diff options
Diffstat (limited to 'include/net/xfrm.h')
| -rw-r--r-- | include/net/xfrm.h | 284 |
1 files changed, 242 insertions, 42 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 1dd20cf17982..5ebb9ba479b1 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -19,6 +19,9 @@ #include <net/route.h> #include <net/ipv6.h> #include <net/ip6_fib.h> +#ifdef CONFIG_XFRM_STATISTICS +#include <net/snmp.h> +#endif #define XFRM_PROTO_ESP 50 #define XFRM_PROTO_AH 51 @@ -34,6 +37,17 @@ #define MODULE_ALIAS_XFRM_TYPE(family, proto) \ MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto)) +#ifdef CONFIG_XFRM_STATISTICS +DECLARE_SNMP_STAT(struct linux_xfrm_mib, xfrm_statistics); +#define XFRM_INC_STATS(field) SNMP_INC_STATS(xfrm_statistics, field) +#define XFRM_INC_STATS_BH(field) SNMP_INC_STATS_BH(xfrm_statistics, field) +#define XFRM_INC_STATS_USER(field) SNMP_INC_STATS_USER(xfrm_statistics, field) +#else +#define XFRM_INC_STATS(field) +#define XFRM_INC_STATS_BH(field) +#define XFRM_INC_STATS_USER(field) +#endif + extern struct sock *xfrm_nl; extern u32 sysctl_xfrm_aevent_etime; extern u32 sysctl_xfrm_aevent_rseqth; @@ -183,7 +197,7 @@ struct xfrm_state struct timer_list timer; /* Last used time */ - u64 lastused; + unsigned long lastused; /* Reference to data common to all the instances of this * transformer. */ @@ -227,22 +241,26 @@ struct km_event u32 event; }; +struct net_device; struct xfrm_type; struct xfrm_dst; struct xfrm_policy_afinfo { unsigned short family; struct dst_ops *dst_ops; void (*garbage_collect)(void); - int (*dst_lookup)(struct xfrm_dst **dst, struct flowi *fl); + struct dst_entry *(*dst_lookup)(int tos, xfrm_address_t *saddr, + xfrm_address_t *daddr); int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr); struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy); - int (*bundle_create)(struct xfrm_policy *policy, - struct xfrm_state **xfrm, - int nx, - struct flowi *fl, - struct dst_entry **dst_p); void (*decode_session)(struct sk_buff *skb, - struct flowi *fl); + struct flowi *fl, + int reverse); + int (*get_tos)(struct flowi *fl); + int (*init_path)(struct xfrm_dst *path, + struct dst_entry *dst, + int nfheader_len); + int (*fill_dst)(struct xfrm_dst *xdst, + struct net_device *dev); }; extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo); @@ -257,6 +275,8 @@ extern int __xfrm_state_delete(struct xfrm_state *x); struct xfrm_state_afinfo { unsigned int family; + unsigned int proto; + unsigned int eth_proto; struct module *owner; struct xfrm_type *type_map[IPPROTO_MAX]; struct xfrm_mode *mode_map[XFRM_MODE_MAX]; @@ -267,6 +287,12 @@ struct xfrm_state_afinfo { int (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n); int (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n); int (*output)(struct sk_buff *skb); + int (*extract_input)(struct xfrm_state *x, + struct sk_buff *skb); + int (*extract_output)(struct xfrm_state *x, + struct sk_buff *skb); + int (*transport_finish)(struct sk_buff *skb, + int async); }; extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo); @@ -282,6 +308,8 @@ struct xfrm_type __u8 flags; #define XFRM_TYPE_NON_FRAGMENT 1 #define XFRM_TYPE_REPLAY_PROT 2 +#define XFRM_TYPE_LOCAL_COADDR 4 +#define XFRM_TYPE_REMOTE_COADDR 8 int (*init_state)(struct xfrm_state *x); void (*destructor)(struct xfrm_state *); @@ -289,8 +317,6 @@ struct xfrm_type int (*output)(struct xfrm_state *, struct sk_buff *pskb); int (*reject)(struct xfrm_state *, struct sk_buff *, struct flowi *); int (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **); - xfrm_address_t *(*local_addr)(struct xfrm_state *, xfrm_address_t *); - xfrm_address_t *(*remote_addr)(struct xfrm_state *, xfrm_address_t *); /* Estimate maximal size of result of transformation of a dgram */ u32 (*get_mtu)(struct xfrm_state *, int size); }; @@ -299,6 +325,27 @@ extern int xfrm_register_type(struct xfrm_type *type, unsigned short family); extern int xfrm_unregister_type(struct xfrm_type *type, unsigned short family); struct xfrm_mode { + /* + * Remove encapsulation header. + * + * The IP header will be moved over the top of the encapsulation + * header. + * + * On entry, the transport header shall point to where the IP header + * should be and the network header shall be set to where the IP + * header currently is. skb->data shall point to the start of the + * payload. + */ + int (*input2)(struct xfrm_state *x, struct sk_buff *skb); + + /* + * This is the actual input entry point. + * + * For transport mode and equivalent this would be identical to + * input2 (which does not need to be set). While tunnel mode + * and equivalent would set this to the tunnel encapsulation function + * xfrm4_prepare_input that would in turn call input2. + */ int (*input)(struct xfrm_state *x, struct sk_buff *skb); /* @@ -312,7 +359,18 @@ struct xfrm_mode { * header. The value of the network header will always point * to the top IP header while skb->data will point to the payload. */ - int (*output)(struct xfrm_state *x,struct sk_buff *skb); + int (*output2)(struct xfrm_state *x,struct sk_buff *skb); + + /* + * This is the actual output entry point. + * + * For transport mode and equivalent this would be identical to + * output2 (which does not need to be set). While tunnel mode + * and equivalent would set this to a tunnel encapsulation function + * (xfrm4_prepare_output or xfrm6_prepare_output) that would in turn + * call output2. + */ + int (*output)(struct xfrm_state *x, struct sk_buff *skb); struct xfrm_state_afinfo *afinfo; struct module *owner; @@ -454,6 +512,51 @@ struct xfrm_skb_cb { #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0])) +/* + * This