1 // SPDX-License-Identifier: GPL-2.0-only
7 * Kazunori MIYAZAWA @USAGI
8 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
10 * Kazunori MIYAZAWA @USAGI
12 * Split up af-specific portion
13 * Derek Atkins <derek@ihtfp.com> Add the post_input processor
17 #include <linux/err.h>
18 #include <linux/slab.h>
19 #include <linux/kmod.h>
20 #include <linux/list.h>
21 #include <linux/spinlock.h>
22 #include <linux/workqueue.h>
23 #include <linux/notifier.h>
24 #include <linux/netdevice.h>
25 #include <linux/netfilter.h>
26 #include <linux/module.h>
27 #include <linux/cache.h>
28 #include <linux/cpu.h>
29 #include <linux/audit.h>
30 #include <linux/rhashtable.h>
31 #include <linux/if_tunnel.h>
34 #include <net/inet_ecn.h>
38 #if IS_ENABLED(CONFIG_IPV6_MIP6)
41 #ifdef CONFIG_XFRM_STATISTICS
44 #ifdef CONFIG_XFRM_ESPINTCP
45 #include <net/espintcp.h>
48 #include "xfrm_hash.h"
50 #define XFRM_QUEUE_TMO_MIN ((unsigned)(HZ/10))
51 #define XFRM_QUEUE_TMO_MAX ((unsigned)(60*HZ))
52 #define XFRM_MAX_QUEUE_LEN 100
55 struct dst_entry *dst_orig;
59 /* prefixes smaller than this are stored in lists, not trees. */
60 #define INEXACT_PREFIXLEN_IPV4 16
61 #define INEXACT_PREFIXLEN_IPV6 48
63 struct xfrm_pol_inexact_node {
73 /* the policies matching this node, can be empty list */
74 struct hlist_head hhead;
77 /* xfrm inexact policy search tree:
78 * xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
80 * +---- root_d: sorted by daddr:prefix
82 * | xfrm_pol_inexact_node
84 * | +- root: sorted by saddr/prefix
86 * | | xfrm_pol_inexact_node
90 * | | + hhead: saddr:daddr policies
92 * | +- coarse policies and all any:daddr policies
94 * +---- root_s: sorted by saddr:prefix
96 * | xfrm_pol_inexact_node
100 * | + hhead: saddr:any policies
102 * +---- coarse policies and all any:any policies
104 * Lookups return four candidate lists:
105 * 1. any:any list from top-level xfrm_pol_inexact_bin
106 * 2. any:daddr list from daddr tree
107 * 3. saddr:daddr list from 2nd level daddr tree
108 * 4. saddr:any list from saddr tree
110 * This result set then needs to be searched for the policy with
111 * the lowest priority. If two results have same prio, youngest one wins.
114 struct xfrm_pol_inexact_key {
121 struct xfrm_pol_inexact_bin {
122 struct xfrm_pol_inexact_key k;
123 struct rhash_head head;
124 /* list containing '*:*' policies */
125 struct hlist_head hhead;
127 seqcount_spinlock_t count;
128 /* tree sorted by daddr/prefix */
129 struct rb_root root_d;
131 /* tree sorted by saddr/prefix */
132 struct rb_root root_s;
134 /* slow path below */
135 struct list_head inexact_bins;
139 enum xfrm_pol_inexact_candidate_type {
148 struct xfrm_pol_inexact_candidates {
149 struct hlist_head *res[XFRM_POL_CAND_MAX];
152 struct xfrm_flow_keys {
153 struct flow_dissector_key_basic basic;
154 struct flow_dissector_key_control control;
156 struct flow_dissector_key_ipv4_addrs ipv4;
157 struct flow_dissector_key_ipv6_addrs ipv6;
159 struct flow_dissector_key_ip ip;
160 struct flow_dissector_key_icmp icmp;
161 struct flow_dissector_key_ports ports;
162 struct flow_dissector_key_keyid gre;
165 static struct flow_dissector xfrm_session_dissector __ro_after_init;
167 static DEFINE_SPINLOCK(xfrm_if_cb_lock);
168 static struct xfrm_if_cb const __rcu *xfrm_if_cb __read_mostly;
170 static DEFINE_SPINLOCK(xfrm_policy_afinfo_lock);
171 static struct xfrm_policy_afinfo const __rcu *xfrm_policy_afinfo[AF_INET6 + 1]
174 static struct kmem_cache *xfrm_dst_cache __ro_after_init;
176 static struct rhashtable xfrm_policy_inexact_table;
177 static const struct rhashtable_params xfrm_pol_inexact_params;
179 static void xfrm_init_pmtu(struct xfrm_dst **bundle, int nr);
180 static int stale_bundle(struct dst_entry *dst);
181 static int xfrm_bundle_ok(struct xfrm_dst *xdst);
182 static void xfrm_policy_queue_process(struct timer_list *t);
184 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir);
185 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
188 static struct xfrm_pol_inexact_bin *
189 xfrm_policy_inexact_lookup(struct net *net, u8 type, u16 family, u8 dir,
192 static struct xfrm_pol_inexact_bin *
193 xfrm_policy_inexact_lookup_rcu(struct net *net,
194 u8 type, u16 family, u8 dir, u32 if_id);
195 static struct xfrm_policy *
196 xfrm_policy_insert_list(struct hlist_head *chain, struct xfrm_policy *policy,
198 static void xfrm_policy_insert_inexact_list(struct hlist_head *chain,
199 struct xfrm_policy *policy);
202 xfrm_policy_find_inexact_candidates(struct xfrm_pol_inexact_candidates *cand,
203 struct xfrm_pol_inexact_bin *b,
204 const xfrm_address_t *saddr,
205 const xfrm_address_t *daddr);
207 static inline bool xfrm_pol_hold_rcu(struct xfrm_policy *policy)
209 return refcount_inc_not_zero(&policy->refcnt);
213 __xfrm4_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
215 const struct flowi4 *fl4 = &fl->u.ip4;
217 return addr4_match(fl4->daddr, sel->daddr.a4, sel->prefixlen_d) &&
218 addr4_match(fl4->saddr, sel->saddr.a4, sel->prefixlen_s) &&
219 !((xfrm_flowi_dport(fl, &fl4->uli) ^ sel->dport) & sel->dport_mask) &&
220 !((xfrm_flowi_sport(fl, &fl4->uli) ^ sel->sport) & sel->sport_mask) &&
221 (fl4->flowi4_proto == sel->proto || !sel->proto) &&
222 (fl4->flowi4_oif == sel->ifindex || !sel->ifindex);
226 __xfrm6_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
228 const struct flowi6 *fl6 = &fl->u.ip6;
230 return addr_match(&fl6->daddr, &sel->daddr, sel->prefixlen_d) &&
231 addr_match(&fl6->saddr, &sel->saddr, sel->prefixlen_s) &&
232 !((xfrm_flowi_dport(fl, &fl6->uli) ^ sel->dport) & sel->dport_mask) &&
233 !((xfrm_flowi_sport(fl, &fl6->uli) ^ sel->sport) & sel->sport_mask) &&
234 (fl6->flowi6_proto == sel->proto || !sel->proto) &&
235 (fl6->flowi6_oif == sel->ifindex || !sel->ifindex);
238 bool xfrm_selector_match(const struct xfrm_selector *sel, const struct flowi *fl,
239 unsigned short family)
243 return __xfrm4_selector_match(sel, fl);
245 return __xfrm6_selector_match(sel, fl);
250 static const struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)
252 const struct xfrm_policy_afinfo *afinfo;
254 if (unlikely(family >= ARRAY_SIZE(xfrm_policy_afinfo)))
257 afinfo = rcu_dereference(xfrm_policy_afinfo[family]);
258 if (unlikely(!afinfo))
263 /* Called with rcu_read_lock(). */
264 static const struct xfrm_if_cb *xfrm_if_get_cb(void)
266 return rcu_dereference(xfrm_if_cb);
269 struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
270 const xfrm_address_t *saddr,
271 const xfrm_address_t *daddr,
272 int family, u32 mark)
274 const struct xfrm_policy_afinfo *afinfo;
275 struct dst_entry *dst;
277 afinfo = xfrm_policy_get_afinfo(family);
278 if (unlikely(afinfo == NULL))
279 return ERR_PTR(-EAFNOSUPPORT);
281 dst = afinfo->dst_lookup(net, tos, oif, saddr, daddr, mark);
287 EXPORT_SYMBOL(__xfrm_dst_lookup);
289 static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x,
291 xfrm_address_t *prev_saddr,
292 xfrm_address_t *prev_daddr,
293 int family, u32 mark)
295 struct net *net = xs_net(x);
296 xfrm_address_t *saddr = &x->props.saddr;
297 xfrm_address_t *daddr = &x->id.daddr;
298 struct dst_entry *dst;
300 if (x->type->flags & XFRM_TYPE_LOCAL_COADDR) {
304 if (x->type->flags & XFRM_TYPE_REMOTE_COADDR) {
309 dst = __xfrm_dst_lookup(net, tos, oif, saddr, daddr, family, mark);
312 if (prev_saddr != saddr)
313 memcpy(prev_saddr, saddr, sizeof(*prev_saddr));
314 if (prev_daddr != daddr)
315 memcpy(prev_daddr, daddr, sizeof(*prev_daddr));
321 static inline unsigned long make_jiffies(long secs)
323 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
324 return MAX_SCHEDULE_TIMEOUT-1;
329 static void xfrm_policy_timer(struct timer_list *t)
331 struct xfrm_policy *xp = from_timer(xp, t, timer);
332 time64_t now = ktime_get_real_seconds();
333 time64_t next = TIME64_MAX;
337 read_lock(&xp->lock);
339 if (unlikely(xp->walk.dead))
342 dir = xfrm_policy_id2dir(xp->index);
344 if (xp->lft.hard_add_expires_seconds) {
345 time64_t tmo = xp->lft.hard_add_expires_seconds +
346 xp->curlft.add_time - now;
352 if (xp->lft.hard_use_expires_seconds) {
353 time64_t tmo = xp->lft.hard_use_expires_seconds +
354 (READ_ONCE(xp->curlft.use_time) ? : xp->curlft.add_time) - now;
360 if (xp->lft.soft_add_expires_seconds) {
361 time64_t tmo = xp->lft.soft_add_expires_seconds +
362 xp->curlft.add_time - now;
365 tmo = XFRM_KM_TIMEOUT;
370 if (xp->lft.soft_use_expires_seconds) {
371 time64_t tmo = xp->lft.soft_use_expires_seconds +
372 (READ_ONCE(xp->curlft.use_time) ? : xp->curlft.add_time) - now;
375 tmo = XFRM_KM_TIMEOUT;
382 km_policy_expired(xp, dir, 0, 0);
383 if (next != TIME64_MAX &&
384 !mod_timer(&xp->timer, jiffies + make_jiffies(next)))
388 read_unlock(&xp->lock);
393 read_unlock(&xp->lock);
394 if (!xfrm_policy_delete(xp, dir))
395 km_policy_expired(xp, dir, 1, 0);
399 /* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
403 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
405 struct xfrm_policy *policy;
407 policy = kzalloc(sizeof(struct xfrm_policy), gfp);
410 write_pnet(&policy->xp_net, net);
411 INIT_LIST_HEAD(&policy->walk.all);
412 INIT_HLIST_NODE(&policy->bydst_inexact_list);
413 INIT_HLIST_NODE(&policy->bydst);
414 INIT_HLIST_NODE(&policy->byidx);
415 rwlock_init(&policy->lock);
416 refcount_set(&policy->refcnt, 1);
417 skb_queue_head_init(&policy->polq.hold_queue);
418 timer_setup(&policy->timer, xfrm_policy_timer, 0);
419 timer_setup(&policy->polq.hold_timer,
420 xfrm_policy_queue_process, 0);
424 EXPORT_SYMBOL(xfrm_policy_alloc);
426 static void xfrm_policy_destroy_rcu(struct rcu_head *head)
428 struct xfrm_policy *policy = container_of(head, struct xfrm_policy, rcu);
430 security_xfrm_policy_free(policy->security);
434 /* Destroy xfrm_policy: descendant resources must be released to this moment. */
436 void xfrm_policy_destroy(struct xfrm_policy *policy)
438 BUG_ON(!policy->walk.dead);
440 if (del_timer(&policy->timer) || del_timer(&policy->polq.hold_timer))
443 xfrm_dev_policy_free(policy);
444 call_rcu(&policy->rcu, xfrm_policy_destroy_rcu);
446 EXPORT_SYMBOL(xfrm_policy_destroy);
448 /* Rule must be locked. Release descendant resources, announce
449 * entry dead. The rule must be unlinked from lists to the moment.
