6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * Kazunori MIYAZAWA @USAGI
11 * Split up af-specific portion
12 * Derek Atkins <derek@ihtfp.com> Add the post_input processor
16 #include <linux/config.h>
17 #include <linux/slab.h>
18 #include <linux/kmod.h>
19 #include <linux/list.h>
20 #include <linux/spinlock.h>
21 #include <linux/workqueue.h>
22 #include <linux/notifier.h>
23 #include <linux/netdevice.h>
24 #include <linux/module.h>
28 DECLARE_MUTEX(xfrm_cfg_sem);
29 EXPORT_SYMBOL(xfrm_cfg_sem);
31 static DEFINE_RWLOCK(xfrm_policy_lock);
33 struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2];
34 EXPORT_SYMBOL(xfrm_policy_list);
36 static DEFINE_RWLOCK(xfrm_policy_afinfo_lock);
37 static struct xfrm_policy_afinfo *xfrm_policy_afinfo[NPROTO];
39 static kmem_cache_t *xfrm_dst_cache;
41 static struct work_struct xfrm_policy_gc_work;
42 static struct list_head xfrm_policy_gc_list =
43 LIST_HEAD_INIT(xfrm_policy_gc_list);
44 static DEFINE_SPINLOCK(xfrm_policy_gc_lock);
46 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
47 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
49 int xfrm_register_type(struct xfrm_type *type, unsigned short family)
51 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
52 struct xfrm_type_map *typemap;
55 if (unlikely(afinfo == NULL))
57 typemap = afinfo->type_map;
59 write_lock(&typemap->lock);
60 if (likely(typemap->map[type->proto] == NULL))
61 typemap->map[type->proto] = type;
64 write_unlock(&typemap->lock);
65 xfrm_policy_put_afinfo(afinfo);
68 EXPORT_SYMBOL(xfrm_register_type);
70 int xfrm_unregister_type(struct xfrm_type *type, unsigned short family)
72 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
73 struct xfrm_type_map *typemap;
76 if (unlikely(afinfo == NULL))
78 typemap = afinfo->type_map;
80 write_lock(&typemap->lock);
81 if (unlikely(typemap->map[type->proto] != type))
84 typemap->map[type->proto] = NULL;
85 write_unlock(&typemap->lock);
86 xfrm_policy_put_afinfo(afinfo);
89 EXPORT_SYMBOL(xfrm_unregister_type);
91 struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
93 struct xfrm_policy_afinfo *afinfo;
94 struct xfrm_type_map *typemap;
95 struct xfrm_type *type;
96 int modload_attempted = 0;
99 afinfo = xfrm_policy_get_afinfo(family);
100 if (unlikely(afinfo == NULL))
102 typemap = afinfo->type_map;
104 read_lock(&typemap->lock);
105 type = typemap->map[proto];
106 if (unlikely(type && !try_module_get(type->owner)))
108 read_unlock(&typemap->lock);
109 if (!type && !modload_attempted) {
110 xfrm_policy_put_afinfo(afinfo);
111 request_module("xfrm-type-%d-%d",
112 (int) family, (int) proto);
113 modload_attempted = 1;
117 xfrm_policy_put_afinfo(afinfo);
120 EXPORT_SYMBOL(xfrm_get_type);
122 int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl,
123 unsigned short family)
125 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
128 if (unlikely(afinfo == NULL))
129 return -EAFNOSUPPORT;
131 if (likely(afinfo->dst_lookup != NULL))
132 err = afinfo->dst_lookup(dst, fl);
135 xfrm_policy_put_afinfo(afinfo);
138 EXPORT_SYMBOL(xfrm_dst_lookup);
140 void xfrm_put_type(struct xfrm_type *type)
142 module_put(type->owner);
145 static inline unsigned long make_jiffies(long secs)
147 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
148 return MAX_SCHEDULE_TIMEOUT-1;
153 static void xfrm_policy_timer(unsigned long data)
155 struct xfrm_policy *xp = (struct xfrm_policy*)data;
156 unsigned long now = (unsigned long)xtime.tv_sec;
157 long next = LONG_MAX;
161 read_lock(&xp->lock);