structure is used by the afinfo prepare_input/prepare_output functions + * to transmit header information to the mode input/output functions. + */ +struct xfrm_mode_skb_cb { + union { + struct inet_skb_parm h4; + struct inet6_skb_parm h6; + } header; + + /* Copied from header for IPv4, always set to zero and DF for IPv6. */ + __be16 id; + __be16 frag_off; + + /* TOS for IPv4, class for IPv6. */ + u8 tos; + + /* TTL for IPv4, hop limitfor IPv6. */ + u8 ttl; + + /* Protocol for IPv4, NH for IPv6. */ + u8 protocol; + + /* Used by IPv6 only, zero for IPv4. */ + u8 flow_lbl[3]; +}; + +#define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0])) + +/* + * This structure is used by the input processing to locate the SPI and + * related information. + */ +struct xfrm_spi_skb_cb { + union { + struct inet_skb_parm h4; + struct inet6_skb_parm h6; + } header; + + unsigned int daddroff; + unsigned int family; +}; + +#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0])) + /* Audit Information */ struct xfrm_audit { @@ -462,41 +565,59 @@ struct xfrm_audit }; #ifdef CONFIG_AUDITSYSCALL -static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid) +static inline struct audit_buffer *xfrm_audit_start(const char *op) { struct audit_buffer *audit_buf = NULL; - char *secctx; - u32 secctx_len; + if (audit_enabled == 0) + return NULL; audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, - AUDIT_MAC_IPSEC_EVENT); + AUDIT_MAC_IPSEC_EVENT); if (audit_buf == NULL) return NULL; + audit_log_format(audit_buf, "op=%s", op); + return audit_buf; +} - audit_log_format(audit_buf, "auid=%u", auid); +static inline void xfrm_audit_helper_usrinfo(u32 auid, u32 secid, + struct audit_buffer *audit_buf) +{ + char *secctx; + u32 secctx_len; - if (sid != 0 && - security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) { + audit_log_format(audit_buf, " auid=%u", auid); + if (secid != 0 && + security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); security_release_secctx(secctx, secctx_len); } else audit_log_task_context(audit_buf); - return audit_buf; } extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, - u32 auid, u32 sid); + u32 auid, u32 secid); extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, - u32 auid, u32 sid); + u32 auid, u32 secid); extern void xfrm_audit_state_add(struct xfrm_state *x, int result, - u32 auid, u32 sid); + u32 auid, u32 secid); extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, - u32 auid, u32 sid); + u32 auid, u32 secid); +extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x, + struct sk_buff *skb); +extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family); +extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, + __be32 net_spi, __be32 net_seq); +extern void xfrm_audit_state_icvfail(struct xfrm_state *x, + struct sk_buff *skb, u8 proto); #else #define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0) #define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0) #define xfrm_audit_state_add(x, r, a, s) do { ; } while (0) #define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0) +#define xfrm_audit_state_replay_overflow(x, s) do { ; } while (0) +#define xfrm_audit_state_notfound_simple(s, f) do { ; } while (0) +#define xfrm_audit_state_notfound(s, f, sp, sq) do { ; } while (0) +#define xfrm_audit_state_icvfail(x, s, p) do { ; } while (0) #endif /* CONFIG_AUDITSYSCALL */ static inline void xfrm_pol_hold(struct xfrm_policy *policy) @@ -505,12 +626,12 @@ static inline void xfrm_pol_hold(struct xfrm_policy *policy) atomic_inc(&policy->refcnt); } -extern void __xfrm_policy_destroy(struct xfrm_policy *policy); +extern void xfrm_policy_destroy(struct xfrm_policy *policy); static inline void xfrm_pol_put(struct xfrm_policy *policy) { if (atomic_dec_and_test(&policy->refcnt)) - __xfrm_policy_destroy(policy); + xfrm_policy_destroy(policy); } #ifdef CONFIG_XFRM_SUB_POLICY @@ -757,17 +878,25 @@ xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short } #ifdef CONFIG_XFRM - extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family); -static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) +static inline int __xfrm_policy_check2(struct sock *sk, int dir, + struct sk_buff *skb, + unsigned int family, int reverse) { + int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0); + if (sk && sk->sk_policy[XFRM_POLICY_IN]) - return __xfrm_policy_check(sk, dir, skb, family); + return __xfrm_policy_check(sk, ndir, skb, family); return (!xfrm_policy_count[dir] && !skb->sp) || (skb->dst->flags & DST_NOPOLICY) || - __xfrm_policy_check(sk, dir, skb, family); + __xfrm_policy_check(sk, ndir, skb, family); +} + +static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) +{ + return __xfrm_policy_check2(sk, dir, skb, family, 0); } static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) @@ -780,7 +909,34 @@ static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *s return xfrm_policy_check(sk, dir, skb, AF_INET6); } -extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family); +static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir, + struct sk_buff *skb) +{ + return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1); +} + +static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, + struct sk_buff *skb) +{ + return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1); +} + +extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, + unsigned int family, int reverse); + +static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, + unsigned int family) +{ + return __xfrm_decode_session(skb, fl, family, 0); +} + +static