452 static void xfrm_policy_kill(struct xfrm_policy *policy)
454 write_lock_bh(&policy->lock);
455 policy->walk.dead = 1;
456 write_unlock_bh(&policy->lock);
458 atomic_inc(&policy->genid);
460 if (del_timer(&policy->polq.hold_timer))
461 xfrm_pol_put(policy);
462 skb_queue_purge(&policy->polq.hold_queue);
464 if (del_timer(&policy->timer))
465 xfrm_pol_put(policy);
467 xfrm_pol_put(policy);
470 static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024;
472 static inline unsigned int idx_hash(struct net *net, u32 index)
474 return __idx_hash(index, net->xfrm.policy_idx_hmask);
477 /* calculate policy hash thresholds */
478 static void __get_hash_thresh(struct net *net,
479 unsigned short family, int dir,
480 u8 *dbits, u8 *sbits)
484 *dbits = net->xfrm.policy_bydst[dir].dbits4;
485 *sbits = net->xfrm.policy_bydst[dir].sbits4;
489 *dbits = net->xfrm.policy_bydst[dir].dbits6;
490 *sbits = net->xfrm.policy_bydst[dir].sbits6;
499 static struct hlist_head *policy_hash_bysel(struct net *net,
500 const struct xfrm_selector *sel,
501 unsigned short family, int dir)
503 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
508 __get_hash_thresh(net, family, dir, &dbits, &sbits);
509 hash = __sel_hash(sel, family, hmask, dbits, sbits);
511 if (hash == hmask + 1)
514 return rcu_dereference_check(net->xfrm.policy_bydst[dir].table,
515 lockdep_is_held(&net->xfrm.xfrm_policy_lock)) + hash;
518 static struct hlist_head *policy_hash_direct(struct net *net,
519 const xfrm_address_t *daddr,
520 const xfrm_address_t *saddr,
521 unsigned short family, int dir)
523 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
528 __get_hash_thresh(net, family, dir, &dbits, &sbits);
529 hash = __addr_hash(daddr, saddr, family, hmask, dbits, sbits);
531 return rcu_dereference_check(net->xfrm.policy_bydst[dir].table,
532 lockdep_is_held(&net->xfrm.xfrm_policy_lock)) + hash;
535 static void xfrm_dst_hash_transfer(struct net *net,
536 struct hlist_head *list,
537 struct hlist_head *ndsttable,
538 unsigned int nhashmask,
541 struct hlist_node *tmp, *entry0 = NULL;
542 struct xfrm_policy *pol;
548 hlist_for_each_entry_safe(pol, tmp, list, bydst) {
551 __get_hash_thresh(net, pol->family, dir, &dbits, &sbits);
552 h = __addr_hash(&pol->selector.daddr, &pol->selector.saddr,
553 pol->family, nhashmask, dbits, sbits);
554 if (!entry0 || pol->xdo.type == XFRM_DEV_OFFLOAD_PACKET) {
555 hlist_del_rcu(&pol->bydst);
556 hlist_add_head_rcu(&pol->bydst, ndsttable + h);
561 hlist_del_rcu(&pol->bydst);
562 hlist_add_behind_rcu(&pol->bydst, entry0);
564 entry0 = &pol->bydst;
566 if (!hlist_empty(list)) {
572 static void xfrm_idx_hash_transfer(struct hlist_head *list,
573 struct hlist_head *nidxtable,
574 unsigned int nhashmask)
576 struct hlist_node *tmp;
577 struct xfrm_policy *pol;
579 hlist_for_each_entry_safe(pol, tmp, list, byidx) {
582 h = __idx_hash(pol->index, nhashmask);
583 hlist_add_head(&pol->byidx, nidxtable+h);
587 static unsigned long xfrm_new_hash_mask(unsigned int old_hmask)
589 return ((old_hmask + 1) << 1) - 1;
592 static void xfrm_bydst_resize(struct net *net, int dir)
594 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
595 unsigned int nhashmask = xfrm_new_hash_mask(hmask);
596 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
597 struct hlist_head *ndst = xfrm_hash_alloc(nsize);
598 struct hlist_head *odst;
604 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
605 write_seqcount_begin(&net->xfrm.xfrm_policy_hash_generation);
607 odst = rcu_dereference_protected(net->xfrm.policy_bydst[dir].table,
608 lockdep_is_held(&net->xfrm.xfrm_policy_lock));
610 for (i = hmask; i >= 0; i--)
611 xfrm_dst_hash_transfer(net, odst + i, ndst, nhashmask, dir);
613 rcu_assign_pointer(net->xfrm.policy_bydst[dir].table, ndst);
614 net->xfrm.policy_bydst[dir].hmask = nhashmask;
616 write_seqcount_end(&net->xfrm.xfrm_policy_hash_generation);
617 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
621 xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head));
624 static void xfrm_byidx_resize(struct net *net)
626 unsigned int hmask = net->xfrm.policy_idx_hmask;
627 unsigned int nhashmask = xfrm_new_hash_mask(hmask);
628 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
629 struct hlist_head *oidx = net->xfrm.policy_byidx;
630 struct hlist_head *nidx = xfrm_hash_alloc(nsize);
636 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
638 for (i = hmask; i >= 0; i--)
639 xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask);
641 net->xfrm.policy_byidx = nidx;
642 net->xfrm.policy_idx_hmask = nhashmask;
644 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
646 xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head));
649 static inline int xfrm_bydst_should_resize(struct net *net, int dir, int *total)
651 unsigned int cnt = net->xfrm.policy_count[dir];
652 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
657 if ((hmask + 1) < xfrm_policy_hashmax &&
664 static inline int xfrm_byidx_should_resize(struct net *net, int total)
666 unsigned int hmask = net->xfrm.policy_idx_hmask;
668 if ((hmask + 1) < xfrm_policy_hashmax &&
675 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si)
677 si->incnt = net->xfrm.policy_count[XFRM_POLICY_IN];
678 si->outcnt = net->xfrm.policy_count[XFRM_POLICY_OUT];
679 si->fwdcnt = net->xfrm.policy_count[XFRM_POLICY_FWD];
680 si->inscnt = net->xfrm.policy_count[XFRM_POLICY_IN+XFRM_POLICY_MAX];
681 si->outscnt = net->xfrm.policy_count[XFRM_POLICY_OUT+XFRM_POLICY_MAX];
682 si->fwdscnt = net->xfrm.policy_count[XFRM_POLICY_FWD+XFRM_POLICY_MAX];
683 si->spdhcnt = net->xfrm.policy_idx_hmask;
684 si->spdhmcnt = xfrm_policy_hashmax;
686 EXPORT_SYMBOL(xfrm_spd_getinfo);
688 static DEFINE_MUTEX(hash_resize_mutex);
689 static void xfrm_hash_resize(struct work_struct *work)
691 struct net *net = container_of(work, struct net, xfrm.policy_hash_work);
694 mutex_lock(&hash_resize_mutex);
697 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
698 if (xfrm_bydst_should_resize(net, dir, &total))
699 xfrm_bydst_resize(net, dir);
701 if (xfrm_byidx_should_resize(net, total))
702 xfrm_byidx_resize(net);
704 mutex_unlock(&hash_resize_mutex);
707 /* Make sure *pol can be inserted into fastbin.
708 * Useful to check that later insert requests will be successful
709 * (provided xfrm_policy_lock is held throughout).
711 static struct xfrm_pol_inexact_bin *
712 xfrm_policy_inexact_alloc_bin(const struct xfrm_policy *pol, u8 dir)
714 struct xfrm_pol_inexact_bin *bin, *prev;
715 struct xfrm_pol_inexact_key k = {
716 .family = pol->family,
721 struct net *net = xp_net(pol);
723 lockdep_assert_held(&net->xfrm.xfrm_policy_lock);
725 write_pnet(&k.net, net);
726 bin = rhashtable_lookup_fast(&xfrm_policy_inexact_table, &k,
727 xfrm_pol_inexact_params);
731 bin = kzalloc(sizeof(*bin), GFP_ATOMIC);
736 INIT_HLIST_HEAD(&bin->hhead);
737 bin->root_d = RB_ROOT;
738 bin->root_s = RB_ROOT;
739 seqcount_spinlock_init(&bin->count, &net->xfrm.xfrm_policy_lock);
741 prev = rhashtable_lookup_get_insert_key(&xfrm_policy_inexact_table,
743 xfrm_pol_inexact_params);
745 list_add(&bin->inexact_bins, &net->xfrm.inexact_bins);
751 return IS_ERR(prev) ? NULL : prev;
754 static bool xfrm_pol_inexact_addr_use_any_list(const xfrm_address_t *addr,
755 int family, u8 prefixlen)
757 if (xfrm_addr_any(addr, family))
760 if (family == AF_INET6 && prefixlen < INEXACT_PREFIXLEN_IPV6)
763 if (family == AF_INET && prefixlen < INEXACT_PREFIXLEN_IPV4)
770 xfrm_policy_inexact_insert_use_any_list(const struct xfrm_policy *policy)
772 const xfrm_address_t *addr;
773 bool saddr_any, daddr_any;
776 addr = &policy->selector.saddr;
777 prefixlen = policy->selector.prefixlen_s;
779 saddr_any = xfrm_pol_inexact_addr_use_any_list(addr,
782 addr = &policy->selector.daddr;
783 prefixlen = policy->selector.prefixlen_d;
784 daddr_any = xfrm_pol_inexact_addr_use_any_list(addr,
787 return saddr_any && daddr_any;
790 static void xfrm_pol_inexact_node_init(struct xfrm_pol_inexact_node *node,
791 const xfrm_address_t *addr, u8 prefixlen)
794 node->prefixlen = prefixlen;
797 static struct xfrm_pol_inexact_node *
798 xfrm_pol_inexact_node_alloc(const xfrm_address_t *addr, u8 prefixlen)
800 struct xfrm_pol_inexact_node *node;
802 node = kzalloc(sizeof(*node), GFP_ATOMIC);
804 xfrm_pol_inexact_node_init(node, addr, prefixlen);
809 static int xfrm_policy_addr_delta(const xfrm_address_t *a,
810 const xfrm_address_t *b,
811 u8 prefixlen, u16 family)
814 unsigned int pdw, pbi;
821 mask = ~0U << (32 - prefixlen);
822 ma = ntohl(a->a4) & mask;
823 mb = ntohl(b->a4) & mask;
830 pdw = prefixlen >> 5;
831 pbi = prefixlen & 0x1f;
834 delta = memcmp(a->a6, b->a6, pdw << 2);
839 mask = ~0U << (32 - pbi);
840 ma = ntohl(a->a6[pdw]) & mask;
841 mb = ntohl(b->a6[pdw]) & mask;
855 static void xfrm_policy_inexact_list_reinsert(struct net *net,
856 struct xfrm_pol_inexact_node *n,
859 unsigned int matched_s, matched_d;
860 struct xfrm_policy *policy, *p;
865 list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
866 struct hlist_node *newpos = NULL;
867 bool matches_s, matches_d;
869 if (policy->walk.dead || !policy->bydst_reinsert)
872 WARN_ON_ONCE(policy->family != family);
874 policy->bydst_reinsert = false;
875 hlist_for_each_entry(p, &n->hhead, bydst) {
876 if (policy->priority > p->priority)
878 else if (policy->priority == p->priority &&
879 policy->pos > p->pos)
885 if (newpos && policy->xdo.type != XFRM_DEV_OFFLOAD_PACKET)
886 hlist_add_behind_rcu(&policy->bydst, newpos);
888 hlist_add_head_rcu(&policy->bydst, &n->hhead);
890 /* paranoia checks follow.
891 * Check that the reinserted policy matches at least
892 * saddr or daddr for current node prefix.
894 * Matching both is fine, matching saddr in one policy
895 * (but not daddr) and then matching only daddr in another
898 matches_s = xfrm_policy_addr_delta(&policy->selector.saddr,
902 matches_d = xfrm_policy_addr_delta(&policy->selector.daddr,
906 if (matches_s && matches_d)
909 WARN_ON_ONCE(!matches_s && !matches_d);
914 WARN_ON_ONCE(matched_s && matched_d);
918 static void xfrm_policy_inexact_node_reinsert(struct net *net,
919 struct xfrm_pol_inexact_node *n,
923 struct xfrm_pol_inexact_node *node;
924 struct rb_node **p, *parent;
926 /* we should not have another subtree here */
927 WARN_ON_ONCE(!RB_EMPTY_ROOT(&n->root));
936 node = rb_entry(*p, struct xfrm_pol_inexact_node, node);
938 prefixlen = min(node->prefixlen, n->prefixlen);
940 delta = xfrm_policy_addr_delta(&n->addr, &node->addr,
943 p = &parent->rb_left;
944 } else if (delta > 0) {
945 p = &parent->rb_right;
947 bool same_prefixlen = node->prefixlen == n->prefixlen;
948 struct xfrm_policy *tmp;
950 hlist_for_each_entry(tmp, &n->hhead, bydst) {
951 tmp->bydst_reinsert = true;
952 hlist_del_rcu(&tmp->bydst);
955 node->prefixlen = prefixlen;
957 xfrm_policy_inexact_list_reinsert(net, node, family);
959 if (same_prefixlen) {
971 rb_link_node_rcu(&n->node, parent, p);
972 rb_insert_color(&n->node, new);
975 /* merge nodes v and n */
976 static void xfrm_policy_inexact_node_merge(struct net *net,
977 struct xfrm_pol_inexact_node *v,
978 struct xfrm_pol_inexact_node *n,
981 struct xfrm_pol_inexact_node *node;
982 struct xfrm_policy *tmp;
983 struct rb_node *rnode;
985 /* To-be-merged node v has a subtree.
987 * Dismantle it and insert its nodes to n->root.
989 while ((rnode = rb_first(&v->root)) != NULL) {
990 node = rb_entry(rnode, struct xfrm_pol_inexact_node, node);
991 rb_erase(&node->node, &v->root);
992 xfrm_policy_inexact_node_reinsert(net, node, &n->root,
996 hlist_for_each_entry(tmp, &v->hhead, bydst) {
997 tmp->bydst_reinsert = true;
998 hlist_del_rcu(&tmp->bydst);
1001 xfrm_policy_inexact_list_reinsert(net, n, family);
1004 static struct xfrm_pol_inexact_node *
1005 xfrm_policy_inexact_insert_node(struct net *net,
1006 struct rb_root *root,
1007 xfrm_address_t *addr,
1008 u16 family, u8 prefixlen, u8 dir)
1010 struct xfrm_pol_inexact_node *cached = NULL;
1011 struct rb_node **p, *parent = NULL;
1012 struct xfrm_pol_inexact_node *node;
1019 node = rb_entry(*p, struct xfrm_pol_inexact_node, node);
1021 delta = xfrm_policy_addr_delta(addr, &node->addr,
1024 if (delta == 0 && prefixlen >= node->prefixlen) {
1025 WARN_ON_ONCE(cached); /* ipsec policies got lost */
1030 p = &parent->rb_left;
1032 p = &parent->rb_right;
1034 if (prefixlen < node->prefixlen) {
1035 delta = xfrm_policy_addr_delta(addr, &node->addr,
1041 /* This node is a subnet of the new prefix. It needs
1042 * to be removed and re-inserted with the smaller
1043 * prefix and all nodes that are now also covered
1044 * by the reduced prefixlen.
1046 rb_erase(&node->node, root);
1049 xfrm_pol_inexact_node_init(node, addr,
1053 /* This node also falls within the new
1054 * prefixlen. Merge the to-be-reinserted
1055 * node and this one.