168 if (xp->lft.hard_add_expires_seconds) {
169 long tmo = xp->lft.hard_add_expires_seconds +
170 xp->curlft.add_time - now;
176 if (xp->lft.hard_use_expires_seconds) {
177 long tmo = xp->lft.hard_use_expires_seconds +
178 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
184 if (xp->lft.soft_add_expires_seconds) {
185 long tmo = xp->lft.soft_add_expires_seconds +
186 xp->curlft.add_time - now;
189 tmo = XFRM_KM_TIMEOUT;
194 if (xp->lft.soft_use_expires_seconds) {
195 long tmo = xp->lft.soft_use_expires_seconds +
196 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
199 tmo = XFRM_KM_TIMEOUT;
206 km_policy_expired(xp, dir, 0);
207 if (next != LONG_MAX &&
208 !mod_timer(&xp->timer, jiffies + make_jiffies(next)))
212 read_unlock(&xp->lock);
217 read_unlock(&xp->lock);
218 km_policy_expired(xp, dir, 1);
219 xfrm_policy_delete(xp, dir);
224 /* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
228 struct xfrm_policy *xfrm_policy_alloc(int gfp)
230 struct xfrm_policy *policy;
232 policy = kmalloc(sizeof(struct xfrm_policy), gfp);
235 memset(policy, 0, sizeof(struct xfrm_policy));
236 atomic_set(&policy->refcnt, 1);
237 rwlock_init(&policy->lock);
238 init_timer(&policy->timer);
239 policy->timer.data = (unsigned long)policy;
240 policy->timer.function = xfrm_policy_timer;
244 EXPORT_SYMBOL(xfrm_policy_alloc);
246 /* Destroy xfrm_policy: descendant resources must be released to this moment. */
248 void __xfrm_policy_destroy(struct xfrm_policy *policy)
256 if (del_timer(&policy->timer))
261 EXPORT_SYMBOL(__xfrm_policy_destroy);
263 static void xfrm_policy_gc_kill(struct xfrm_policy *policy)
265 struct dst_entry *dst;
267 while ((dst = policy->bundles) != NULL) {
268 policy->bundles = dst->next;
272 if (del_timer(&policy->timer))
273 atomic_dec(&policy->refcnt);
275 if (atomic_read(&policy->refcnt) > 1)
278 xfrm_pol_put(policy);
281 static void xfrm_policy_gc_task(void *data)
283 struct xfrm_policy *policy;
284 struct list_head *entry, *tmp;
285 struct list_head gc_list = LIST_HEAD_INIT(gc_list);
287 spin_lock_bh(&xfrm_policy_gc_lock);
288 list_splice_init(&xfrm_policy_gc_list, &gc_list);
289 spin_unlock_bh(&xfrm_policy_gc_lock);
291 list_for_each_safe(entry, tmp, &gc_list) {
292 policy = list_entry(entry, struct xfrm_policy, list);
293 xfrm_policy_gc_kill(policy);
297 /* Rule must be locked. Release descentant resources, announce
298 * entry dead. The rule must be unlinked from lists to the moment.
301 static void xfrm_policy_kill(struct xfrm_policy *policy)
303 write_lock_bh(&policy->lock);
309 spin_lock(&xfrm_policy_gc_lock);
310 list_add(&policy->list, &xfrm_policy_gc_list);
311 spin_unlock(&xfrm_policy_gc_lock);
312 schedule_work(&xfrm_policy_gc_work);
315 write_unlock_bh(&policy->lock);
318 /* Generate new index... KAME seems to generate them ordered by cost
319 * of an absolute inpredictability of ordering of rules. This will not pass. */
320 static u32 xfrm_gen_index(int dir)
323 struct xfrm_policy *p;
324 static u32 idx_generator;
327 idx = (idx_generator | dir);
331 for (p = xfrm_policy_list[dir]; p; p = p->next) {
340 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
342 struct xfrm_policy *pol, **p;
343 struct xfrm_policy *delpol = NULL;
344 struct xfrm_policy **newpos = NULL;
346 write_lock_bh(&xfrm_policy_lock);
347 for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL;) {
348 if (!delpol && memcmp(&policy->selector, &pol->selector, sizeof(pol->selector)) == 0) {
350 write_unlock_bh(&xfrm_policy_lock);
355 if (policy->priority > pol->priority)