inline int xfrm_decode_session_reverse(struct sk_buff *skb, + struct flowi *fl, + unsigned int family) +{ + return __xfrm_decode_session(skb, fl, family, 1); +} + extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family); static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) @@ -841,6 +997,22 @@ static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *sk { return 1; } +static inline int xfrm_decode_session_reverse(struct sk_buff *skb, + struct flowi *fl, + unsigned int family) +{ + return -ENOSYS; +} +static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir, + struct sk_buff *skb) +{ + return 1; +} +static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, + struct sk_buff *skb) +{ + return 1; +} #endif static __inline__ @@ -981,12 +1153,27 @@ struct xfrm6_tunnel { extern void xfrm_init(void); extern void xfrm4_init(void); -extern void xfrm6_init(void); -extern void xfrm6_fini(void); extern void xfrm_state_init(void); extern void xfrm4_state_init(void); -extern void xfrm6_state_init(void); +#ifdef CONFIG_XFRM +extern int xfrm6_init(void); +extern void xfrm6_fini(void); +extern int xfrm6_state_init(void); extern void xfrm6_state_fini(void); +#else +static inline int xfrm6_init(void) +{ + return 0; +} +static inline void xfrm6_fini(void) +{ + ; +} +#endif + +#ifdef CONFIG_XFRM_STATISTICS +extern int xfrm_proc_init(void); +#endif extern int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*), void *); extern struct xfrm_state *xfrm_state_alloc(void); @@ -1045,14 +1232,23 @@ extern int xfrm_state_delete(struct xfrm_state *x); extern int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info); extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si); extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si); -extern int xfrm_replay_check(struct xfrm_state *x, __be32 seq); +extern int xfrm_replay_check(struct xfrm_state *x, + struct sk_buff *skb, __be32 seq); extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq); extern void xfrm_replay_notify(struct xfrm_state *x, int event); extern int xfrm_state_mtu(struct xfrm_state *x, int mtu); extern int xfrm_init_state(struct xfrm_state *x); +extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb); +extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, + int encap_type); +extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr); +extern int xfrm_output_resume(struct sk_buff *skb, int err); extern int xfrm_output(struct sk_buff *skb); +extern int xfrm4_extract_header(struct sk_buff *skb); +extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb); extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type); +extern int xfrm4_transport_finish(struct sk_buff *skb, int async); extern int xfrm4_rcv(struct sk_buff *skb); static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi) @@ -1060,10 +1256,15 @@ static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi) return xfrm4_rcv_encap(skb, nexthdr, spi, 0); } +extern int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb); +extern int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb); extern int xfrm4_output(struct sk_buff *skb); extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family); extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family); +extern int xfrm6_extract_header(struct sk_buff *skb); +extern int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb); extern int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi); +extern int xfrm6_transport_finish(struct sk_buff *skb, int async); extern int xfrm6_rcv(struct sk_buff *skb); extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto); @@ -1072,6 +1273,8 @@ extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short extern __be32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr); extern void xfrm6_tunnel_free_spi(xfrm_address_t *saddr); extern __be32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr); +extern int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb); +extern int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb); extern int xfrm6_output(struct sk_buff *skb); extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb, u8 **prevhdr); @@ -1079,7 +1282,6 @@ extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb, #ifdef CONFIG_XFRM extern int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb); extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen); -extern int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family); #else static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen) { @@ -1092,11 +1294,6 @@ static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb) kfree_skb(skb); return 0; } - -static inline int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family) -{ - return -EINVAL; -} #endif struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp); @@ -1113,11 +1310,9 @@ extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi); struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create, unsigned short family); -extern int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info); extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol); extern int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst, struct flowi *fl, int family, int strict); -extern void xfrm_init_pmtu(struct dst_entry *dst); #ifdef CONFIG_XFRM_MIGRATE extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type, @@ -1214,4 +1409,9 @@ static inline void xfrm_states_delete(struct xfrm_state **states, int n) } #endif +static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb) +{ + return skb->sp->xvec[skb->sp->len - 1]; +} + #endif /* _NET_XFRM_H */ |