1057 xfrm_policy_inexact_node_merge(net, node,
1059 kfree_rcu(node, rcu);
1070 node = xfrm_pol_inexact_node_alloc(addr, prefixlen);
1075 rb_link_node_rcu(&node->node, parent, p);
1076 rb_insert_color(&node->node, root);
1081 static void xfrm_policy_inexact_gc_tree(struct rb_root *r, bool rm)
1083 struct xfrm_pol_inexact_node *node;
1084 struct rb_node *rn = rb_first(r);
1087 node = rb_entry(rn, struct xfrm_pol_inexact_node, node);
1089 xfrm_policy_inexact_gc_tree(&node->root, rm);
1092 if (!hlist_empty(&node->hhead) || !RB_EMPTY_ROOT(&node->root)) {
1097 rb_erase(&node->node, r);
1098 kfree_rcu(node, rcu);
1102 static void __xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b, bool net_exit)
1104 write_seqcount_begin(&b->count);
1105 xfrm_policy_inexact_gc_tree(&b->root_d, net_exit);
1106 xfrm_policy_inexact_gc_tree(&b->root_s, net_exit);
1107 write_seqcount_end(&b->count);
1109 if (!RB_EMPTY_ROOT(&b->root_d) || !RB_EMPTY_ROOT(&b->root_s) ||
1110 !hlist_empty(&b->hhead)) {
1111 WARN_ON_ONCE(net_exit);
1115 if (rhashtable_remove_fast(&xfrm_policy_inexact_table, &b->head,
1116 xfrm_pol_inexact_params) == 0) {
1117 list_del(&b->inexact_bins);
1122 static void xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b)
1124 struct net *net = read_pnet(&b->k.net);
1126 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
1127 __xfrm_policy_inexact_prune_bin(b, false);
1128 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1131 static void __xfrm_policy_inexact_flush(struct net *net)
1133 struct xfrm_pol_inexact_bin *bin, *t;
1135 lockdep_assert_held(&net->xfrm.xfrm_policy_lock);
1137 list_for_each_entry_safe(bin, t, &net->xfrm.inexact_bins, inexact_bins)
1138 __xfrm_policy_inexact_prune_bin(bin, false);
1141 static struct hlist_head *
1142 xfrm_policy_inexact_alloc_chain(struct xfrm_pol_inexact_bin *bin,
1143 struct xfrm_policy *policy, u8 dir)
1145 struct xfrm_pol_inexact_node *n;
1148 net = xp_net(policy);
1149 lockdep_assert_held(&net->xfrm.xfrm_policy_lock);
1151 if (xfrm_policy_inexact_insert_use_any_list(policy))
1154 if (xfrm_pol_inexact_addr_use_any_list(&policy->selector.daddr,
1156 policy->selector.prefixlen_d)) {
1157 write_seqcount_begin(&bin->count);
1158 n = xfrm_policy_inexact_insert_node(net,
1160 &policy->selector.saddr,
1162 policy->selector.prefixlen_s,
1164 write_seqcount_end(&bin->count);
1171 /* daddr is fixed */
1172 write_seqcount_begin(&bin->count);
1173 n = xfrm_policy_inexact_insert_node(net,
1175 &policy->selector.daddr,
1177 policy->selector.prefixlen_d, dir);
1178 write_seqcount_end(&bin->count);
1182 /* saddr is wildcard */
1183 if (xfrm_pol_inexact_addr_use_any_list(&policy->selector.saddr,
1185 policy->selector.prefixlen_s))
1188 write_seqcount_begin(&bin->count);
1189 n = xfrm_policy_inexact_insert_node(net,
1191 &policy->selector.saddr,
1193 policy->selector.prefixlen_s, dir);
1194 write_seqcount_end(&bin->count);
1201 static struct xfrm_policy *
1202 xfrm_policy_inexact_insert(struct xfrm_policy *policy, u8 dir, int excl)
1204 struct xfrm_pol_inexact_bin *bin;
1205 struct xfrm_policy *delpol;
1206 struct hlist_head *chain;
1209 bin = xfrm_policy_inexact_alloc_bin(policy, dir);
1211 return ERR_PTR(-ENOMEM);
1213 net = xp_net(policy);
1214 lockdep_assert_held(&net->xfrm.xfrm_policy_lock);
1216 chain = xfrm_policy_inexact_alloc_chain(bin, policy, dir);
1218 __xfrm_policy_inexact_prune_bin(bin, false);
1219 return ERR_PTR(-ENOMEM);
1222 delpol = xfrm_policy_insert_list(chain, policy, excl);
1223 if (delpol && excl) {
1224 __xfrm_policy_inexact_prune_bin(bin, false);
1225 return ERR_PTR(-EEXIST);
1228 chain = &net->xfrm.policy_inexact[dir];
1229 xfrm_policy_insert_inexact_list(chain, policy);
1232 __xfrm_policy_inexact_prune_bin(bin, false);
1237 static void xfrm_hash_rebuild(struct work_struct *work)
1239 struct net *net = container_of(work, struct net,
1240 xfrm.policy_hthresh.work);
1242 struct xfrm_policy *pol;
1243 struct xfrm_policy *policy;
1244 struct hlist_head *chain;
1245 struct hlist_head *odst;
1246 struct hlist_node *newpos;
1250 u8 lbits4, rbits4, lbits6, rbits6;
1252 mutex_lock(&hash_resize_mutex);
1254 /* read selector prefixlen thresholds */
1256 seq = read_seqbegin(&net->xfrm.policy_hthresh.lock);
1258 lbits4 = net->xfrm.policy_hthresh.lbits4;
1259 rbits4 = net->xfrm.policy_hthresh.rbits4;
1260 lbits6 = net->xfrm.policy_hthresh.lbits6;
1261 rbits6 = net->xfrm.policy_hthresh.rbits6;
1262 } while (read_seqretry(&net->xfrm.policy_hthresh.lock, seq));
1264 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
1265 write_seqcount_begin(&net->xfrm.xfrm_policy_hash_generation);
1267 /* make sure that we can insert the indirect policies again before
1268 * we start with destructive action.
1270 list_for_each_entry(policy, &net->xfrm.policy_all, walk.all) {
1271 struct xfrm_pol_inexact_bin *bin;
1274 if (policy->walk.dead)
1277 dir = xfrm_policy_id2dir(policy->index);
1278 if (dir >= XFRM_POLICY_MAX)
1281 if ((dir & XFRM_POLICY_MASK) == XFRM_POLICY_OUT) {
1282 if (policy->family == AF_INET) {
1290 if (policy->family == AF_INET) {
1299 if (policy->selector.prefixlen_d < dbits ||
1300 policy->selector.prefixlen_s < sbits)
1303 bin = xfrm_policy_inexact_alloc_bin(policy, dir);
1307 if (!xfrm_policy_inexact_alloc_chain(bin, policy, dir))
1311 /* reset the bydst and inexact table in all directions */
1312 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
1313 struct hlist_node *n;
1315 hlist_for_each_entry_safe(policy, n,
1316 &net->xfrm.policy_inexact[dir],
1317 bydst_inexact_list) {
1318 hlist_del_rcu(&policy->bydst);
1319 hlist_del_init(&policy->bydst_inexact_list);
1322 hmask = net->xfrm.policy_bydst[dir].hmask;
1323 odst = net->xfrm.policy_bydst[dir].table;
1324 for (i = hmask; i >= 0; i--) {
1325 hlist_for_each_entry_safe(policy, n, odst + i, bydst)
1326 hlist_del_rcu(&policy->bydst);
1328 if ((dir & XFRM_POLICY_MASK) == XFRM_POLICY_OUT) {
1329 /* dir out => dst = remote, src = local */
1330 net->xfrm.policy_bydst[dir].dbits4 = rbits4;
1331 net->xfrm.policy_bydst[dir].sbits4 = lbits4;
1332 net->xfrm.policy_bydst[dir].dbits6 = rbits6;
1333 net->xfrm.policy_bydst[dir].sbits6 = lbits6;
1335 /* dir in/fwd => dst = local, src = remote */
1336 net->xfrm.policy_bydst[dir].dbits4 = lbits4;
1337 net->xfrm.policy_bydst[dir].sbits4 = rbits4;
1338 net->xfrm.policy_bydst[dir].dbits6 = lbits6;
1339 net->xfrm.policy_bydst[dir].sbits6 = rbits6;
1343 /* re-insert all policies by order of creation */
1344 list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
1345 if (policy->walk.dead)
1347 dir = xfrm_policy_id2dir(policy->index);
1348 if (dir >= XFRM_POLICY_MAX) {
1349 /* skip socket policies */
1353 chain = policy_hash_bysel(net, &policy->selector,
1354 policy->family, dir);
1357 void *p = xfrm_policy_inexact_insert(policy, dir, 0);
1359 WARN_ONCE(IS_ERR(p), "reinsert: %ld\n", PTR_ERR(p));
1363 hlist_for_each_entry(pol, chain, bydst) {
1364 if (policy->priority >= pol->priority)
1365 newpos = &pol->bydst;
1369 if (newpos && policy->xdo.type != XFRM_DEV_OFFLOAD_PACKET)
1370 hlist_add_behind_rcu(&policy->bydst, newpos);
1372 hlist_add_head_rcu(&policy->bydst, chain);
1376 __xfrm_policy_inexact_flush(net);
1377 write_seqcount_end(&net->xfrm.xfrm_policy_hash_generation);
1378 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1380 mutex_unlock(&hash_resize_mutex);
1383 void xfrm_policy_hash_rebuild(struct net *net)
1385 schedule_work(&net->xfrm.policy_hthresh.work);
1387 EXPORT_SYMBOL(xfrm_policy_hash_rebuild);
1389 /* Generate new index... KAME seems to generate them ordered by cost
1390 * of an absolute inpredictability of ordering of rules. This will not pass. */
1391 static u32 xfrm_gen_index(struct net *net, int dir, u32 index)
1394 struct hlist_head *list;
1395 struct xfrm_policy *p;
1400 idx = (net->xfrm.idx_generator | dir);
1401 net->xfrm.idx_generator += 8;
1409 list = net->xfrm.policy_byidx + idx_hash(net, idx);
1411 hlist_for_each_entry(p, list, byidx) {
1412 if (p->index == idx) {
1422 static inline int selector_cmp(struct xfrm_selector *s1, struct xfrm_selector *s2)
1424 u32 *p1 = (u32 *) s1;
1425 u32 *p2 = (u32 *) s2;
1426 int len = sizeof(struct xfrm_selector) / sizeof(u32);
1429 for (i = 0; i < len; i++) {
1437 static void xfrm_policy_requeue(struct xfrm_policy *old,
1438 struct xfrm_policy *new)
1440 struct xfrm_policy_queue *pq = &old->polq;
1441 struct sk_buff_head list;
1443 if (skb_queue_empty(&pq->hold_queue))
1446 __skb_queue_head_init(&list);
1448 spin_lock_bh(&pq->hold_queue.lock);
1449 skb_queue_splice_init(&pq->hold_queue, &list);
1450 if (del_timer(&pq->hold_timer))
1452 spin_unlock_bh(&pq->hold_queue.lock);
1456 spin_lock_bh(&pq->hold_queue.lock);
1457 skb_queue_splice(&list, &pq->hold_queue);
1458 pq->timeout = XFRM_QUEUE_TMO_MIN;
1459 if (!mod_timer(&pq->hold_timer, jiffies))
1461 spin_unlock_bh(&pq->hold_queue.lock);
1464 static inline bool xfrm_policy_mark_match(const struct xfrm_mark *mark,
1465 struct xfrm_policy *pol)
1467 return mark->v == pol->mark.v && mark->m == pol->mark.m;
1470 static u32 xfrm_pol_bin_key(const void *data, u32 len, u32 seed)
1472 const struct xfrm_pol_inexact_key *k = data;
1473 u32 a = k->type << 24 | k->dir << 16 | k->family;
1475 return jhash_3words(a, k->if_id, net_hash_mix(read_pnet(&k->net)),
1479 static u32 xfrm_pol_bin_obj(const void *data, u32 len, u32 seed)
1481 const struct xfrm_pol_inexact_bin *b = data;
1483 return xfrm_pol_bin_key(&b->k, 0, seed);
1486 static int xfrm_pol_bin_cmp(struct rhashtable_compare_arg *arg,
1489 const struct xfrm_pol_inexact_key *key = arg->key;
1490 const struct xfrm_pol_inexact_bin *b = ptr;
1493 if (!net_eq(read_pnet(&b->k.net), read_pnet(&key->net)))
1496 ret = b->k.dir ^ key->dir;
1500 ret = b->k.type ^ key->type;
1504 ret = b->k.family ^ key->family;
1508 return b->k.if_id ^ key->if_id;
1511 static const struct rhashtable_params xfrm_pol_inexact_params = {
1512 .head_offset = offsetof(struct xfrm_pol_inexact_bin, head),
1513 .hashfn = xfrm_pol_bin_key,
1514 .obj_hashfn = xfrm_pol_bin_obj,
1515 .obj_cmpfn = xfrm_pol_bin_cmp,
1516 .automatic_shrinking = true,
1519 static void xfrm_policy_insert_inexact_list(struct hlist_head *chain,
1520 struct xfrm_policy *policy)
1522 struct xfrm_policy *pol, *delpol = NULL;
1523 struct hlist_node *newpos = NULL;
1526 hlist_for_each_entry(pol, chain, bydst_inexact_list) {
1527 if (pol->type == policy->type &&
1528 pol->if_id == policy->if_id &&
1529 !selector_cmp(&pol->selector, &policy->selector) &&
1530 xfrm_policy_mark_match(&policy->mark, pol) &&
1531 xfrm_sec_ctx_match(pol->security, policy->security) &&
1534 if (policy->priority > pol->priority)
1536 } else if (policy->priority >= pol->priority) {
1537 newpos = &pol->bydst_inexact_list;
1544 if (newpos && policy->xdo.type != XFRM_DEV_OFFLOAD_PACKET)
1545 hlist_add_behind_rcu(&policy->bydst_inexact_list, newpos);
1547 hlist_add_head_rcu(&policy->bydst_inexact_list, chain);
1549 hlist_for_each_entry(pol, chain, bydst_inexact_list) {
1555 static struct xfrm_policy *xfrm_policy_insert_list(struct hlist_head *chain,
1556 struct xfrm_policy *policy,
1559 struct xfrm_policy *pol, *newpos = NULL, *delpol = NULL;
1561 hlist_for_each_entry(pol, chain, bydst) {
1562 if (pol->type == policy->type &&
1563 pol->if_id == policy->if_id &&
1564 !selector_cmp(&pol->selector, &policy->selector) &&
1565 xfrm_policy_mark_match(&policy->mark, pol) &&
1566 xfrm_sec_ctx_match(pol->security, policy->security) &&
1569 return ERR_PTR(-EEXIST);
1571 if (policy->priority > pol->priority)
1573 } else if (policy->priority >= pol->priority) {
1581 if (newpos && policy->xdo.type != XFRM_DEV_OFFLOAD_PACKET)
1582 hlist_add_behind_rcu(&policy->bydst, &newpos->bydst);
1584 /* Packet offload policies enter to the head
1585 * to speed-up lookups.