357 } else if (policy->priority >= pol->priority) {
369 xfrm_pol_hold(policy);
372 atomic_inc(&flow_cache_genid);
373 policy->index = delpol ? delpol->index : xfrm_gen_index(dir);
374 policy->curlft.add_time = (unsigned long)xtime.tv_sec;
375 policy->curlft.use_time = 0;
376 if (!mod_timer(&policy->timer, jiffies + HZ))
377 xfrm_pol_hold(policy);
378 write_unlock_bh(&xfrm_policy_lock);
381 xfrm_policy_kill(delpol);
385 EXPORT_SYMBOL(xfrm_policy_insert);
387 struct xfrm_policy *xfrm_policy_bysel(int dir, struct xfrm_selector *sel,
390 struct xfrm_policy *pol, **p;
392 write_lock_bh(&xfrm_policy_lock);
393 for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL; p = &pol->next) {
394 if (memcmp(sel, &pol->selector, sizeof(*sel)) == 0) {
401 write_unlock_bh(&xfrm_policy_lock);
404 atomic_inc(&flow_cache_genid);
405 xfrm_policy_kill(pol);
409 EXPORT_SYMBOL(xfrm_policy_bysel);
411 struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete)
413 struct xfrm_policy *pol, **p;
415 write_lock_bh(&xfrm_policy_lock);
416 for (p = &xfrm_policy_list[id & 7]; (pol=*p)!=NULL; p = &pol->next) {
417 if (pol->index == id) {
424 write_unlock_bh(&xfrm_policy_lock);
427 atomic_inc(&flow_cache_genid);
428 xfrm_policy_kill(pol);
432 EXPORT_SYMBOL(xfrm_policy_byid);
434 void xfrm_policy_flush(void)
436 struct xfrm_policy *xp;
439 write_lock_bh(&xfrm_policy_lock);
440 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
441 while ((xp = xfrm_policy_list[dir]) != NULL) {
442 xfrm_policy_list[dir] = xp->next;
443 write_unlock_bh(&xfrm_policy_lock);
445 xfrm_policy_kill(xp);
447 write_lock_bh(&xfrm_policy_lock);
450 atomic_inc(&flow_cache_genid);
451 write_unlock_bh(&xfrm_policy_lock);
453 EXPORT_SYMBOL(xfrm_policy_flush);
455 int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*),
458 struct xfrm_policy *xp;
463 read_lock_bh(&xfrm_policy_lock);
464 for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
465 for (xp = xfrm_policy_list[dir]; xp; xp = xp->next)
474 for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
475 for (xp = xfrm_policy_list[dir]; xp; xp = xp->next) {
476 error = func(xp, dir%XFRM_POLICY_MAX, --count, data);
483 read_unlock_bh(&xfrm_policy_lock);
486 EXPORT_SYMBOL(xfrm_policy_walk);
488 /* Find policy to apply to this flow. */
490 static void xfrm_policy_lookup(struct flowi *fl, u16 family, u8 dir,
491 void **objp, atomic_t **obj_refp)
493 struct xfrm_policy *pol;
495 read_lock_bh(&xfrm_policy_lock);
496 for (pol = xfrm_policy_list[dir]; pol; pol = pol->next) {
497 struct xfrm_selector *sel = &pol->selector;
500 if (pol->family != family)
503 match = xfrm_selector_match(sel, fl, family);
509 read_unlock_bh(&xfrm_policy_lock);
510 if ((*objp = (void *) pol) != NULL)
511 *obj_refp = &pol->refcnt;
514 static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl)
516 struct xfrm_policy *pol;
518 read_lock_bh(&xfrm_policy_lock);
519 if ((pol = sk->sk_policy[dir]) != NULL) {
520 int match = xfrm_selector_match(&pol->selector, fl,
527 read_unlock_bh(&xfrm_policy_lock);
531 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
533 pol->next = xfrm_policy_list[dir];
534 xfrm_policy_list[dir] = pol;
538 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
541 struct xfrm_policy **polp;
543 for (polp = &xfrm_policy_list[dir];
544 *polp != NULL; polp = &(*polp)->next) {
553 void xfrm_policy_delete(struct xfrm_policy *pol, int dir)
555 write_lock_bh(&xfrm_policy_lock);
556 pol = __xfrm_policy_unlink(pol, dir);
557 write_unlock_bh(&xfrm_policy_lock);
