include/net/xfrm.h

0001 /* SPDX-License-Identifier: GPL-2.0 */
0002 #ifndef _NET_XFRM_H
0003 #define _NET_XFRM_H
0004
0005 #include <linux/compiler.h>
0006 #include <linux/xfrm.h>
0007 #include <linux/spinlock.h>
0008 #include <linux/list.h>
0009 #include <linux/skbuff.h>
0010 #include <linux/socket.h>
0011 #include <linux/pfkeyv2.h>
0012 #include <linux/ipsec.h>
0013 #include <linux/in6.h>
0014 #include <linux/mutex.h>
0015 #include <linux/audit.h>
0016 #include <linux/slab.h>
0017 #include <linux/refcount.h>
0018 #include <linux/sockptr.h>
0019
0020 #include <net/sock.h>
0021 #include <net/dst.h>
0022 #include <net/ip.h>
0023 #include <net/route.h>
0024 #include <net/ipv6.h>
0025 #include <net/ip6_fib.h>
0026 #include <net/flow.h>
0027 #include <net/gro_cells.h>
0028
0029 #include <linux/interrupt.h>
0030
0031 #ifdef CONFIG_XFRM_STATISTICS
0032 #include <net/snmp.h>
0033 #endif
0034
0035 #define XFRM_PROTO_ESP      50
0036 #define XFRM_PROTO_AH       51
0037 #define XFRM_PROTO_COMP     108
0038 #define XFRM_PROTO_IPIP     4
0039 #define XFRM_PROTO_IPV6     41
0040 #define XFRM_PROTO_ROUTING  IPPROTO_ROUTING
0041 #define XFRM_PROTO_DSTOPTS  IPPROTO_DSTOPTS
0042
0043 #define XFRM_ALIGN4(len)    (((len) + 3) & ~3)
0044 #define XFRM_ALIGN8(len)    (((len) + 7) & ~7)
0045 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
0046     MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
0047 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
0048     MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
0049 #define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \
0050     MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto))
0051
0052 #ifdef CONFIG_XFRM_STATISTICS
0053 #define XFRM_INC_STATS(net, field)  SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
0054 #else
0055 #define XFRM_INC_STATS(net, field)  ((void)(net))
0056 #endif
0057
0058
0059 /* Organization of SPD aka "XFRM rules"
0060    ------------------------------------
0061
0062    Basic objects:
0063    - policy rule, struct xfrm_policy (=SPD entry)
0064    - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
0065    - instance of a transformer, struct xfrm_state (=SA)
0066    - template to clone xfrm_state, struct xfrm_tmpl
0067
0068    SPD is plain linear list of xfrm_policy rules, ordered by priority.
0069    (To be compatible with existing pfkeyv2 implementations,
0070    many rules with priority of 0x7fffffff are allowed to exist and
0071    such rules are ordered in an unpredictable way, thanks to bsd folks.)
0072
0073    Lookup is plain linear search until the first match with selector.
0074
0075    If "action" is "block", then we prohibit the flow, otherwise:
0076    if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
0077    policy entry has list of up to XFRM_MAX_DEPTH transformations,
0078    described by templates xfrm_tmpl. Each template is resolved
0079    to a complete xfrm_state (see below) and we pack bundle of transformations
0080    to a dst_entry returned to requestor.
0081
0082    dst -. xfrm  .-> xfrm_state #1
0083     |---. child .-> dst -. xfrm .-> xfrm_state #2
0084                      |---. child .-> dst -. xfrm .-> xfrm_state #3
0085                                       |---. child .-> NULL
0086
0087    Bundles are cached at xrfm_policy struct (field ->bundles).
0088
0089
0090    Resolution of xrfm_tmpl
0091    -----------------------
0092    Template contains:
0093    1. ->mode        Mode: transport or tunnel
0094    2. ->id.proto    Protocol: AH/ESP/IPCOMP
0095    3. ->id.daddr    Remote tunnel endpoint, ignored for transport mode.
0096       Q: allow to resolve security gateway?
0097    4. ->id.spi          If not zero, static SPI.
0098    5. ->saddr       Local tunnel endpoint, ignored for transport mode.
0099    6. ->algos       List of allowed algos. Plain bitmask now.