1587 hlist_add_head_rcu(&policy->bydst, chain);
1592 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
1594 struct net *net = xp_net(policy);
1595 struct xfrm_policy *delpol;
1596 struct hlist_head *chain;
1598 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
1599 chain = policy_hash_bysel(net, &policy->selector, policy->family, dir);
1601 delpol = xfrm_policy_insert_list(chain, policy, excl);
1603 delpol = xfrm_policy_inexact_insert(policy, dir, excl);
1605 if (IS_ERR(delpol)) {
1606 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1607 return PTR_ERR(delpol);
1610 __xfrm_policy_link(policy, dir);
1612 /* After previous checking, family can either be AF_INET or AF_INET6 */
1613 if (policy->family == AF_INET)
1614 rt_genid_bump_ipv4(net);
1616 rt_genid_bump_ipv6(net);
1619 xfrm_policy_requeue(delpol, policy);
1620 __xfrm_policy_unlink(delpol, dir);
1622 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir, policy->index);
1623 hlist_add_head(&policy->byidx, net->xfrm.policy_byidx+idx_hash(net, policy->index));
1624 policy->curlft.add_time = ktime_get_real_seconds();
1625 policy->curlft.use_time = 0;
1626 if (!mod_timer(&policy->timer, jiffies + HZ))
1627 xfrm_pol_hold(policy);
1628 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1631 xfrm_policy_kill(delpol);
1632 else if (xfrm_bydst_should_resize(net, dir, NULL))
1633 schedule_work(&net->xfrm.policy_hash_work);
1637 EXPORT_SYMBOL(xfrm_policy_insert);
1639 static struct xfrm_policy *
1640 __xfrm_policy_bysel_ctx(struct hlist_head *chain, const struct xfrm_mark *mark,
1641 u32 if_id, u8 type, int dir, struct xfrm_selector *sel,
1642 struct xfrm_sec_ctx *ctx)
1644 struct xfrm_policy *pol;
1649 hlist_for_each_entry(pol, chain, bydst) {
1650 if (pol->type == type &&
1651 pol->if_id == if_id &&
1652 xfrm_policy_mark_match(mark, pol) &&
1653 !selector_cmp(sel, &pol->selector) &&
1654 xfrm_sec_ctx_match(ctx, pol->security))
1661 struct xfrm_policy *
1662 xfrm_policy_bysel_ctx(struct net *net, const struct xfrm_mark *mark, u32 if_id,
1663 u8 type, int dir, struct xfrm_selector *sel,
1664 struct xfrm_sec_ctx *ctx, int delete, int *err)
1666 struct xfrm_pol_inexact_bin *bin = NULL;
1667 struct xfrm_policy *pol, *ret = NULL;
1668 struct hlist_head *chain;
1671 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
1672 chain = policy_hash_bysel(net, sel, sel->family, dir);
1674 struct xfrm_pol_inexact_candidates cand;
1677 bin = xfrm_policy_inexact_lookup(net, type,
1678 sel->family, dir, if_id);
1680 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1684 if (!xfrm_policy_find_inexact_candidates(&cand, bin,
1687 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1692 for (i = 0; i < ARRAY_SIZE(cand.res); i++) {
1693 struct xfrm_policy *tmp;
1695 tmp = __xfrm_policy_bysel_ctx(cand.res[i], mark,
1701 if (!pol || tmp->pos < pol->pos)
1705 pol = __xfrm_policy_bysel_ctx(chain, mark, if_id, type, dir,
1712 *err = security_xfrm_policy_delete(pol->security);
1714 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1717 __xfrm_policy_unlink(pol, dir);
1721 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1724 xfrm_policy_kill(ret);
1726 xfrm_policy_inexact_prune_bin(bin);
1729 EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
1731 struct xfrm_policy *
1732 xfrm_policy_byid(struct net *net, const struct xfrm_mark *mark, u32 if_id,
1733 u8 type, int dir, u32 id, int delete, int *err)
1735 struct xfrm_policy *pol, *ret;
1736 struct hlist_head *chain;
1739 if (xfrm_policy_id2dir(id) != dir)
1743 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
1744 chain = net->xfrm.policy_byidx + idx_hash(net, id);
1746 hlist_for_each_entry(pol, chain, byidx) {
1747 if (pol->type == type && pol->index == id &&
1748 pol->if_id == if_id && xfrm_policy_mark_match(mark, pol)) {
1751 *err = security_xfrm_policy_delete(
1754 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1757 __xfrm_policy_unlink(pol, dir);
1763 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1766 xfrm_policy_kill(ret);
1769 EXPORT_SYMBOL(xfrm_policy_byid);
1771 #ifdef CONFIG_SECURITY_NETWORK_XFRM
1773 xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid)
1775 struct xfrm_policy *pol;
1778 list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
1779 if (pol->walk.dead ||
1780 xfrm_policy_id2dir(pol->index) >= XFRM_POLICY_MAX ||
1784 err = security_xfrm_policy_delete(pol->security);
1786 xfrm_audit_policy_delete(pol, 0, task_valid);
1793 static inline int xfrm_dev_policy_flush_secctx_check(struct net *net,
1794 struct net_device *dev,
1797 struct xfrm_policy *pol;
1800 list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
1801 if (pol->walk.dead ||
1802 xfrm_policy_id2dir(pol->index) >= XFRM_POLICY_MAX ||
1803 pol->xdo.dev != dev)
1806 err = security_xfrm_policy_delete(pol->security);
1808 xfrm_audit_policy_delete(pol, 0, task_valid);
1816 xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid)
1821 static inline int xfrm_dev_policy_flush_secctx_check(struct net *net,
1822 struct net_device *dev,
1829 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)
1831 int dir, err = 0, cnt = 0;
1832 struct xfrm_policy *pol;
1834 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
1836 err = xfrm_policy_flush_secctx_check(net, type, task_valid);
1841 list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
1845 dir = xfrm_policy_id2dir(pol->index);
1846 if (dir >= XFRM_POLICY_MAX ||
1850 __xfrm_policy_unlink(pol, dir);
1851 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1852 xfrm_dev_policy_delete(pol);
1854 xfrm_audit_policy_delete(pol, 1, task_valid);
1855 xfrm_policy_kill(pol);
1856 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
1860 __xfrm_policy_inexact_flush(net);
1864 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1867 EXPORT_SYMBOL(xfrm_policy_flush);
1869 int xfrm_dev_policy_flush(struct net *net, struct net_device *dev,
1872 int dir, err = 0, cnt = 0;
1873 struct xfrm_policy *pol;
1875 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
1877 err = xfrm_dev_policy_flush_secctx_check(net, dev, task_valid);
1882 list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
1886 dir = xfrm_policy_id2dir(pol->index);
1887 if (dir >= XFRM_POLICY_MAX ||
1888 pol->xdo.dev != dev)
1891 __xfrm_policy_unlink(pol, dir);
1892 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1893 xfrm_dev_policy_delete(pol);
1895 xfrm_audit_policy_delete(pol, 1, task_valid);
1896 xfrm_policy_kill(pol);
1897 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
1901 __xfrm_policy_inexact_flush(net);
1905 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1908 EXPORT_SYMBOL(xfrm_dev_policy_flush);
1910 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1911 int (*func)(struct xfrm_policy *, int, int, void*),
1914 struct xfrm_policy *pol;
1915 struct xfrm_policy_walk_entry *x;
1918 if (walk->type >= XFRM_POLICY_TYPE_MAX &&
1919 walk->type != XFRM_POLICY_TYPE_ANY)
1922 if (list_empty(&walk->walk.all) && walk->seq != 0)
1925 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
1926 if (list_empty(&walk->walk.all))
1927 x = list_first_entry(&net->xfrm.policy_all, struct xfrm_policy_walk_entry, all);
1929 x = list_first_entry(&walk->walk.all,
1930 struct xfrm_policy_walk_entry, all);
1932 list_for_each_entry_from(x, &net->xfrm.policy_all, all) {
1935 pol = container_of(x, struct xfrm_policy, walk);
1936 if (walk->type != XFRM_POLICY_TYPE_ANY &&
1937 walk->type != pol->type)
1939 error = func(pol, xfrm_policy_id2dir(pol->index),
1942 list_move_tail(&walk->walk.all, &x->all);
1947 if (walk->seq == 0) {
1951 list_del_init(&walk->walk.all);
1953 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1956 EXPORT_SYMBOL(xfrm_policy_walk);
1958 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type)
1960 INIT_LIST_HEAD(&walk->walk.all);
1961 walk->walk.dead = 1;
1965 EXPORT_SYMBOL(xfrm_policy_walk_init);
1967 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net)
1969 if (list_empty(&walk->walk.all))
1972 spin_lock_bh(&net->xfrm.xfrm_policy_lock); /*FIXME where is net? */
1973 list_del(&walk->walk.all);
1974 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1976 EXPORT_SYMBOL(xfrm_policy_walk_done);
1979 * Find policy to apply to this flow.
1981 * Returns 0 if policy found, else an -errno.
1983 static int xfrm_policy_match(const struct xfrm_policy *pol,
1984 const struct flowi *fl,
1985 u8 type, u16 family, u32 if_id)
1987 const struct xfrm_selector *sel = &pol->selector;
1991 if (pol->family != family ||
1992 pol->if_id != if_id ||
1993 (fl->flowi_mark & pol->mark.m) != pol->mark.v ||
1997 match = xfrm_selector_match(sel, fl, family);
1999 ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid);
2003 static struct xfrm_pol_inexact_node *
2004 xfrm_policy_lookup_inexact_addr(const struct rb_root *r,
2005 seqcount_spinlock_t *count,
2006 const xfrm_address_t *addr, u16 family)
2008 const struct rb_node *parent;
2012 seq = read_seqcount_begin(count);
2014 parent = rcu_dereference_raw(r->rb_node);
2016 struct xfrm_pol_inexact_node *node;
2019 node = rb_entry(parent, struct xfrm_pol_inexact_node, node);
2021 delta = xfrm_policy_addr_delta(addr, &node->addr,
2022 node->prefixlen, family);
2024 parent = rcu_dereference_raw(parent->rb_left);
2026 } else if (delta > 0) {
2027 parent = rcu_dereference_raw(parent->rb_right);
2034 if (read_seqcount_retry(count, seq))
2041 xfrm_policy_find_inexact_candidates(struct xfrm_pol_inexact_candidates *cand,
2042 struct xfrm_pol_inexact_bin *b,
2043 const xfrm_address_t *saddr,
2044 const xfrm_address_t *daddr)
2046 struct xfrm_pol_inexact_node *n;
2052 family = b->k.family;
2053 memset(cand, 0, sizeof(*cand));
2054 cand->res[XFRM_POL_CAND_ANY] = &b->hhead;
2056 n = xfrm_policy_lookup_inexact_addr(&b->root_d, &b->count, daddr,
2059 cand->res[XFRM_POL_CAND_DADDR] = &n->hhead;
2060 n = xfrm_policy_lookup_inexact_addr(&n->root, &b->count, saddr,
2063 cand->res[XFRM_POL_CAND_BOTH] = &n->hhead;
2066 n = xfrm_policy_lookup_inexact_addr(&b->root_s, &b->count, saddr,
2069 cand->res[XFRM_POL_CAND_SADDR] = &n->hhead;
2074 static struct xfrm_pol_inexact_bin *
2075 xfrm_policy_inexact_lookup_rcu(struct net *net, u8 type, u16 family,
2078 struct xfrm_pol_inexact_key k = {
2085 write_pnet(&k.net, net);
2087 return rhashtable_lookup(&xfrm_policy_inexact_table, &k,
2088 xfrm_pol_inexact_params);
2091 static struct xfrm_pol_inexact_bin *
2092 xfrm_policy_inexact_lookup(struct net *net, u8 type, u16 family,
2095 struct xfrm_pol_inexact_bin *bin;
2097 lockdep_assert_held(&net->xfrm.xfrm_policy_lock);
2100 bin = xfrm_policy_inexact_lookup_rcu(net, type, family, dir, if_id);
2106 static struct xfrm_policy *
2107 __xfrm_policy_eval_candidates(struct hlist_head *chain,
2108 struct xfrm_policy *prefer,
2109 const struct flowi *fl,
2110 u8 type, u16 family, u32 if_id)
2112 u32 priority = prefer ? prefer->priority : ~0u;
2113 struct xfrm_policy *pol;
2118 hlist_for_each_entry_rcu(pol, chain, bydst) {
2121 if (pol->priority > priority)
2124 err = xfrm_policy_match(pol, fl, type, family, if_id);
2127 return ERR_PTR(err);
2133 /* matches. Is it older than *prefer? */
2134 if (pol->priority == priority &&
2135 prefer->pos < pol->pos)
2145 static struct xfrm_policy *
2146 xfrm_policy_eval_candidates(struct xfrm_pol_inexact_candidates *cand,
2147 struct xfrm_policy *prefer,
2148 const struct flowi *fl,
2149 u8 type, u16 family, u32 if_id)
2151 struct xfrm_policy *tmp;
2154 for (i = 0; i < ARRAY_SIZE(cand->res); i++) {
2155 tmp = __xfrm_policy_eval_candidates(cand->res[i],
2157 fl, type, family, if_id);
2169 static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
2170 const struct flowi *fl,
2174 struct xfrm_pol_inexact_candidates cand;
2175 const xfrm_address_t *daddr, *saddr;
2176 struct xfrm_pol_inexact_bin *bin;
2177 struct xfrm_policy *pol, *ret;
2178 struct hlist_head *chain;
2179 unsigned int sequence;
2182 daddr = xfrm_flowi_daddr(fl, family);
2183 saddr = xfrm_flowi_saddr(fl, family);
2184 if (unlikely(!daddr || !saddr))
2190 sequence = read_seqcount_begin(&net->xfrm.xfrm_policy_hash_generation);
2191 chain = policy_hash_direct(net, daddr, saddr, family, dir);
2192 } while (read_seqcount_retry(&net->xfrm.xfrm_policy_hash_generation, sequence));
2195 hlist_for_each_entry_rcu(pol, chain, bydst) {
2196 err = xfrm_policy_match(pol, fl, type, family, if_id);
2209 if (ret && ret->xdo.type == XFRM_DEV_OFFLOAD_PACKET)
2212 bin = xfrm_policy_inexact_lookup_rcu(net, type, family, dir, if_id);
2213 if (!bin || !xfrm_policy_find_inexact_candidates(&cand, bin, saddr,
2217 pol = xfrm_policy_eval_candidates(&cand, ret, fl, type,
2226 if (read_seqcount_retry(&net->xfrm.xfrm_policy_hash_generation, sequence))
2229 if (ret && !xfrm_pol_hold_rcu(ret))
2237 static struct xfrm_policy *xfrm_policy_lookup(struct net *net,
2238 const struct flowi *fl,
2239 u16 family, u8 dir, u32 if_id)
2241 #ifdef CONFIG_XFRM_SUB_POLICY
2242 struct xfrm_policy *pol;
2244 pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_SUB, fl, family,
2249 return xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, fl, family,
2253 static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
2254 const struct flowi *fl,
2255 u16 family, u32 if_id)
2257 struct xfrm_policy *pol;
2261 pol = rcu_dereference(sk->sk_policy[dir]);
2266 if (pol->family != family) {
2271 match = xfrm_selector_match(&pol->selector, fl, family);
2273 if ((READ_ONCE(sk->sk_mark) & pol->mark.m) != pol->mark.v ||
2274 pol->if_id != if_id) {
2278 err = security_xfrm_policy_lookup(pol->security,
2281 if (!xfrm_pol_hold_rcu(pol))
2283 } else if (err == -ESRCH) {
2296 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
2298 struct net *net = xp_net(pol);
2300 list_add(&pol->walk.all, &net->xfrm.policy_all);
2301 net->xfrm.policy_count[dir]++;
2305 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
2308 struct net *net = xp_net(pol);
2310 if (list_empty(&pol->walk.all))
2313 /* Socket policies are not hashed. */
2314 if (!hlist_unhashed(&pol->bydst)) {
2315 hlist_del_rcu(&pol->bydst);
2316 hlist_del_init(&pol->bydst_inexact_list);
2317 hlist_del(&pol->byidx);
2320 list_del_init(&pol->walk.all);
2321 net->xfrm.policy_count[dir]--;
2326 static void xfrm_sk_policy_link(struct xfrm_policy *pol, int dir)
2328 __xfrm_policy_link(pol, XFRM_POLICY_MAX + dir);
2331 static void xfrm_sk_policy_unlink(struct xfrm_policy *pol, int dir)
2333 __xfrm_policy_unlink(pol, XFRM_POLICY_MAX + dir);
2336 int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
2338 struct net *net = xp_net(pol);
2340 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
2341 pol = __xfrm_policy_unlink(pol, dir);
2342 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
2344 xfrm_dev_policy_delete(pol);
2345 xfrm_policy_kill(pol);
2350 EXPORT_SYMBOL(xfrm_policy_delete);
2352 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
2354 struct net *net = sock_net(sk);
2355 struct xfrm_policy *old_pol;
2357 #ifdef CONFIG_XFRM_SUB_POLICY
2358 if (pol && pol->type != XFRM_POLICY_TYPE_MAIN)
2362 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
2363 old_pol = rcu_dereference_protected(sk->sk_policy[dir],
2364 lockdep_is_held(&net->xfrm.xfrm_policy_lock));
2366 pol->curlft.add_time = ktime_get_real_seconds();
2367 pol->index = xfrm_gen_index(net, XFRM_POLICY_MAX+dir, 0);
2368 xfrm_sk_policy_link(pol, dir);
2370 rcu_assign_pointer(sk->sk_policy[dir], pol);
2373 xfrm_policy_requeue(old_pol, pol);
2375 /* Unlinking succeeds always. This is the only function
2376 * allowed to delete or replace socket policy.