559 if (dir < XFRM_POLICY_MAX)
560 atomic_inc(&flow_cache_genid);
561 xfrm_policy_kill(pol);
565 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
567 struct xfrm_policy *old_pol;
569 write_lock_bh(&xfrm_policy_lock);
570 old_pol = sk->sk_policy[dir];
571 sk->sk_policy[dir] = pol;
573 pol->curlft.add_time = (unsigned long)xtime.tv_sec;
574 pol->index = xfrm_gen_index(XFRM_POLICY_MAX+dir);
575 __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir);
578 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
579 write_unlock_bh(&xfrm_policy_lock);
582 xfrm_policy_kill(old_pol);
587 static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir)
589 struct xfrm_policy *newp = xfrm_policy_alloc(GFP_ATOMIC);
592 newp->selector = old->selector;
593 newp->lft = old->lft;
594 newp->curlft = old->curlft;
595 newp->action = old->action;
596 newp->flags = old->flags;
597 newp->xfrm_nr = old->xfrm_nr;
598 newp->index = old->index;
599 memcpy(newp->xfrm_vec, old->xfrm_vec,
600 newp->xfrm_nr*sizeof(struct xfrm_tmpl));
601 write_lock_bh(&xfrm_policy_lock);
602 __xfrm_policy_link(newp, XFRM_POLICY_MAX+dir);
603 write_unlock_bh(&xfrm_policy_lock);
609 int __xfrm_sk_clone_policy(struct sock *sk)
611 struct xfrm_policy *p0 = sk->sk_policy[0],
612 *p1 = sk->sk_policy[1];
614 sk->sk_policy[0] = sk->sk_policy[1] = NULL;
615 if (p0 && (sk->sk_policy[0] = clone_policy(p0, 0)) == NULL)
617 if (p1 && (sk->sk_policy[1] = clone_policy(p1, 1)) == NULL)
622 /* Resolve list of templates for the flow, given policy. */
625 xfrm_tmpl_resolve(struct xfrm_policy *policy, struct flowi *fl,
626 struct xfrm_state **xfrm,
627 unsigned short family)
631 xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
632 xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
634 for (nx=0, i = 0; i < policy->xfrm_nr; i++) {
635 struct xfrm_state *x;
636 xfrm_address_t *remote = daddr;
637 xfrm_address_t *local = saddr;
638 struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
641 remote = &tmpl->id.daddr;
642 local = &tmpl->saddr;
645 x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
647 if (x && x->km.state == XFRM_STATE_VALID) {
654 error = (x->km.state == XFRM_STATE_ERROR ?
665 for (nx--; nx>=0; nx--)
666 xfrm_state_put(xfrm[nx]);
670 /* Check that the bundle accepts the flow and its components are
674 static struct dst_entry *
675 xfrm_find_bundle(struct flowi *fl, struct xfrm_policy *policy, unsigned short family)
678 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
679 if (unlikely(afinfo == NULL))
680 return ERR_PTR(-EINVAL);
681 x = afinfo->find_bundle(fl, policy);
682 xfrm_policy_put_afinfo(afinfo);
686 /* Allocate chain of dst_entry's, attach known xfrm's, calculate
687 * all the metrics... Shortly, bundle a bundle.
691 xfrm_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int nx,
692 struct flowi *fl, struct dst_entry **dst_p,
693 unsigned short family)
696 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
697 if (unlikely(afinfo == NULL))
699 err = afinfo->bundle_create(policy, xfrm, nx, fl, dst_p);
700 xfrm_policy_put_afinfo(afinfo);
704 static inline int policy_to_flow_dir(int dir)
706 if (XFRM_POLICY_IN == FLOW_DIR_IN &&
707 XFRM_POLICY_OUT == FLOW_DIR_OUT &&
708 XFRM_POLICY_FWD == FLOW_DIR_FWD)
714 case XFRM_POLICY_OUT:
716 case XFRM_POLICY_FWD:
721 static int stale_bundle(struct dst_entry *dst);
723 /* Main function: finds/creates a bundle for given flow.
725 * At the moment we eat a raw IP route. Mostly to speed up lookups
726 * on interfaces with disabled IPsec.
