))
1137 return -EAFNOSUPPORT;
1138 write_lock(&xfrm_policy_afinfo_lock);
1139 if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL))
1142 struct dst_ops *dst_ops = afinfo->dst_ops;
1143 if (likely(dst_ops->kmem_cachep == NULL))
1144 dst_ops->kmem_cachep = xfrm_dst_cache;
1145 if (likely(dst_ops->check == NULL))
1146 dst_ops->check = xfrm_dst_check;
1147 if (likely(dst_ops->destroy == NULL))
1148 dst_ops->destroy = xfrm_dst_destroy;
1149 if (likely(dst_ops->negative_advice == NULL))
1150 dst_ops->negative_advice = xfrm_negative_advice;
1151 if (likely(dst_ops->link_failure == NULL))
1152 dst_ops->link_failure = xfrm_link_failure;
1153 if (likely(dst_ops->get_mss == NULL))
1154 dst_ops->get_mss = xfrm_get_mss;
1155 if (likely(afinfo->garbage_collect == NULL))
1156 afinfo->garbage_collect = __xfrm_garbage_collect;
1157 xfrm_policy_afinfo[afinfo->family] = afinfo;
1159 write_unlock(&xfrm_policy_afinfo_lock);
/*
 * Undo xfrm_policy_register_afinfo: verify the registered entry is the
 * caller's (the mismatch error return is elided), clear the table slot
 * and null out every hook that registration may have filled in.
 */
1163 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
1166 if (unlikely(afinfo == NULL))
1168 if (unlikely(afinfo->family >= NPROTO))
1169 return -EAFNOSUPPORT;
1170 write_lock(&xfrm_policy_afinfo_lock);
1171 if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) {
1172 if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo))
1175 struct dst_ops *dst_ops = afinfo->dst_ops;
1176 xfrm_policy_afinfo[afinfo->family] = NULL;
1177 dst_ops->kmem_cachep = NULL;
1178 dst_ops->check = NULL;
1179 dst_ops->destroy = NULL;
1180 dst_ops->negative_advice = NULL;
1181 dst_ops->link_failure = NULL;
1182 dst_ops->get_mss = NULL;
1183 afinfo->garbage_collect = NULL;
1186 write_unlock(&xfrm_policy_afinfo_lock);
/*
 * Look up the afinfo for @family, returning it with afinfo->lock
 * read-held (released by xfrm_policy_put_afinfo).  Taking afinfo->lock
 * before dropping the table lock pins the entry against unregistration.
 */
1190 struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)
1192 struct xfrm_policy_afinfo *afinfo;
1193 if (unlikely(family >= NPROTO))
1195 read_lock(&xfrm_policy_afinfo_lock);
1196 afinfo = xfrm_policy_afinfo[family];
1197 if (likely(afinfo != NULL))
1198 read_lock(&afinfo->lock);
1199 read_unlock(&xfrm_policy_afinfo_lock);
/* Release the read lock taken by xfrm_policy_get_afinfo(); NULL is a no-op. */
1203 void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo)
1205 if (unlikely(afinfo == NULL))
1207 read_unlock(&afinfo->lock);
/*
 * Netdevice notifier callback: flushes stale bundles on device events.
 * The event filter (presumably NETDEV_DOWN — TODO confirm) and the
 * notifier's function/field initializers are elided in this excerpt.
 */
1210 static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr)
1214 xfrm_flush_bundles();
1219 struct notifier_block xfrm_dev_notifier = {
/*
 * Boot-time init: create the xfrm_dst slab cache (panic on failure —
 * IPsec cannot function without it), set up the deferred policy GC
 * work item, and register the netdevice notifier.
 */
1225 void __init xfrm_policy_init(void)
1227 xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache",
1228 sizeof(struct xfrm_dst),
1229 0, SLAB_HWCACHE_ALIGN,
1231 if (!xfrm_dst_cache)
1232 panic("XFRM: failed to allocate xfrm_dst_cache\n");
1234 INIT_WORK(&xfrm_policy_gc_work, xfrm_policy_gc_task, NULL);
1238 register_netdevice_notifier(&xfrm_dev_notifier);
1238 void __init xfrm_init(void)