2378 xfrm_sk_policy_unlink(old_pol, dir);
2380 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
2383 xfrm_policy_kill(old_pol);
2388 static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
2390 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC);
2391 struct net *net = xp_net(old);
2394 newp->selector = old->selector;
2395 if (security_xfrm_policy_clone(old->security,
2398 return NULL; /* ENOMEM */
2400 newp->lft = old->lft;
2401 newp->curlft = old->curlft;
2402 newp->mark = old->mark;
2403 newp->if_id = old->if_id;
2404 newp->action = old->action;
2405 newp->flags = old->flags;
2406 newp->xfrm_nr = old->xfrm_nr;
2407 newp->index = old->index;
2408 newp->type = old->type;
2409 newp->family = old->family;
2410 memcpy(newp->xfrm_vec, old->xfrm_vec,
2411 newp->xfrm_nr*sizeof(struct xfrm_tmpl));
2412 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
2413 xfrm_sk_policy_link(newp, dir);
2414 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
2420 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
2422 const struct xfrm_policy *p;
2423 struct xfrm_policy *np;
2427 for (i = 0; i < 2; i++) {
2428 p = rcu_dereference(osk->sk_policy[i]);
2430 np = clone_policy(p, i);
2431 if (unlikely(!np)) {
2435 rcu_assign_pointer(sk->sk_policy[i], np);
2443 xfrm_get_saddr(struct net *net, int oif, xfrm_address_t *local,
2444 xfrm_address_t *remote, unsigned short family, u32 mark)
2447 const struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
2449 if (unlikely(afinfo == NULL))
2451 err = afinfo->get_saddr(net, oif, local, remote, mark);
2456 /* Resolve list of templates for the flow, given policy. */
2459 xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
2460 struct xfrm_state **xfrm, unsigned short family)
2462 struct net *net = xp_net(policy);
2465 xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
2466 xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
2469 for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
2470 struct xfrm_state *x;
2471 xfrm_address_t *remote = daddr;
2472 xfrm_address_t *local = saddr;
2473 struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
2475 if (tmpl->mode == XFRM_MODE_TUNNEL ||
2476 tmpl->mode == XFRM_MODE_BEET) {
2477 remote = &tmpl->id.daddr;
2478 local = &tmpl->saddr;
2479 if (xfrm_addr_any(local, tmpl->encap_family)) {
2480 error = xfrm_get_saddr(net, fl->flowi_oif,
2482 tmpl->encap_family, 0);
2489 x = xfrm_state_find(remote, local, fl, tmpl, policy, &error,
2490 family, policy->if_id);
2492 if (x && x->km.state == XFRM_STATE_VALID) {
2499 error = (x->km.state == XFRM_STATE_ERROR ?
2502 } else if (error == -ESRCH) {
2506 if (!tmpl->optional)
2512 for (nx--; nx >= 0; nx--)
2513 xfrm_state_put(xfrm[nx]);
2518 xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl,
2519 struct xfrm_state **xfrm, unsigned short family)
2521 struct xfrm_state *tp[XFRM_MAX_DEPTH];
2522 struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
2528 for (i = 0; i < npols; i++) {
2529 if (cnx + pols[i]->xfrm_nr >= XFRM_MAX_DEPTH) {
2534 ret = xfrm_tmpl_resolve_one(pols[i], fl, &tpp[cnx], family);
2542 /* found states are sorted for outbound processing */
2544 xfrm_state_sort(xfrm, tpp, cnx, family);
2549 for (cnx--; cnx >= 0; cnx--)
2550 xfrm_state_put(tpp[cnx]);
2555 static int xfrm_get_tos(const struct flowi *fl, int family)
2557 if (family == AF_INET)
2558 return IPTOS_RT_MASK & fl->u.ip4.flowi4_tos;
2563 static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
2565 const struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
2566 struct dst_ops *dst_ops;
2567 struct xfrm_dst *xdst;
2570 return ERR_PTR(-EINVAL);
2574 dst_ops = &net->xfrm.xfrm4_dst_ops;
2576 #if IS_ENABLED(CONFIG_IPV6)
2578 dst_ops = &net->xfrm.xfrm6_dst_ops;
2584 xdst = dst_alloc(dst_ops, NULL, DST_OBSOLETE_NONE, 0);
2587 memset_after(xdst, 0, u.dst);
2589 xdst = ERR_PTR(-ENOBUFS);
2596 static void xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst,
2599 if (dst->ops->family == AF_INET6) {
2600 struct rt6_info *rt = (struct rt6_info *)dst;
2601 path->path_cookie = rt6_get_cookie(rt);
2602 path->u.rt6.rt6i_nfheader_len = nfheader_len;
2606 static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
2607 const struct flowi *fl)
2609 const struct xfrm_policy_afinfo *afinfo =
2610 xfrm_policy_get_afinfo(xdst->u.dst.ops->family);
2616 err = afinfo->fill_dst(xdst, dev, fl);
2624 /* Allocate chain of dst_entry's, attach known xfrm's, calculate
2625 * all the metrics... Shortly, bundle a bundle.
2628 static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
2629 struct xfrm_state **xfrm,
2630 struct xfrm_dst **bundle,
2632 const struct flowi *fl,
2633 struct dst_entry *dst)
2635 const struct xfrm_state_afinfo *afinfo;
2636 const struct xfrm_mode *inner_mode;
2637 struct net *net = xp_net(policy);
2638 unsigned long now = jiffies;
2639 struct net_device *dev;
2640 struct xfrm_dst *xdst_prev = NULL;
2641 struct xfrm_dst *xdst0 = NULL;
2645 int nfheader_len = 0;
2646 int trailer_len = 0;
2648 int family = policy->selector.family;
2649 xfrm_address_t saddr, daddr;
2651 xfrm_flowi_addr_get(fl, &saddr, &daddr, family);
2653 tos = xfrm_get_tos(fl, family);
2657 for (; i < nx; i++) {
2658 struct xfrm_dst *xdst = xfrm_alloc_dst(net, family);
2659 struct dst_entry *dst1 = &xdst->u.dst;
2661 err = PTR_ERR(xdst);
2671 /* Ref count is taken during xfrm_alloc_dst()
2672 * No need to do dst_clone() on dst1
2674 xfrm_dst_set_child(xdst_prev, &xdst->u.dst);
2676 if (xfrm[i]->sel.family == AF_UNSPEC) {
2677 inner_mode = xfrm_ip2inner_mode(xfrm[i],
2678 xfrm_af2proto(family));
2680 err = -EAFNOSUPPORT;
2685 inner_mode = &xfrm[i]->inner_mode;
2688 dst_copy_metrics(dst1, dst);
2690 if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
2694 if (xfrm[i]->props.smark.v || xfrm[i]->props.smark.m)
2695 mark = xfrm_smark_get(fl->flowi_mark, xfrm[i]);
2697 if (xfrm[i]->xso.type != XFRM_DEV_OFFLOAD_PACKET)
2698 family = xfrm[i]->props.family;
2700 oif = fl->flowi_oif ? : fl->flowi_l3mdev;
2701 dst = xfrm_dst_lookup(xfrm[i], tos, oif,
2702 &saddr, &daddr, family, mark);
2709 dst1->xfrm = xfrm[i];
2710 xdst->xfrm_genid = xfrm[i]->genid;
2712 dst1->obsolete = DST_OBSOLETE_FORCE_CHK;
2713 dst1->lastuse = now;
2715 dst1->input = dst_discard;
2718 afinfo = xfrm_state_afinfo_get_rcu(inner_mode->family);
2720 dst1->output = afinfo->output;
2722 dst1->output = dst_discard_out;
2727 header_len += xfrm[i]->props.header_len;
2728 if (xfrm[i]->type->flags & XFRM_TYPE_NON_FRAGMENT)
2729 nfheader_len += xfrm[i]->props.header_len;
2730 trailer_len += xfrm[i]->props.trailer_len;
2733 xfrm_dst_set_child(xdst_prev, dst);
2741 xfrm_init_path(xdst0, dst, nfheader_len);
2742 xfrm_init_pmtu(bundle, nx);
2744 for (xdst_prev = xdst0; xdst_prev != (struct xfrm_dst *)dst;
2745 xdst_prev = (struct xfrm_dst *) xfrm_dst_child(&xdst_prev->u.dst)) {
2746 err = xfrm_fill_dst(xdst_prev, dev, fl);
2750 xdst_prev->u.dst.header_len = header_len;
2751 xdst_prev->u.dst.trailer_len = trailer_len;
2752 header_len -= xdst_prev->u.dst.xfrm->props.header_len;
2753 trailer_len -= xdst_prev->u.dst.xfrm->props.trailer_len;
2756 return &xdst0->u.dst;
2760 xfrm_state_put(xfrm[i]);
2763 dst_release_immediate(&xdst0->u.dst);
2765 return ERR_PTR(err);
2768 static int xfrm_expand_policies(const struct flowi *fl, u16 family,
2769 struct xfrm_policy **pols,
2770 int *num_pols, int *num_xfrms)
2774 if (*num_pols == 0 || !pols[0]) {
2779 if (IS_ERR(pols[0])) {
2781 return PTR_ERR(pols[0]);
2784 *num_xfrms = pols[0]->xfrm_nr;
2786 #ifdef CONFIG_XFRM_SUB_POLICY
2787 if (pols[0]->action == XFRM_POLICY_ALLOW &&
2788 pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
2789 pols[1] = xfrm_policy_lookup_bytype(xp_net(pols[0]),
2790 XFRM_POLICY_TYPE_MAIN,
2795 if (IS_ERR(pols[1])) {
2796 xfrm_pols_put(pols, *num_pols);
2798 return PTR_ERR(pols[1]);
2801 (*num_xfrms) += pols[1]->xfrm_nr;
2805 for (i = 0; i < *num_pols; i++) {
2806 if (pols[i]->action != XFRM_POLICY_ALLOW) {
2816 static struct xfrm_dst *
2817 xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
2818 const struct flowi *fl, u16 family,
2819 struct dst_entry *dst_orig)
2821 struct net *net = xp_net(pols[0]);
2822 struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
2823 struct xfrm_dst *bundle[XFRM_MAX_DEPTH];
2824 struct xfrm_dst *xdst;
2825 struct dst_entry *dst;
2828 /* Try to instantiate a bundle */
2829 err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);
2835 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
2836 return ERR_PTR(err);
2839 dst = xfrm_bundle_create(pols[0], xfrm, bundle, err, fl, dst_orig);
2841 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLEGENERROR);
2842 return ERR_CAST(dst);
2845 xdst = (struct xfrm_dst *)dst;
2846 xdst->num_xfrms = err;
2847 xdst->num_pols = num_pols;
2848 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols);
2849 xdst->policy_genid = atomic_read(&pols[0]->genid);
2854 static void xfrm_policy_queue_process(struct timer_list *t)
2856 struct sk_buff *skb;
2858 struct dst_entry *dst;
2859 struct xfrm_policy *pol = from_timer(pol, t, polq.hold_timer);
2860 struct net *net = xp_net(pol);
2861 struct xfrm_policy_queue *pq = &pol->polq;
2863 struct sk_buff_head list;
2866 spin_lock(&pq->hold_queue.lock);
2867 skb = skb_peek(&pq->hold_queue);
2869 spin_unlock(&pq->hold_queue.lock);
2875 /* Fixup the mark to support VTI. */
2876 skb_mark = skb->mark;
2877 skb->mark = pol->mark.v;
2878 xfrm_decode_session(net, skb, &fl, dst->ops->family);
2879 skb->mark = skb_mark;
2880 spin_unlock(&pq->hold_queue.lock);
2882 dst_hold(xfrm_dst_path(dst));
2883 dst = xfrm_lookup(net, xfrm_dst_path(dst), &fl, sk, XFRM_LOOKUP_QUEUE);
2887 if (dst->flags & DST_XFRM_QUEUE) {
2890 if (pq->timeout >= XFRM_QUEUE_TMO_MAX)
2893 pq->timeout = pq->timeout << 1;
2894 if (!mod_timer(&pq->hold_timer, jiffies + pq->timeout))
2901 __skb_queue_head_init(&list);
2903 spin_lock(&pq->hold_queue.lock);
2905 skb_queue_splice_init(&pq->hold_queue, &list);
2906 spin_unlock(&pq->hold_queue.lock);
2908 while (!skb_queue_empty(&list)) {
2909 skb = __skb_dequeue(&list);
2911 /* Fixup the mark to support VTI. */
2912 skb_mark = skb->mark;
2913 skb->mark = pol->mark.v;
2914 xfrm_decode_session(net, skb, &fl, skb_dst(skb)->ops->family);
2915 skb->mark = skb_mark;
2917 dst_hold(xfrm_dst_path(skb_dst(skb)));
2918 dst = xfrm_lookup(net, xfrm_dst_path(skb_dst(skb)), &fl, skb->sk, 0);
2926 skb_dst_set(skb, dst);
2928 dst_output(net, skb->sk, skb);
2937 skb_queue_purge(&pq->hold_queue);
2941 static int xdst_queue_output(struct net *net, struct sock *sk, struct sk_buff *skb)
2943 unsigned long sched_next;
2944 struct dst_entry *dst = skb_dst(skb);
2945 struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
2946 struct xfrm_policy *pol = xdst->pols[0];
2947 struct xfrm_policy_queue *pq = &pol->polq;
2949 if (unlikely(skb_fclone_busy(sk, skb))) {
2954 if (pq->hold_queue.qlen > XFRM_MAX_QUEUE_LEN) {
2961 spin_lock_bh(&pq->hold_queue.lock);
2964 pq->timeout = XFRM_QUEUE_TMO_MIN;
2966 sched_next = jiffies + pq->timeout;
2968 if (del_timer(&pq->hold_timer)) {
2969 if (time_before(pq->hold_timer.expires, sched_next))
2970 sched_next = pq->hold_timer.expires;
2974 __skb_queue_tail(&pq->hold_queue, skb);
2975 if (!mod_timer(&pq->hold_timer, sched_next))
2978 spin_unlock_bh(&pq->hold_queue.lock);
2983 static struct xfrm_dst *xfrm_create_dummy_bundle(struct net *net,
2984 struct xfrm_flo *xflo,
2985 const struct flowi *fl,
2990 struct net_device *dev;
2991 struct dst_entry *dst;
2992 struct dst_entry *dst1;
2993 struct xfrm_dst *xdst;
2995 xdst = xfrm_alloc_dst(net, family);
2999 if (!(xflo->flags & XFRM_LOOKUP_QUEUE) ||
3000 net->xfrm.sysctl_larval_drop ||
3004 dst = xflo->dst_orig;
3005 dst1 = &xdst->u.dst;
3009 dst_copy_metrics(dst1, dst);
3011 dst1->obsolete = DST_OBSOLETE_FORCE_CHK;
3012 dst1->flags |= DST_XFRM_QUEUE;
3013 dst1->lastuse = jiffies;
3015 dst1->input = dst_discard;
3016 dst1->output = xdst_queue_output;
3019 xfrm_dst_set_child(xdst, dst);
3022 xfrm_init_path((struct xfrm_dst *)dst1, dst, 0);
3029 err = xfrm_fill_dst(xdst, dev, fl);
3038 xdst = ERR_PTR(err);
3042 static struct xfrm_dst *xfrm_bundle_lookup(struct net *net,
3043 const struct flowi *fl,
3045 struct xfrm_flo *xflo, u32 if_id)
3047 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
3048 int num_pols = 0, num_xfrms = 0, err;
3049 struct xfrm_dst *xdst;
3051 /* Resolve policies to use if we couldn't get them from
3052 * previous cache entry */
3054 pols[0] = xfrm_policy_lookup(net, fl, family, dir, if_id);