728 int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
729 struct sock *sk, int flags)
731 struct xfrm_policy *policy;
732 struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
733 struct dst_entry *dst, *dst_orig = *dst_p;
737 u16 family = dst_orig->ops->family;
739 genid = atomic_read(&flow_cache_genid);
741 if (sk && sk->sk_policy[1])
742 policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
745 /* To accelerate a bit... */
746 if ((dst_orig->flags & DST_NOXFRM) || !xfrm_policy_list[XFRM_POLICY_OUT])
749 policy = flow_cache_lookup(fl, family,
750 policy_to_flow_dir(XFRM_POLICY_OUT),
757 policy->curlft.use_time = (unsigned long)xtime.tv_sec;
759 switch (policy->action) {
760 case XFRM_POLICY_BLOCK:
761 /* Prohibit the flow */
762 xfrm_pol_put(policy);
765 case XFRM_POLICY_ALLOW:
766 if (policy->xfrm_nr == 0) {
767 /* Flow passes not transformed. */
768 xfrm_pol_put(policy);
772 /* Try to find matching bundle.
774 * LATER: help from flow cache. It is optional, this
775 * is required only for output policy.
777 dst = xfrm_find_bundle(fl, policy, family);
779 xfrm_pol_put(policy);
786 nx = xfrm_tmpl_resolve(policy, fl, xfrm, family);
788 if (unlikely(nx<0)) {
790 if (err == -EAGAIN && flags) {
791 DECLARE_WAITQUEUE(wait, current);
793 add_wait_queue(&km_waitq, &wait);
794 set_current_state(TASK_INTERRUPTIBLE);
796 set_current_state(TASK_RUNNING);
797 remove_wait_queue(&km_waitq, &wait);
799 nx = xfrm_tmpl_resolve(policy, fl, xfrm, family);
801 if (nx == -EAGAIN && signal_pending(current)) {
806 genid != atomic_read(&flow_cache_genid)) {
807 xfrm_pol_put(policy);
816 /* Flow passes not transformed. */
817 xfrm_pol_put(policy);
822 err = xfrm_bundle_create(policy, xfrm, nx, fl, &dst, family);
827 xfrm_state_put(xfrm[i]);
831 write_lock_bh(&policy->lock);
832 if (unlikely(policy->dead || stale_bundle(dst))) {
833 /* Wow! While we worked on resolving, this
834 * policy has gone. Retry. It is not paranoia,
835 * we just cannot enlist new bundle to dead object.
836 * We can't enlist stable bundles either.
838 write_unlock_bh(&policy->lock);
840 xfrm_pol_put(policy);
845 dst->next = policy->bundles;
846 policy->bundles = dst;
848 write_unlock_bh(&policy->lock);
851 dst_release(dst_orig);
852 xfrm_pol_put(policy);
856 dst_release(dst_orig);
857 xfrm_pol_put(policy);
861 EXPORT_SYMBOL(xfrm_lookup);
863 /* When skb is transformed back to its "native" form, we have to
864 * check policy restrictions. At the moment we make this in maximally
865 * stupid way. Shame on me. :-) Of course, connected sockets must
866 * have policy cached at them.
870 xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
871 unsigned short family)
873 if (xfrm_state_kern(x))
874 return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, family);
875 return x->id.proto == tmpl->id.proto &&
876 (x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
877 (x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
878 x->props.mode == tmpl->mode &&
879 (tmpl->aalgos & (1<<x->props.aalgo)) &&
880 !(x->props.mode && xfrm_state_addr_cmp(tmpl, x, family));
884 xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
885 unsigned short family)
889 if (tmpl->optional) {
894 for (; idx < sp->len; idx++) {
895 if (xfrm_state_ok(tmpl, sp->x[idx].xvec, family))
897 if (sp->x[idx].xvec->props.mode)
904 _decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
906 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
908 if (unlikely(afinfo == NULL))
909 return -EAFNOSUPPORT;
911 afinfo->decode_session(skb, fl);
912 xfrm_policy_put_afinfo(afinfo);
916 static inline int secpath_has_tunnel(struct sec_path *sp, int k)
918 for (; k < sp->len; k++) {
919 if (sp->x[k].xvec->props.mode)
926 int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
927 unsigned short family)
929 struct xfrm_policy *pol;
932 if (_decode_session(skb, &fl, family) < 0)
935 /* First, check used SA against their selectors. */
939 for (i=skb->sp->len-1; i>=0; i--) {
940 struct sec_decap_state *xvec = &(skb->sp->x[i]);
941 if (!xfrm_selector_match(&xvec->xvec->sel, &fl, family))
944 /* If there is a post_input processor, try running it */
945 if (xvec->xvec->type->post_input &&
946 (xvec->xvec->type->post_input)(xvec->xvec,
954 if (sk && sk->sk_policy[dir])
955 pol = xfrm_sk_policy_lookup(sk, dir, &fl);
958 pol = flow_cache_lookup(&fl, family,
959 policy_to_flow_dir(dir),
963 return !skb->sp || !secpath_has_tunnel(skb->sp, 0);
965 pol->curlft.use_time = (unsigned long)xtime.tv_sec;
967 if (pol->action == XFRM_POLICY_ALLOW) {
969 static struct sec_path dummy;
972 if ((sp = skb->sp) == NULL)
975 /* For each tunnel xfrm, find the first matching tmpl.