0100       Q: ealgos, aalgos, calgos. What a mess...
0101    7. ->share       Sharing mode.
0102       Q: how to implement private sharing mode? To add struct sock* to
0103       flow id?
0104
0105    Having this template we search through SAD searching for entries
0106    with appropriate mode/proto/algo, permitted by selector.
0107    If no appropriate entry found, it is requested from key manager.
0108
0109    PROBLEMS:
0110    Q: How to find all the bundles referring to a physical path for
0111       PMTU discovery? Seems, dst should contain list of all parents...
0112       and enter to infinite locking hierarchy disaster.
0113       No! It is easier, we will not search for them, let them find us.
0114       We add genid to each dst plus pointer to genid of raw IP route,
0115       pmtu disc will update pmtu on raw IP route and increase its genid.
0116       dst_check() will see this for top level and trigger resyncing
0117       metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
0118  */
0119
0120 struct xfrm_state_walk {
0121     struct list_head    all;
0122     u8          state;
0123     u8          dying;
0124     u8          proto;
0125     u32         seq;
0126     struct xfrm_address_filter *filter;
0127 };
0128
0129 enum {
0130     XFRM_DEV_OFFLOAD_IN = 1,
0131     XFRM_DEV_OFFLOAD_OUT,
0132 };
0133
0134 struct xfrm_dev_offload {
0135     struct net_device   *dev;
0136     netdevice_tracker   dev_tracker;
0137     struct net_device   *real_dev;
0138     unsigned long       offload_handle;
0139     u8          dir : 2;
0140 };
0141
0142 struct xfrm_mode {
0143     u8 encap;
0144     u8 family;
0145     u8 flags;
0146 };
0147
0148 /* Flags for xfrm_mode. */
0149 enum {
0150     XFRM_MODE_FLAG_TUNNEL = 1,
0151 };
0152
0153 enum xfrm_replay_mode {
0154     XFRM_REPLAY_MODE_LEGACY,
0155     XFRM_REPLAY_MODE_BMP,
0156     XFRM_REPLAY_MODE_ESN,
0157 };
0158
0159 /* Full description of state of transformer. */
0160 struct xfrm_state {
0161     possible_net_t      xs_net;
0162     union {
0163         struct hlist_node   gclist;
0164         struct hlist_node   bydst;
0165     };
0166     struct hlist_node   bysrc;
0167     struct hlist_node   byspi;
0168     struct hlist_node   byseq;
0169
0170     refcount_t      refcnt;
0171     spinlock_t      lock;
0172
0173     struct xfrm_id      id;
0174     struct xfrm_selector    sel;
0175     struct xfrm_mark    mark;
0176     u32         if_id;
0177     u32         tfcpad;
0178
0179     u32         genid;
0180
0181     /* Key manager bits */
0182     struct xfrm_state_walk  km;
0183
0184     /* Parameters of this state. */
0185     struct {
0186         u32     reqid;
0187         u8      mode;
0188         u8      replay_window;
0189         u8      aalgo, ealgo, calgo;
0190         u8      flags;
0191         u16     family;
0192         xfrm_address_t  saddr;
0193         int     header_len;
0194         int     trailer_len;
0195         u32     extra_flags;
0196         struct xfrm_mark    smark;
0197     } props;
0198
0199     struct xfrm_lifetime_cfg lft;
0200
0201     /* Data for transformer */
0202     struct xfrm_algo_auth   *aalg;
0203     struct xfrm_algo    *ealg;
0204     struct xfrm_algo    *calg;
0205     struct xfrm_algo_aead   *aead;
0206     const char      *geniv;
0207
0208     /* mapping change rate limiting */
0209     __be16 new_mapping_sport;
0210     u32 new_mapping;    /* seconds */
0211     u32 mapping_maxage; /* seconds for input SA */
0212
0213     /* Data for encapsulator */
0214     struct xfrm_encap_tmpl  *encap;
0215     struct sock __rcu   *encap_sk;
0216
0217     /* Data for care-of address */
0218     xfrm_address_t  *coaddr;
0219
0220     /* IPComp needs an IPIP tunnel for handling uncompressed packets */
0221     struct xfrm_state   *tunnel;
0222
0223     /* If a tunnel, number of users + 1 */
0224     atomic_t        tunnel_users;