3055 err = xfrm_expand_policies(fl, family, pols,
3056 &num_pols, &num_xfrms);
3062 goto make_dummy_bundle;
3064 xdst = xfrm_resolve_and_create_bundle(pols, num_pols, fl, family,
3067 err = PTR_ERR(xdst);
3068 if (err == -EREMOTE) {
3069 xfrm_pols_put(pols, num_pols);
3075 goto make_dummy_bundle;
3076 } else if (xdst == NULL) {
3078 goto make_dummy_bundle;
3084 /* We found policies, but there's no bundles to instantiate:
3085 * either because the policy blocks, has no transformations or
3086 * we could not build template (no xfrm_states).*/
3087 xdst = xfrm_create_dummy_bundle(net, xflo, fl, num_xfrms, family);
3089 xfrm_pols_put(pols, num_pols);
3090 return ERR_CAST(xdst);
3092 xdst->num_pols = num_pols;
3093 xdst->num_xfrms = num_xfrms;
3094 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols);
3099 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
3101 xfrm_pols_put(pols, num_pols);
3102 return ERR_PTR(err);
3105 static struct dst_entry *make_blackhole(struct net *net, u16 family,
3106 struct dst_entry *dst_orig)
3108 const struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
3109 struct dst_entry *ret;
3112 dst_release(dst_orig);
3113 return ERR_PTR(-EINVAL);
3115 ret = afinfo->blackhole_route(net, dst_orig);
3122 /* Finds/creates a bundle for given flow and if_id
3124 * At the moment we eat a raw IP route. Mostly to speed up lookups
3125 * on interfaces with disabled IPsec.
3127 * xfrm_lookup uses an if_id of 0 by default, and is provided for
3130 struct dst_entry *xfrm_lookup_with_ifid(struct net *net,
3131 struct dst_entry *dst_orig,
3132 const struct flowi *fl,
3133 const struct sock *sk,
3134 int flags, u32 if_id)
3136 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
3137 struct xfrm_dst *xdst;
3138 struct dst_entry *dst, *route;
3139 u16 family = dst_orig->ops->family;
3140 u8 dir = XFRM_POLICY_OUT;
3141 int i, err, num_pols, num_xfrms = 0, drop_pols = 0;
3147 sk = sk_const_to_full_sk(sk);
3148 if (sk && sk->sk_policy[XFRM_POLICY_OUT]) {
3150 pols[0] = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl, family,
3152 err = xfrm_expand_policies(fl, family, pols,
3153 &num_pols, &num_xfrms);
3158 if (num_xfrms <= 0) {
3159 drop_pols = num_pols;
3163 xdst = xfrm_resolve_and_create_bundle(
3168 xfrm_pols_put(pols, num_pols);
3169 err = PTR_ERR(xdst);
3170 if (err == -EREMOTE)
3174 } else if (xdst == NULL) {
3176 drop_pols = num_pols;
3180 route = xdst->route;
3185 struct xfrm_flo xflo;
3187 xflo.dst_orig = dst_orig;
3190 /* To accelerate a bit... */
3191 if (!if_id && ((dst_orig->flags & DST_NOXFRM) ||
3192 !net->xfrm.policy_count[XFRM_POLICY_OUT]))
3195 xdst = xfrm_bundle_lookup(net, fl, family, dir, &xflo, if_id);
3199 err = PTR_ERR(xdst);
3203 num_pols = xdst->num_pols;
3204 num_xfrms = xdst->num_xfrms;
3205 memcpy(pols, xdst->pols, sizeof(struct xfrm_policy *) * num_pols);
3206 route = xdst->route;
3210 if (route == NULL && num_xfrms > 0) {
3211 /* The only case when xfrm_bundle_lookup() returns a
3212 * bundle with null route, is when the template could
3213 * not be resolved. It means policies are there, but
3214 * bundle could not be created, since we don't yet
3215 * have the xfrm_state's. We need to wait for KM to
3216 * negotiate new SA's or bail out with error.*/
3217 if (net->xfrm.sysctl_larval_drop) {
3218 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
3225 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
3233 if ((flags & XFRM_LOOKUP_ICMP) &&
3234 !(pols[0]->flags & XFRM_POLICY_ICMP)) {
3239 for (i = 0; i < num_pols; i++)
3240 WRITE_ONCE(pols[i]->curlft.use_time, ktime_get_real_seconds());
3242 if (num_xfrms < 0) {
3243 /* Prohibit the flow */
3244 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLBLOCK);
3247 } else if (num_xfrms > 0) {
3248 /* Flow transformed */
3249 dst_release(dst_orig);
3251 /* Flow passes untransformed */
3256 xfrm_pols_put(pols, drop_pols);
3257 if (dst && dst->xfrm &&
3258 dst->xfrm->props.mode == XFRM_MODE_TUNNEL)
3259 dst->flags |= DST_XFRM_TUNNEL;
3263 if ((!dst_orig->dev || !(dst_orig->dev->flags & IFF_LOOPBACK)) &&
3264 net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) {
3268 if (!(flags & XFRM_LOOKUP_ICMP)) {
3276 if (!(flags & XFRM_LOOKUP_KEEP_DST_REF))
3277 dst_release(dst_orig);
3278 xfrm_pols_put(pols, drop_pols);
3279 return ERR_PTR(err);
3281 EXPORT_SYMBOL(xfrm_lookup_with_ifid);
3283 /* Main function: finds/creates a bundle for given flow.
3285 * At the moment we eat a raw IP route. Mostly to speed up lookups
3286 * on interfaces with disabled IPsec.
3288 struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
3289 const struct flowi *fl, const struct sock *sk,
3292 return xfrm_lookup_with_ifid(net, dst_orig, fl, sk, flags, 0);
3294 EXPORT_SYMBOL(xfrm_lookup);
3296 /* Callers of xfrm_lookup_route() must ensure a call to dst_output().
3297 * Otherwise we may send out blackholed packets.
3299 struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig,
3300 const struct flowi *fl,
3301 const struct sock *sk, int flags)
3303 struct dst_entry *dst = xfrm_lookup(net, dst_orig, fl, sk,
3304 flags | XFRM_LOOKUP_QUEUE |
3305 XFRM_LOOKUP_KEEP_DST_REF);
3307 if (PTR_ERR(dst) == -EREMOTE)
3308 return make_blackhole(net, dst_orig->ops->family, dst_orig);
3311 dst_release(dst_orig);
3315 EXPORT_SYMBOL(xfrm_lookup_route);
3318 xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
3320 struct sec_path *sp = skb_sec_path(skb);
3321 struct xfrm_state *x;
3323 if (!sp || idx < 0 || idx >= sp->len)
3326 if (!x->type->reject)
3328 return x->type->reject(x, skb, fl);
3331 /* When skb is transformed back to its "native" form, we have to
3332 * check policy restrictions. At the moment we make this in maximally
3333 * stupid way. Shame on me. :-) Of course, connected sockets must
3334 * have policy cached at them.
3338 xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
3339 unsigned short family, u32 if_id)
3341 if (xfrm_state_kern(x))
3342 return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family);
3343 return x->id.proto == tmpl->id.proto &&
3344 (x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
3345 (x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
3346 x->props.mode == tmpl->mode &&
3347 (tmpl->allalgs || (tmpl->aalgos & (1<<x->props.aalgo)) ||
3348 !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
3349 !(x->props.mode != XFRM_MODE_TRANSPORT &&
3350 xfrm_state_addr_cmp(tmpl, x, family)) &&
3351 (if_id == 0 || if_id == x->if_id);
3355 * 0 or more than 0 is returned when validation is succeeded (either bypass
3356 * because of optional transport mode, or next index of the matched secpath
3357 * state with the template.
3358 * -1 is returned when no matching template is found.
3359 * Otherwise "-2 - errored_index" is returned.
3362 xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start,
3363 unsigned short family, u32 if_id)
3367 if (tmpl->optional) {
3368 if (tmpl->mode == XFRM_MODE_TRANSPORT)
3372 for (; idx < sp->len; idx++) {
3373 if (xfrm_state_ok(tmpl, sp->xvec[idx], family, if_id))
3375 if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
3376 if (idx < sp->verified_cnt) {
3377 /* Secpath entry previously verified, consider optional and
3378 * continue searching
3392 decode_session4(const struct xfrm_flow_keys *flkeys, struct flowi *fl, bool reverse)
3394 struct flowi4 *fl4 = &fl->u.ip4;
3396 memset(fl4, 0, sizeof(struct flowi4));
3399 fl4->saddr = flkeys->addrs.ipv4.dst;
3400 fl4->daddr = flkeys->addrs.ipv4.src;
3401 fl4->fl4_sport = flkeys->ports.dst;
3402 fl4->fl4_dport = flkeys->ports.src;
3404 fl4->saddr = flkeys->addrs.ipv4.src;
3405 fl4->daddr = flkeys->addrs.ipv4.dst;
3406 fl4->fl4_sport = flkeys->ports.src;
3407 fl4->fl4_dport = flkeys->ports.dst;
3410 switch (flkeys->basic.ip_proto) {
3412 fl4->fl4_gre_key = flkeys->gre.keyid;
3415 fl4->fl4_icmp_type = flkeys->icmp.type;
3416 fl4->fl4_icmp_code = flkeys->icmp.code;
3420 fl4->flowi4_proto = flkeys->basic.ip_proto;
3421 fl4->flowi4_tos = flkeys->ip.tos & ~INET_ECN_MASK;
3424 #if IS_ENABLED(CONFIG_IPV6)
3426 decode_session6(const struct xfrm_flow_keys *flkeys, struct flowi *fl, bool reverse)
3428 struct flowi6 *fl6 = &fl->u.ip6;
3430 memset(fl6, 0, sizeof(struct flowi6));
3433 fl6->saddr = flkeys->addrs.ipv6.dst;
3434 fl6->daddr = flkeys->addrs.ipv6.src;
3435 fl6->fl6_sport = flkeys->ports.dst;
3436 fl6->fl6_dport = flkeys->ports.src;
3438 fl6->saddr = flkeys->addrs.ipv6.src;
3439 fl6->daddr = flkeys->addrs.ipv6.dst;
3440 fl6->fl6_sport = flkeys->ports.src;
3441 fl6->fl6_dport = flkeys->ports.dst;
3444 switch (flkeys->basic.ip_proto) {
3446 fl6->fl6_gre_key = flkeys->gre.keyid;
3448 case IPPROTO_ICMPV6:
3449 fl6->fl6_icmp_type = flkeys->icmp.type;
3450 fl6->fl6_icmp_code = flkeys->icmp.code;
3454 fl6->flowi6_proto = flkeys->basic.ip_proto;
3458 int __xfrm_decode_session(struct net *net, struct sk_buff *skb, struct flowi *fl,
3459 unsigned int family, int reverse)
3461 struct xfrm_flow_keys flkeys;
3463 memset(&flkeys, 0, sizeof(flkeys));
3464 __skb_flow_dissect(net, skb, &xfrm_session_dissector, &flkeys,
3465 NULL, 0, 0, 0, FLOW_DISSECTOR_F_STOP_AT_ENCAP);
3469 decode_session4(&flkeys, fl, reverse);
3471 #if IS_ENABLED(CONFIG_IPV6)
3473 decode_session6(&flkeys, fl, reverse);
3477 return -EAFNOSUPPORT;
3480 fl->flowi_mark = skb->mark;
3482 fl->flowi_oif = skb->skb_iif;
3486 if (skb_dst(skb) && skb_dst(skb)->dev)
3487 oif = skb_dst(skb)->dev->ifindex;
3489 fl->flowi_oif = oif;
3492 return security_xfrm_decode_session(skb, &fl->flowi_secid);
3494 EXPORT_SYMBOL(__xfrm_decode_session);
3496 static inline int secpath_has_nontransport(const struct sec_path *sp, int k, int *idxp)
3498 for (; k < sp->len; k++) {
3499 if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
3508 int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
3509 unsigned short family)
3511 struct net *net = dev_net(skb->dev);
3512 struct xfrm_policy *pol;
3513 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
3520 const struct xfrm_if_cb *ifcb;
3521 struct sec_path *sp;
3525 ifcb = xfrm_if_get_cb();
3528 struct xfrm_if_decode_session_result r;
3530 if (ifcb->decode_session(skb, family, &r)) {
3537 reverse = dir & ~XFRM_POLICY_MASK;
3538 dir &= XFRM_POLICY_MASK;
3540 if (__xfrm_decode_session(net, skb, &fl, family, reverse) < 0) {
3541 XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
3545 nf_nat_decode_session(skb, &fl, family);
3547 /* First, check used SA against their selectors. */
3548 sp = skb_sec_path(skb);
3552 for (i = sp->len - 1; i >= 0; i--) {
3553 struct xfrm_state *x = sp->xvec[i];
3554 if (!xfrm_selector_match(&x->sel, &fl, family)) {
3555 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH);
3562 sk = sk_to_full_sk(sk);
3563 if (sk && sk->sk_policy[dir]) {
3564 pol = xfrm_sk_policy_lookup(sk, dir, &fl, family, if_id);
3566 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
3572 pol = xfrm_policy_lookup(net, &fl, family, dir, if_id);
3575 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
3580 if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) {
3581 XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
3585 if (sp && secpath_has_nontransport(sp, 0, &xerr_idx)) {
3586 xfrm_secpath_reject(xerr_idx, skb, &fl);
3587 XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
3593 /* This lockless write can happen from different cpus. */
3594 WRITE_ONCE(pol->curlft.use_time, ktime_get_real_seconds());
3598 #ifdef CONFIG_XFRM_SUB_POLICY
3599 if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
3600 pols[1] = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN,
3602 XFRM_POLICY_IN, if_id);
3604 if (IS_ERR(pols[1])) {
3605 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
3606 xfrm_pol_put(pols[0]);
3609 /* This write can happen from different cpus. */
3610 WRITE_ONCE(pols[1]->curlft.use_time,
3611 ktime_get_real_seconds());
3617 if (pol->action == XFRM_POLICY_ALLOW) {
3618 static struct sec_path dummy;
3619 struct xfrm_tmpl *tp[XFRM_MAX_DEPTH];
3620 struct xfrm_tmpl *stp[XFRM_MAX_DEPTH];
3621 struct xfrm_tmpl **tpp = tp;
3625 sp = skb_sec_path(skb);
3629 for (pi = 0; pi < npols; pi++) {
3630 if (pols[pi] != pol &&
3631 pols[pi]->action != XFRM_POLICY_ALLOW) {
3632 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
3635 if (ti + pols[pi]->xfrm_nr >= XFRM_MAX_DEPTH) {
3636 XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
3639 for (i = 0; i < pols[pi]->xfrm_nr; i++)
3640 tpp[ti++] = &pols[pi]->xfrm_vec[i];
3645 xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
3649 /* For each tunnel xfrm, find the first matching tmpl.