976 * For each tmpl before that, find corresponding xfrm.
977 * Order is _important_. Later we will implement
978 * some barriers, but at the moment barriers
979 * are implied between each two transformations.
981 for (i = pol->xfrm_nr-1, k = 0; i >= 0; i--) {
982 k = xfrm_policy_ok(pol->xfrm_vec+i, sp, k, family);
987 if (secpath_has_tunnel(sp, k))
998 EXPORT_SYMBOL(__xfrm_policy_check);
1000 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1004 if (_decode_session(skb, &fl, family) < 0)
1007 return xfrm_lookup(&skb->dst, &fl, NULL, 0) == 0;
1009 EXPORT_SYMBOL(__xfrm_route_forward);
1011 /* Optimize later using cookies and generation ids. */
1013 static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
1015 if (!stale_bundle(dst))
1022 static int stale_bundle(struct dst_entry *dst)
1024 struct dst_entry *child = dst;
1027 if (child->obsolete > 0 ||
1028 (child->dev && !netif_running(child->dev)) ||
1029 (child->xfrm && child->xfrm->km.state != XFRM_STATE_VALID)) {
1032 child = child->child;
1038 static void xfrm_dst_destroy(struct dst_entry *dst)
1042 xfrm_state_put(dst->xfrm);
1046 static void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
1052 while ((dst = dst->child) && dst->xfrm && dst->dev == dev) {
1053 dst->dev = &loopback_dev;
1054 dev_hold(&loopback_dev);
1059 static void xfrm_link_failure(struct sk_buff *skb)
1061 /* Impossible. Such dst must be popped before reaches point of failure. */
1065 static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
1068 if (dst->obsolete) {
1076 static void xfrm_prune_bundles(int (*func)(struct dst_entry *))
1079 struct xfrm_policy *pol;
1080 struct dst_entry *dst, **dstp, *gc_list = NULL;
1082 read_lock_bh(&xfrm_policy_lock);
1083 for (i=0; i<2*XFRM_POLICY_MAX; i++) {
1084 for (pol = xfrm_policy_list[i]; pol; pol = pol->next) {
1085 write_lock(&pol->lock);
1086 dstp = &pol->bundles;
1087 while ((dst=*dstp) != NULL) {
1090 dst->next = gc_list;
1096 write_unlock(&pol->lock);
1099 read_unlock_bh(&xfrm_policy_lock);
1103 gc_list = dst->next;
1108 static int unused_bundle(struct dst_entry *dst)
1110 return !atomic_read(&dst->__refcnt);
1113 static void __xfrm_garbage_collect(void)
1115 xfrm_prune_bundles(unused_bundle);
1118 int xfrm_flush_bundles(void)
1120 xfrm_prune_bundles(stale_bundle);
1124 /* Well... that's _TASK_. We need to scan through transformation
1125 * list and figure out what mss tcp should generate in order to
1126 * final datagram fit to mtu. Mama mia... :-)
1128 * Apparently, some easy way exists, but we used to choose the most
1129 * bizarre ones. :-) So, raising Kalashnikov... tra-ta-ta.