0225
0226     /* State for replay detection */
0227     struct xfrm_replay_state replay;
0228     struct xfrm_replay_state_esn *replay_esn;
0229
0230     /* Replay detection state at the time we sent the last notification */
0231     struct xfrm_replay_state preplay;
0232     struct xfrm_replay_state_esn *preplay_esn;
0233
0234     /* replay detection mode */
0235     enum xfrm_replay_mode    repl_mode;
0236     /* internal flag that only holds state for delayed aevent at the
0237      * moment
0238     */
0239     u32         xflags;
0240
0241     /* Replay detection notification settings */
0242     u32         replay_maxage;
0243     u32         replay_maxdiff;
0244
0245     /* Replay detection notification timer */
0246     struct timer_list   rtimer;
0247
0248     /* Statistics */
0249     struct xfrm_stats   stats;
0250
0251     struct xfrm_lifetime_cur curlft;
0252     struct hrtimer      mtimer;
0253
0254     struct xfrm_dev_offload xso;
0255
0256     /* used to fix curlft->add_time when changing date */
0257     long        saved_tmo;
0258
0259     /* Last used time */
0260     time64_t        lastused;
0261
0262     struct page_frag xfrag;
0263
0264     /* Reference to data common to all the instances of this
0265      * transformer. */
0266     const struct xfrm_type  *type;
0267     struct xfrm_mode    inner_mode;
0268     struct xfrm_mode    inner_mode_iaf;
0269     struct xfrm_mode    outer_mode;
0270
0271     const struct xfrm_type_offload  *type_offload;
0272
0273     /* Security context */
0274     struct xfrm_sec_ctx *security;
0275
0276     /* Private data of this transformer, format is opaque,
0277      * interpreted by xfrm_type methods. */
0278     void            *data;
0279 };
0280
0281 static inline struct net *xs_net(struct xfrm_state *x)
0282 {
0283     return read_pnet(&x->xs_net);
0284 }
0285
0286 /* xflags - make enum if more show up */
0287 #define XFRM_TIME_DEFER 1
0288 #define XFRM_SOFT_EXPIRE 2
0289
0290 enum {
0291     XFRM_STATE_VOID,
0292     XFRM_STATE_ACQ,
0293     XFRM_STATE_VALID,
0294     XFRM_STATE_ERROR,
0295     XFRM_STATE_EXPIRED,
0296     XFRM_STATE_DEAD
0297 };
0298
0299 /* callback structure passed from either netlink or pfkey */
0300 struct km_event {
0301     union {
0302         u32 hard;
0303         u32 proto;
0304         u32 byid;
0305         u32 aevent;
0306         u32 type;
0307     } data;
0308
0309     u32 seq;
0310     u32 portid;
0311     u32 event;
0312     struct net *net;
0313 };
0314
0315 struct xfrm_if_cb {
0316     struct xfrm_if  *(*decode_session)(struct sk_buff *skb,
0317                        unsigned short family);
0318 };
0319
0320 void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb);
0321 void xfrm_if_unregister_cb(void);
0322
0323 struct net_device;
0324 struct xfrm_type;
0325 struct xfrm_dst;
0326 struct xfrm_policy_afinfo {
0327     struct dst_ops      *dst_ops;
0328     struct dst_entry    *(*dst_lookup)(struct net *net,
0329                            int tos, int oif,
0330                            const xfrm_address_t *saddr,
0331                            const xfrm_address_t *daddr,
0332                            u32 mark);
0333     int         (*get_saddr)(struct net *net, int oif,
0334                          xfrm_address_t *saddr,
0335                          xfrm_address_t *daddr,
0336                          u32 mark);
0337     int         (*fill_dst)(struct xfrm_dst *xdst,
0338                         struct net_device *dev,
0339                         const struct flowi *fl);
0340     struct dst_entry    *(*blackhole_route)(struct net *net, struct dst_entry *orig);
0341 };
0342
0343 int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family);
0344 void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo);
0345 void km_policy_notify(struct xfrm_policy *xp, int dir,
0346               const struct km_event *c);