3650 * For each tmpl before that, find corresponding xfrm.
3651 * Order is _important_. Later we will implement
3652 * some barriers, but at the moment barriers
3653 * are implied between each two transformations.
3654 * Upon success, marks secpath entries as having been
3655 * verified to allow them to be skipped in future policy
3656 * checks (e.g. nested tunnels).
3658 for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
3659 k = xfrm_policy_ok(tpp[i], sp, k, family, if_id);
3662 /* "-2 - errored_index" returned */
3664 XFRM_INC_STATS(net, LINUX_MIB_XFRMINTMPLMISMATCH);
3669 if (secpath_has_nontransport(sp, k, &xerr_idx)) {
3670 XFRM_INC_STATS(net, LINUX_MIB_XFRMINTMPLMISMATCH);
3674 xfrm_pols_put(pols, npols);
3675 sp->verified_cnt = k;
3679 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
3682 xfrm_secpath_reject(xerr_idx, skb, &fl);
3684 xfrm_pols_put(pols, npols);
3687 EXPORT_SYMBOL(__xfrm_policy_check);
3689 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
3691 struct net *net = dev_net(skb->dev);
3693 struct dst_entry *dst;
3696 if (xfrm_decode_session(net, skb, &fl, family) < 0) {
3697 XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
3702 if (!skb_dst(skb)) {
3703 XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
3707 dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE);
3712 skb_dst_set(skb, dst);
3715 EXPORT_SYMBOL(__xfrm_route_forward);
3717 /* Optimize later using cookies and generation ids. */
3719 static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
3721 /* Code (such as __xfrm4_bundle_create()) sets dst->obsolete
3722 * to DST_OBSOLETE_FORCE_CHK to force all XFRM destinations to
3723 * get validated by dst_ops->check on every use. We do this
3724 * because when a normal route referenced by an XFRM dst is
3725 * obsoleted we do not go looking around for all parent
3726 * referencing XFRM dsts so that we can invalidate them. It
3727 * is just too much work. Instead we make the checks here on
3728 * every use. For example:
3730 * XFRM dst A --> IPv4 dst X
3732 * X is the "xdst->route" of A (X is also the "dst->path" of A
3733 * in this example). If X is marked obsolete, "A" will not
3734 * notice. That's what we are validating here via the
3735 * stale_bundle() check.
3737 * When a dst is removed from the fib tree, DST_OBSOLETE_DEAD will
3739 * This will force stale_bundle() to fail on any xdst bundle with
3740 * this dst linked in it.
3742 if (dst->obsolete < 0 && !stale_bundle(dst))
3748 static int stale_bundle(struct dst_entry *dst)
3750 return !xfrm_bundle_ok((struct xfrm_dst *)dst);
3753 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
3755 while ((dst = xfrm_dst_child(dst)) && dst->xfrm && dst->dev == dev) {
3756 dst->dev = blackhole_netdev;
3761 EXPORT_SYMBOL(xfrm_dst_ifdown);
3763 static void xfrm_link_failure(struct sk_buff *skb)
3765 /* Impossible. Such dst must be popped before reaches point of failure. */
3768 static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
3771 if (dst->obsolete) {
3779 static void xfrm_init_pmtu(struct xfrm_dst **bundle, int nr)
3782 struct xfrm_dst *xdst = bundle[nr];
3783 u32 pmtu, route_mtu_cached;
3784 struct dst_entry *dst;
3787 pmtu = dst_mtu(xfrm_dst_child(dst));
3788 xdst->child_mtu_cached = pmtu;
3790 pmtu = xfrm_state_mtu(dst->xfrm, pmtu);
3792 route_mtu_cached = dst_mtu(xdst->route);
3793 xdst->route_mtu_cached = route_mtu_cached;
3795 if (pmtu > route_mtu_cached)
3796 pmtu = route_mtu_cached;
3798 dst_metric_set(dst, RTAX_MTU, pmtu);
3802 /* Check that the bundle accepts the flow and its components are
3806 static int xfrm_bundle_ok(struct xfrm_dst *first)
3808 struct xfrm_dst *bundle[XFRM_MAX_DEPTH];
3809 struct dst_entry *dst = &first->u.dst;
3810 struct xfrm_dst *xdst;
3814 if (!dst_check(xfrm_dst_path(dst), ((struct xfrm_dst *)dst)->path_cookie) ||
3815 (dst->dev && !netif_running(dst->dev)))
3818 if (dst->flags & DST_XFRM_QUEUE)
3821 start_from = nr = 0;
3823 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
3825 if (dst->xfrm->km.state != XFRM_STATE_VALID)
3827 if (xdst->xfrm_genid != dst->xfrm->genid)
3829 if (xdst->num_pols > 0 &&
3830 xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
3833 bundle[nr++] = xdst;
3835 mtu = dst_mtu(xfrm_dst_child(dst));
3836 if (xdst->child_mtu_cached != mtu) {
3838 xdst->child_mtu_cached = mtu;
3841 if (!dst_check(xdst->route, xdst->route_cookie))
3843 mtu = dst_mtu(xdst->route);
3844 if (xdst->route_mtu_cached != mtu) {
3846 xdst->route_mtu_cached = mtu;
3849 dst = xfrm_dst_child(dst);
3850 } while (dst->xfrm);
3852 if (likely(!start_from))
3855 xdst = bundle[start_from - 1];
3856 mtu = xdst->child_mtu_cached;
3857 while (start_from--) {
3860 mtu = xfrm_state_mtu(dst->xfrm, mtu);
3861 if (mtu > xdst->route_mtu_cached)
3862 mtu = xdst->route_mtu_cached;
3863 dst_metric_set(dst, RTAX_MTU, mtu);
3867 xdst = bundle[start_from - 1];
3868 xdst->child_mtu_cached = mtu;
3874 static unsigned int xfrm_default_advmss(const struct dst_entry *dst)
3876 return dst_metric_advmss(xfrm_dst_path(dst));
3879 static unsigned int xfrm_mtu(const struct dst_entry *dst)
3881 unsigned int mtu = dst_metric_raw(dst, RTAX_MTU);
3883 return mtu ? : dst_mtu(xfrm_dst_path(dst));
3886 static const void *xfrm_get_dst_nexthop(const struct dst_entry *dst,
3890 const struct xfrm_state *xfrm = dst->xfrm;
3892 dst = xfrm_dst_child(dst);
3894 if (xfrm->props.mode == XFRM_MODE_TRANSPORT)
3896 if (xfrm->type->flags & XFRM_TYPE_REMOTE_COADDR)
3897 daddr = xfrm->coaddr;
3898 else if (!(xfrm->type->flags & XFRM_TYPE_LOCAL_COADDR))
3899 daddr = &xfrm->id.daddr;
3904 static struct neighbour *xfrm_neigh_lookup(const struct dst_entry *dst,
3905 struct sk_buff *skb,
3908 const struct dst_entry *path = xfrm_dst_path(dst);
3911 daddr = xfrm_get_dst_nexthop(dst, daddr);
3912 return path->ops->neigh_lookup(path, skb, daddr);
3915 static void xfrm_confirm_neigh(const struct dst_entry *dst, const void *daddr)
3917 const struct dst_entry *path = xfrm_dst_path(dst);
3919 daddr = xfrm_get_dst_nexthop(dst, daddr);
3920 path->ops->confirm_neigh(path, daddr);
3923 int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family)
3927 if (WARN_ON(family >= ARRAY_SIZE(xfrm_policy_afinfo)))
3928 return -EAFNOSUPPORT;
3930 spin_lock(&xfrm_policy_afinfo_lock);
3931 if (unlikely(xfrm_policy_afinfo[family] != NULL))
3934 struct dst_ops *dst_ops = afinfo->dst_ops;
3935 if (likely(dst_ops->kmem_cachep == NULL))
3936 dst_ops->kmem_cachep = xfrm_dst_cache;
3937 if (likely(dst_ops->check == NULL))
3938 dst_ops->check = xfrm_dst_check;
3939 if (likely(dst_ops->default_advmss == NULL))
3940 dst_ops->default_advmss = xfrm_default_advmss;
3941 if (likely(dst_ops->mtu == NULL))
3942 dst_ops->mtu = xfrm_mtu;
3943 if (likely(dst_ops->negative_advice == NULL))
3944 dst_ops->negative_advice = xfrm_negative_advice;
3945 if (likely(dst_ops->link_failure == NULL))
3946 dst_ops->link_failure = xfrm_link_failure;
3947 if (likely(dst_ops->neigh_lookup == NULL))
3948 dst_ops->neigh_lookup = xfrm_neigh_lookup;
3949 if (likely(!dst_ops->confirm_neigh))
3950 dst_ops->confirm_neigh = xfrm_confirm_neigh;
3951 rcu_assign_pointer(xfrm_policy_afinfo[family], afinfo);
3953 spin_unlock(&xfrm_policy_afinfo_lock);
3957 EXPORT_SYMBOL(xfrm_policy_register_afinfo);
3959 void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo)
3961 struct dst_ops *dst_ops = afinfo->dst_ops;
3964 for (i = 0; i < ARRAY_SIZE(xfrm_policy_afinfo); i++) {
3965 if (xfrm_policy_afinfo[i] != afinfo)
3967 RCU_INIT_POINTER(xfrm_policy_afinfo[i], NULL);
3973 dst_ops->kmem_cachep = NULL;
3974 dst_ops->check = NULL;
3975 dst_ops->negative_advice = NULL;
3976 dst_ops->link_failure = NULL;
3978 EXPORT_SYMBOL(xfrm_policy_unregister_afinfo);
3980 void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb)
3982 spin_lock(&xfrm_if_cb_lock);
3983 rcu_assign_pointer(xfrm_if_cb, ifcb);
3984 spin_unlock(&xfrm_if_cb_lock);
3986 EXPORT_SYMBOL(xfrm_if_register_cb);
3988 void xfrm_if_unregister_cb(void)
3990 RCU_INIT_POINTER(xfrm_if_cb, NULL);
3993 EXPORT_SYMBOL(xfrm_if_unregister_cb);
3995 #ifdef CONFIG_XFRM_STATISTICS
3996 static int __net_init xfrm_statistics_init(struct net *net)
3999 net->mib.xfrm_statistics = alloc_percpu(struct linux_xfrm_mib);
4000 if (!net->mib.xfrm_statistics)
4002 rv = xfrm_proc_init(net);
4004 free_percpu(net->mib.xfrm_statistics);
4008 static void xfrm_statistics_fini(struct net *net)
4010 xfrm_proc_fini(net);
4011 free_percpu(net->mib.xfrm_statistics);
4014 static int __net_init xfrm_statistics_init(struct net *net)
4019 static void xfrm_statistics_fini(struct net *net)
4024 static int __net_init xfrm_policy_init(struct net *net)
4026 unsigned int hmask, sz;
4029 if (net_eq(net, &init_net)) {
4030 xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache",
4031 sizeof(struct xfrm_dst),
4032 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC,
4034 err = rhashtable_init(&xfrm_policy_inexact_table,
4035 &xfrm_pol_inexact_params);
4040 sz = (hmask+1) * sizeof(struct hlist_head);
4042 net->xfrm.policy_byidx = xfrm_hash_alloc(sz);
4043 if (!net->xfrm.policy_byidx)
4045 net->xfrm.policy_idx_hmask = hmask;
4047 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
4048 struct xfrm_policy_hash *htab;
4050 net->xfrm.policy_count[dir] = 0;
4051 net->xfrm.policy_count[XFRM_POLICY_MAX + dir] = 0;
4052 INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]);
4054 htab = &net->xfrm.policy_bydst[dir];
4055 htab->table = xfrm_hash_alloc(sz);
4058 htab->hmask = hmask;
4064 net->xfrm.policy_hthresh.lbits4 = 32;
4065 net->xfrm.policy_hthresh.rbits4 = 32;
4066 net->xfrm.policy_hthresh.lbits6 = 128;
4067 net->xfrm.policy_hthresh.rbits6 = 128;
4069 seqlock_init(&net->xfrm.policy_hthresh.lock);
4071 INIT_LIST_HEAD(&net->xfrm.policy_all);
4072 INIT_LIST_HEAD(&net->xfrm.inexact_bins);
4073 INIT_WORK(&net->xfrm.policy_hash_work, xfrm_hash_resize);
4074 INIT_WORK(&net->xfrm.policy_hthresh.work, xfrm_hash_rebuild);
4078 for (dir--; dir >= 0; dir--) {
4079 struct xfrm_policy_hash *htab;
4081 htab = &net->xfrm.policy_bydst[dir];
4082 xfrm_hash_free(htab->table, sz);
4084 xfrm_hash_free(net->xfrm.policy_byidx, sz);
4089 static void xfrm_policy_fini(struct net *net)
4091 struct xfrm_pol_inexact_bin *b, *t;
4095 flush_work(&net->xfrm.policy_hash_work);
4096 #ifdef CONFIG_XFRM_SUB_POLICY
4097 xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, false);