1131 * Consider this function as something like dark humour. :-)
1133 static int xfrm_get_mss(struct dst_entry *dst, u32 mtu)
1135 int res = mtu - dst->header_len;
1138 struct dst_entry *d = dst;
1142 struct xfrm_state *x = d->xfrm;
1144 spin_lock_bh(&x->lock);
1145 if (x->km.state == XFRM_STATE_VALID &&
1146 x->type && x->type->get_max_size)
1147 m = x->type->get_max_size(d->xfrm, m);
1149 m += x->props.header_len;
1150 spin_unlock_bh(&x->lock);
1152 } while ((d = d->child) != NULL);
1161 return res + dst->header_len;
1164 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
1167 if (unlikely(afinfo == NULL))
1169 if (unlikely(afinfo->family >= NPROTO))
1170 return -EAFNOSUPPORT;
1171 write_lock(&xfrm_policy_afinfo_lock);
1172 if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL))
1175 struct dst_ops *dst_ops = afinfo->dst_ops;
1176 if (likely(dst_ops->kmem_cachep == NULL))
1177 dst_ops->kmem_cachep = xfrm_dst_cache;
1178 if (likely(dst_ops->check == NULL))
1179 dst_ops->check = xfrm_dst_check;
1180 if (likely(dst_ops->destroy == NULL))
1181 dst_ops->destroy = xfrm_dst_destroy;
1182 if (likely(dst_ops->ifdown == NULL))
1183 dst_ops->ifdown = xfrm_dst_ifdown;
1184 if (likely(dst_ops->negative_advice == NULL))
1185 dst_ops->negative_advice = xfrm_negative_advice;
1186 if (likely(dst_ops->link_failure == NULL))
1187 dst_ops->link_failure = xfrm_link_failure;
1188 if (likely(dst_ops->get_mss == NULL))
1189 dst_ops->get_mss = xfrm_get_mss;
1190 if (likely(afinfo->garbage_collect == NULL))
1191 afinfo->garbage_collect = __xfrm_garbage_collect;
1192 xfrm_policy_afinfo[afinfo->family] = afinfo;
1194 write_unlock(&xfrm_policy_afinfo_lock);
1197 EXPORT_SYMBOL(xfrm_policy_register_afinfo);
1199 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
1202 if (unlikely(afinfo == NULL))
1204 if (unlikely(afinfo->family >= NPROTO))
1205 return -EAFNOSUPPORT;
1206 write_lock(&xfrm_policy_afinfo_lock);
1207 if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) {
1208 if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo))
1211 struct dst_ops *dst_ops = afinfo->dst_ops;
1212 xfrm_policy_afinfo[afinfo->family] = NULL;
1213 dst_ops->kmem_cachep = NULL;
1214 dst_ops->check = NULL;
1215 dst_ops->destroy = NULL;
1216 dst_ops->ifdown = NULL;
1217 dst_ops->negative_advice = NULL;
1218 dst_ops->link_failure = NULL;
1219 dst_ops->get_mss = NULL;
1220 afinfo->garbage_collect = NULL;
1223 write_unlock(&xfrm_policy_afinfo_lock);
1226 EXPORT_SYMBOL(xfrm_policy_unregister_afinfo);
1228 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)
1230 struct xfrm_policy_afinfo *afinfo;
1231 if (unlikely(family >= NPROTO))
1233 read_lock(&xfrm_policy_afinfo_lock);
1234 afinfo = xfrm_policy_afinfo[family];
1235 if (likely(afinfo != NULL))
1236 read_lock(&afinfo->lock);
1237 read_unlock(&xfrm_policy_afinfo_lock);
1241 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo)
1243 if (unlikely(afinfo == NULL))
1245 read_unlock(&afinfo->lock);
1248 static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr)
1252 xfrm_flush_bundles();
1257 static struct notifier_block xfrm_dev_notifier = {
1263 static void __init xfrm_policy_init(void)
1265 xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache",
1266 sizeof(struct xfrm_dst),
1267 0, SLAB_HWCACHE_ALIGN,
1269 if (!xfrm_dst_cache)
1270 panic("XFRM: failed to allocate xfrm_dst_cache\n");
1272 INIT_WORK(&xfrm_policy_gc_work, xfrm_policy_gc_task, NULL);
1273 register_netdevice_notifier(&xfrm_dev_notifier);
1276 void __init xfrm_init(void)
git://git.onelab.eu / linux-2.6.git / blob