0347 void km_state_notify(struct xfrm_state *x, const struct km_event *c);
0348
0349 struct xfrm_tmpl;
0350 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t,
0351          struct xfrm_policy *pol);
0352 void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
0353 int __xfrm_state_delete(struct xfrm_state *x);
0354
0355 struct xfrm_state_afinfo {
0356     u8              family;
0357     u8              proto;
0358
0359     const struct xfrm_type_offload *type_offload_esp;
0360
0361     const struct xfrm_type      *type_esp;
0362     const struct xfrm_type      *type_ipip;
0363     const struct xfrm_type      *type_ipip6;
0364     const struct xfrm_type      *type_comp;
0365     const struct xfrm_type      *type_ah;
0366     const struct xfrm_type      *type_routing;
0367     const struct xfrm_type      *type_dstopts;
0368
0369     int         (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
0370     int         (*transport_finish)(struct sk_buff *skb,
0371                             int async);
0372     void            (*local_error)(struct sk_buff *skb, u32 mtu);
0373 };
0374
0375 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
0376 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
0377 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
0378 struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family);
0379
0380 struct xfrm_input_afinfo {
0381     u8          family;
0382     bool            is_ipip;
0383     int         (*callback)(struct sk_buff *skb, u8 protocol,
0384                         int err);
0385 };
0386
0387 int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
0388 int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
0389
0390 void xfrm_flush_gc(void);
0391 void xfrm_state_delete_tunnel(struct xfrm_state *x);
0392
0393 struct xfrm_type {
0394     struct module       *owner;
0395     u8          proto;
0396     u8          flags;
0397 #define XFRM_TYPE_NON_FRAGMENT  1
0398 #define XFRM_TYPE_REPLAY_PROT   2
0399 #define XFRM_TYPE_LOCAL_COADDR  4
0400 #define XFRM_TYPE_REMOTE_COADDR 8
0401
0402     int         (*init_state)(struct xfrm_state *x);
0403     void            (*destructor)(struct xfrm_state *);
0404     int         (*input)(struct xfrm_state *, struct sk_buff *skb);
0405     int         (*output)(struct xfrm_state *, struct sk_buff *pskb);
0406     int         (*reject)(struct xfrm_state *, struct sk_buff *,
0407                       const struct flowi *);
0408 };
0409
0410 int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
0411 void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
0412
0413 struct xfrm_type_offload {
0414     struct module   *owner;
0415     u8      proto;
0416     void        (*encap)(struct xfrm_state *, struct sk_buff *pskb);
0417     int     (*input_tail)(struct xfrm_state *x, struct sk_buff *skb);
0418     int     (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features);
0419 };
0420
0421 int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);
0422 void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);
0423
0424 static inline int xfrm_af2proto(unsigned int family)
0425 {
0426     switch(family) {
0427     case AF_INET:
0428         return IPPROTO_IPIP;
0429     case AF_INET6:
0430         return IPPROTO_IPV6;
0431     default:
0432         return 0;
0433     }
0434 }
0435
0436 static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
0437 {
0438     if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
0439         (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
0440         return &x->inner_mode;
0441     else
0442         return &x->inner_mode_iaf;
0443 }
0444
0445 struct xfrm_tmpl {
0446 /* id in template is interpreted as:
0447  * daddr - destination of tunnel, may be zero for transport mode.
0448  * spi   - zero to acquire spi. Not zero if spi is static, then
0449  *     daddr must be fixed too.