4099 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
4101 WARN_ON(!list_empty(&net->xfrm.policy_all));
4103 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
4104 struct xfrm_policy_hash *htab;
4106 WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir]));
4108 htab = &net->xfrm.policy_bydst[dir];
4109 sz = (htab->hmask + 1) * sizeof(struct hlist_head);
4110 WARN_ON(!hlist_empty(htab->table));
4111 xfrm_hash_free(htab->table, sz);
4114 sz = (net->xfrm.policy_idx_hmask + 1) * sizeof(struct hlist_head);
4115 WARN_ON(!hlist_empty(net->xfrm.policy_byidx));
4116 xfrm_hash_free(net->xfrm.policy_byidx, sz);
4118 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
4119 list_for_each_entry_safe(b, t, &net->xfrm.inexact_bins, inexact_bins)
4120 __xfrm_policy_inexact_prune_bin(b, true);
4121 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
4124 static int __net_init xfrm_net_init(struct net *net)
4128 /* Initialize the per-net locks here */
4129 spin_lock_init(&net->xfrm.xfrm_state_lock);
4130 spin_lock_init(&net->xfrm.xfrm_policy_lock);
4131 seqcount_spinlock_init(&net->xfrm.xfrm_policy_hash_generation, &net->xfrm.xfrm_policy_lock);
4132 mutex_init(&net->xfrm.xfrm_cfg_mutex);
4133 net->xfrm.policy_default[XFRM_POLICY_IN] = XFRM_USERPOLICY_ACCEPT;
4134 net->xfrm.policy_default[XFRM_POLICY_FWD] = XFRM_USERPOLICY_ACCEPT;
4135 net->xfrm.policy_default[XFRM_POLICY_OUT] = XFRM_USERPOLICY_ACCEPT;
4137 rv = xfrm_statistics_init(net);
4139 goto out_statistics;
4140 rv = xfrm_state_init(net);
4143 rv = xfrm_policy_init(net);
4146 rv = xfrm_sysctl_init(net);
4153 xfrm_policy_fini(net);
4155 xfrm_state_fini(net);
4157 xfrm_statistics_fini(net);
4162 static void __net_exit xfrm_net_exit(struct net *net)
4164 xfrm_sysctl_fini(net);
4165 xfrm_policy_fini(net);
4166 xfrm_state_fini(net);
4167 xfrm_statistics_fini(net);
4170 static struct pernet_operations __net_initdata xfrm_net_ops = {
4171 .init = xfrm_net_init,
4172 .exit = xfrm_net_exit,
4175 static const struct flow_dissector_key xfrm_flow_dissector_keys[] = {
4177 .key_id = FLOW_DISSECTOR_KEY_CONTROL,
4178 .offset = offsetof(struct xfrm_flow_keys, control),
4181 .key_id = FLOW_DISSECTOR_KEY_BASIC,
4182 .offset = offsetof(struct xfrm_flow_keys, basic),
4185 .key_id = FLOW_DISSECTOR_KEY_IPV4_ADDRS,
4186 .offset = offsetof(struct xfrm_flow_keys, addrs.ipv4),
4189 .key_id = FLOW_DISSECTOR_KEY_IPV6_ADDRS,
4190 .offset = offsetof(struct xfrm_flow_keys, addrs.ipv6),
4193 .key_id = FLOW_DISSECTOR_KEY_PORTS,
4194 .offset = offsetof(struct xfrm_flow_keys, ports),
4197 .key_id = FLOW_DISSECTOR_KEY_GRE_KEYID,
4198 .offset = offsetof(struct xfrm_flow_keys, gre),
4201 .key_id = FLOW_DISSECTOR_KEY_IP,
4202 .offset = offsetof(struct xfrm_flow_keys, ip),
4205 .key_id = FLOW_DISSECTOR_KEY_ICMP,
4206 .offset = offsetof(struct xfrm_flow_keys, icmp),
4210 void __init xfrm_init(void)
4212 skb_flow_dissector_init(&xfrm_session_dissector,
4213 xfrm_flow_dissector_keys,
4214 ARRAY_SIZE(xfrm_flow_dissector_keys));
4216 register_pernet_subsys(&xfrm_net_ops);
4220 #ifdef CONFIG_XFRM_ESPINTCP
4224 register_xfrm_state_bpf();
4227 #ifdef CONFIG_AUDITSYSCALL
4228 static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
4229 struct audit_buffer *audit_buf)
4231 struct xfrm_sec_ctx *ctx = xp->security;
4232 struct xfrm_selector *sel = &xp->selector;
4235 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
4236 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
4238 switch (sel->family) {
4240 audit_log_format(audit_buf, " src=%pI4", &sel->saddr.a4);
4241 if (sel->prefixlen_s != 32)
4242 audit_log_format(audit_buf, " src_prefixlen=%d",
4244 audit_log_format(audit_buf, " dst=%pI4", &sel->daddr.a4);
4245 if (sel->prefixlen_d != 32)
4246 audit_log_format(audit_buf, " dst_prefixlen=%d",
4250 audit_log_format(audit_buf, " src=%pI6", sel->saddr.a6);
4251 if (sel->prefixlen_s != 128)
4252 audit_log_format(audit_buf, " src_prefixlen=%d",
4254 audit_log_format(audit_buf, " dst=%pI6", sel->daddr.a6);
4255 if (sel->prefixlen_d != 128)
4256 audit_log_format(audit_buf, " dst_prefixlen=%d",
4262 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid)
4264 struct audit_buffer *audit_buf;
4266 audit_buf = xfrm_audit_start("SPD-add");
4267 if (audit_buf == NULL)
4269 xfrm_audit_helper_usrinfo(task_valid, audit_buf);
4270 audit_log_format(audit_buf, " res=%u", result);
4271 xfrm_audit_common_policyinfo(xp, audit_buf);
4272 audit_log_end(audit_buf);
4274 EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
4276 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
4279 struct audit_buffer *audit_buf;
4281 audit_buf = xfrm_audit_start("SPD-delete");
4282 if (audit_buf == NULL)
4284 xfrm_audit_helper_usrinfo(task_valid, audit_buf);
4285 audit_log_format(audit_buf, " res=%u", result);
4286 xfrm_audit_common_policyinfo(xp, audit_buf);
4287 audit_log_end(audit_buf);
4289 EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
4292 #ifdef CONFIG_XFRM_MIGRATE
4293 static bool xfrm_migrate_selector_match(const struct xfrm_selector *sel_cmp,
4294 const struct xfrm_selector *sel_tgt)
4296 if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
4297 if (sel_tgt->family == sel_cmp->family &&
4298 xfrm_addr_equal(&sel_tgt->daddr, &sel_cmp->daddr,
4300 xfrm_addr_equal(&sel_tgt->saddr, &sel_cmp->saddr,
4302 sel_tgt->prefixlen_d == sel_cmp->prefixlen_d &&
4303 sel_tgt->prefixlen_s == sel_cmp->prefixlen_s) {
4307 if (memcmp(sel_tgt, sel_cmp, sizeof(*sel_tgt)) == 0) {
4314 static struct xfrm_policy *xfrm_migrate_policy_find(const struct xfrm_selector *sel,
4315 u8 dir, u8 type, struct net *net, u32 if_id)
4317 struct xfrm_policy *pol, *ret = NULL;
4318 struct hlist_head *chain;
4321 spin_lock_bh(&net->xfrm.xfrm_policy_lock);
4322 chain = policy_hash_direct(net, &sel->daddr, &sel->saddr, sel->family, dir);
4323 hlist_for_each_entry(pol, chain, bydst) {
4324 if ((if_id == 0 || pol->if_id == if_id) &&
4325 xfrm_migrate_selector_match(sel, &pol->selector) &&
4326 pol->type == type) {
4328 priority = ret->priority;
4332 chain = &net->xfrm.policy_inexact[dir];
4333 hlist_for_each_entry(pol, chain, bydst_inexact_list) {
4334 if ((pol->priority >= priority) && ret)
4337 if ((if_id == 0 || pol->if_id == if_id) &&
4338 xfrm_migrate_selector_match(sel, &pol->selector) &&
4339 pol->type == type) {
4347 spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
4352 static int migrate_tmpl_match(const struct xfrm_migrate *m, const struct xfrm_tmpl *t)
4356 if (t->mode == m->mode && t->id.proto == m->proto &&
4357 (m->reqid == 0 || t->reqid == m->reqid)) {
4359 case XFRM_MODE_TUNNEL:
4360 case XFRM_MODE_BEET:
4361 if (xfrm_addr_equal(&t->id.daddr, &m->old_daddr,
4363 xfrm_addr_equal(&t->saddr, &m->old_saddr,
4368 case XFRM_MODE_TRANSPORT:
4369 /* in case of transport mode, template does not store
4370 any IP addresses, hence we just compare mode and
4381 /* update endpoint address(es) of template(s) */
4382 static int xfrm_policy_migrate(struct xfrm_policy *pol,
4383 struct xfrm_migrate *m, int num_migrate,
4384 struct netlink_ext_ack *extack)
4386 struct xfrm_migrate *mp;
4389 write_lock_bh(&pol->lock);
4390 if (unlikely(pol->walk.dead)) {
4391 /* target policy has been deleted */
4392 NL_SET_ERR_MSG(extack, "Target policy not found");
4393 write_unlock_bh(&pol->lock);
4397 for (i = 0; i < pol->xfrm_nr; i++) {
4398 for (j = 0, mp = m; j < num_migrate; j++, mp++) {
4399 if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i]))
4402 if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL &&
4403 pol->xfrm_vec[i].mode != XFRM_MODE_BEET)
4405 /* update endpoints */
4406 memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr,
4407 sizeof(pol->xfrm_vec[i].id.daddr));
4408 memcpy(&pol->xfrm_vec[i].saddr, &mp->new_saddr,
4409 sizeof(pol->xfrm_vec[i].saddr));
4410 pol->xfrm_vec[i].encap_family = mp->new_family;
4412 atomic_inc(&pol->genid);
4416 write_unlock_bh(&pol->lock);
4424 static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate,
4425 struct netlink_ext_ack *extack)
4429 if (num_migrate < 1 || num_migrate > XFRM_MAX_DEPTH) {
4430 NL_SET_ERR_MSG(extack, "Invalid number of SAs to migrate, must be 0 < num <= XFRM_MAX_DEPTH (6)");
4434 for (i = 0; i < num_migrate; i++) {
4435 if (xfrm_addr_any(&m[i].new_daddr, m[i].new_family) ||
4436 xfrm_addr_any(&m[i].new_saddr, m[i].new_family)) {
4437 NL_SET_ERR_MSG(extack, "Addresses in the MIGRATE attribute's list cannot be null");
4441 /* check if there is any duplicated entry */
4442 for (j = i + 1; j < num_migrate; j++) {
4443 if (!memcmp(&m[i].old_daddr, &m[j].old_daddr,
4444 sizeof(m[i].old_daddr)) &&
4445 !memcmp(&m[i].old_saddr, &m[j].old_saddr,
4446 sizeof(m[i].old_saddr)) &&
4447 m[i].proto == m[j].proto &&
4448 m[i].mode == m[j].mode &&
4449 m[i].reqid == m[j].reqid &&
4450 m[i].old_family == m[j].old_family) {
4451 NL_SET_ERR_MSG(extack, "Entries in the MIGRATE attribute's list must be unique");
4460 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
4461 struct xfrm_migrate *m, int num_migrate,
4462 struct xfrm_kmaddress *k, struct net *net,
4463 struct xfrm_encap_tmpl *encap, u32 if_id,
4464 struct netlink_ext_ack *extack)
4466 int i, err, nx_cur = 0, nx_new = 0;
4467 struct xfrm_policy *pol = NULL;
4468 struct xfrm_state *x, *xc;
4469 struct xfrm_state *x_cur[XFRM_MAX_DEPTH];
4470 struct xfrm_state *x_new[XFRM_MAX_DEPTH];
4471 struct xfrm_migrate *mp;
4473 /* Stage 0 - sanity checks */
4474 err = xfrm_migrate_check(m, num_migrate, extack);
4478 if (dir >= XFRM_POLICY_MAX) {
4479 NL_SET_ERR_MSG(extack, "Invalid policy direction");
4484 /* Stage 1 - find policy */
4485 pol = xfrm_migrate_policy_find(sel, dir, type, net, if_id);
4487 NL_SET_ERR_MSG(extack, "Target policy not found");
4492 /* Stage 2 - find and update state(s) */
4493 for (i = 0, mp = m; i < num_migrate; i++, mp++) {
4494 if ((x = xfrm_migrate_state_find(mp, net, if_id))) {
4497 xc = xfrm_state_migrate(x, mp, encap);
4508 /* Stage 3 - update policy */
4509 err = xfrm_policy_migrate(pol, m, num_migrate, extack);
4513 /* Stage 4 - delete old state(s) */
4515 xfrm_states_put(x_cur, nx_cur);
4516 xfrm_states_delete(x_cur, nx_cur);
4519 /* Stage 5 - announce */
4520 km_migrate(sel, dir, type, m, num_migrate, k, encap);
4532 xfrm_states_put(x_cur, nx_cur);
4534 xfrm_states_delete(x_new, nx_new);
4538 EXPORT_SYMBOL(xfrm_migrate);
projects / releases.git / blob