0450  * proto - AH/ESP/IPCOMP
0451  */
0452     struct xfrm_id      id;
0453
0454 /* Source address of tunnel. Ignored, if it is not a tunnel. */
0455     xfrm_address_t      saddr;
0456
0457     unsigned short      encap_family;
0458
0459     u32         reqid;
0460
0461 /* Mode: transport, tunnel etc. */
0462     u8          mode;
0463
0464 /* Sharing mode: unique, this session only, this user only etc. */
0465     u8          share;
0466
0467 /* May skip this transfomration if no SA is found */
0468     u8          optional;
0469
0470 /* Skip aalgos/ealgos/calgos checks. */
0471     u8          allalgs;
0472
0473 /* Bit mask of algos allowed for acquisition */
0474     u32         aalgos;
0475     u32         ealgos;
0476     u32         calgos;
0477 };
0478
0479 #define XFRM_MAX_DEPTH      6
0480 #define XFRM_MAX_OFFLOAD_DEPTH  1
0481
0482 struct xfrm_policy_walk_entry {
0483     struct list_head    all;
0484     u8          dead;
0485 };
0486
0487 struct xfrm_policy_walk {
0488     struct xfrm_policy_walk_entry walk;
0489     u8 type;
0490     u32 seq;
0491 };
0492
0493 struct xfrm_policy_queue {
0494     struct sk_buff_head hold_queue;
0495     struct timer_list   hold_timer;
0496     unsigned long       timeout;
0497 };
0498
0499 struct xfrm_policy {
0500     possible_net_t      xp_net;
0501     struct hlist_node   bydst;
0502     struct hlist_node   byidx;
0503
0504     /* This lock only affects elements except for entry. */
0505     rwlock_t        lock;
0506     refcount_t      refcnt;
0507     u32         pos;
0508     struct timer_list   timer;
0509
0510     atomic_t        genid;
0511     u32         priority;
0512     u32         index;
0513     u32         if_id;
0514     struct xfrm_mark    mark;
0515     struct xfrm_selector    selector;
0516     struct xfrm_lifetime_cfg lft;
0517     struct xfrm_lifetime_cur curlft;
0518     struct xfrm_policy_walk_entry walk;
0519     struct xfrm_policy_queue polq;
0520     bool                    bydst_reinsert;
0521     u8          type;
0522     u8          action;
0523     u8          flags;
0524     u8          xfrm_nr;
0525     u16         family;
0526     struct xfrm_sec_ctx *security;
0527     struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
0528     struct hlist_node   bydst_inexact_list;
0529     struct rcu_head     rcu;
0530 };
0531
0532 static inline struct net *xp_net(const struct xfrm_policy *xp)
0533 {
0534     return read_pnet(&xp->xp_net);
0535 }
0536
0537 struct xfrm_kmaddress {
0538     xfrm_address_t          local;
0539     xfrm_address_t          remote;
0540     u32         reserved;
0541     u16         family;
0542 };
0543
0544 struct xfrm_migrate {
0545     xfrm_address_t      old_daddr;
0546     xfrm_address_t      old_saddr;
0547     xfrm_address_t      new_daddr;
0548     xfrm_address_t      new_saddr;
0549     u8          proto;
0550     u8          mode;
0551     u16         reserved;
0552     u32         reqid;
0553     u16         old_family;
0554     u16         new_family;
0555 };
0556
0557 #define XFRM_KM_TIMEOUT                30
0558 /* what happened */
0559 #define XFRM_REPLAY_UPDATE  XFRM_AE_CR
0560 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
0561
0562 /* default aevent timeout in units of 100ms */
0563 #define XFRM_AE_ETIME           10
0564 /* Async Event timer multiplier */
0565 #define XFRM_AE_ETH_M           10
0566 /* default seq threshold size */
0567 #define XFRM_AE_SEQT_SIZE       2
0568
0569 struct xfrm_mgr {
0570     struct list_head    list;
0571     int         (*notify)(struct xfrm_state *x, const struct km_event *c);
0572     int         (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
0573     struct xfrm_policy  *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
0574     int         (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
0575     int         (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
0576     int         (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
0577     int         (*migrate)(const struct xfrm_selector *sel,
0578                        u8 dir, u8 type,
0579                        const struct xfrm_migrate *m,
0580                        int num_bundles,
0581                        const struct xfrm_kmaddress *k,
0582                        const struct xfrm_encap_tmpl *encap);
0583     bool            (*is_alive)(const struct km_event *c);
0584 };
0585
0586 void xfrm_register_km(struct xfrm_mgr *km);
0587 void xfrm_unregister_km(struct xfrm_mgr *km);
0588
0589 struct xfrm_tunnel_skb_cb {
0590     union {
0591         struct inet_skb_parm h4;
0592         struct inet6_skb_parm h6;
0593     } header;
0594
0595     union {
0596         struct ip_tunnel *ip4;
0597         struct ip6_tnl *ip6;
0598     } tunnel;
0599 };
0600
0601 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
0602
0603 /*
0604  * This structure is used for the duration where packets are being
0605  * transformed by IPsec.  As soon as the packet leaves IPsec the
0606  * area beyond the generic IP part may be overwritten.
0607  */
0608 struct xfrm_skb_cb {
0609     struct xfrm_tunnel_skb_cb header;
0610
0611         /* Sequence number for replay protection. */
0612     union {
0613         struct {
0614             __u32 low;
0615             __u32 hi;
0616         } output;
0617         struct {
0618             __be32 low;
0619             __be32 hi;
0620         } input;
0621     } seq;
0622 };
0623
0624 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
0625
0626 /*
0627  * This structure is used by the afinfo prepare_input/prepare_output functions
0628  * to transmit header information to the mode input/output functions.
0629  */
0630 struct xfrm_mode_skb_cb {
0631     struct xfrm_tunnel_skb_cb header;
0632
0633     /* Copied from header for IPv4, always set to zero and DF for IPv6. */
0634     __be16 id;
0635     __be16 frag_off;
0636
0637     /* IP header length (excluding options or extension headers). */
0638     u8 ihl;
0639
0640     /* TOS for IPv4, class for IPv6. */
0641     u8 tos;
0642
0643     /* TTL for IPv4, hop limitfor IPv6. */
0644     u8 ttl;
0645
0646     /* Protocol for IPv4, NH for IPv6. */
0647     u8 protocol;
0648
0649     /* Option length for IPv4, zero for IPv6. */
0650     u8 optlen;
0651
0652     /* Used by IPv6 only, zero for IPv4. */
0653     u8 flow_lbl[3];
0654 };
0655
0656 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
0657
0658 /*
0659  * This structure is used by the input processing to locate the SPI and
0660  * related information.
0661  */
0662 struct xfrm_spi_skb_cb {
0663     struct xfrm_tunnel_skb_cb header;
0664
0665     unsigned int daddroff;
0666     unsigned int family;
0667     __be32 seq;
0668 };
0669
0670 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
0671
0672 #ifdef CONFIG_AUDITSYSCALL
0673 static inline struct audit_buffer *xfrm_audit_start(const char *op)
0674 {
0675     struct audit_buffer *audit_buf = NULL;
0676
0677     if (audit_enabled == AUDIT_OFF)
0678         return NULL;
0679     audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
0680                     AUDIT_MAC_IPSEC_EVENT);
0681     if (audit_buf == NULL)
0682         return NULL;
0683     audit_log_format(audit_buf, "op=%s", op);
0684     return audit_buf;
0685 }
0686
0687 static inline void xfrm_audit_helper_usrinfo(bool task_valid,
0688                          struct audit_buffer *audit_buf)
0689 {
0690     const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
0691                         audit_get_loginuid(current) :
0692                         INVALID_UID);
0693     const unsigned int ses = task_valid ? audit_get_sessionid(current) :
0694         AUDIT_SID_UNSET;
0695
0696     audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
0697     audit_log_task_context(audit_buf);
0698 }
0699
0700 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
0701 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
0702                   bool task_valid);
0703 void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
0704 void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
0705 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
0706                       struct sk_buff *skb);
0707 void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
0708                  __be32 net_seq);
0709 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
0710 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi,
0711                    __be32 net_seq);
0712 void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
0713                   u8 proto);
0714 #else
0715
0716 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
0717                      bool task_valid)
0718 {
0719 }
0720
0721 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
0722                         bool task_valid)
0723 {
0724 }
0725
0726 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
0727                     bool task_valid)
0728 {
0729 }
0730
0731 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
0732                        bool task_valid)
0733 {
0734 }
0735
0736 static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
0737                          struct sk_buff *skb)
0738 {
0739 }
0740
0741 static inline void xfrm_audit_state_replay(struct xfrm_state *x,
0742                        struct sk_buff *skb, __be32 net_seq)
0743 {
0744 }
0745
0746 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
0747                       u16 family)
0748 {
0749 }
0750
0751 static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
0752                       __be32 net_spi, __be32 net_seq)
0753 {
0754 }
0755
0756 static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
0757                      struct sk_buff *skb, u8 proto)
0758 {
0759 }
0760 #endif /* CONFIG_AUDITSYSCALL */
0761
0762 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
0763 {
0764     if (likely(policy != NULL))
0765         refcount_inc(&policy->refcnt);
0766 }
0767
0768 void xfrm_policy_destroy(struct xfrm_policy *policy);
0769
0770 static inline void xfrm_pol_put(struct xfrm_policy *policy)
0771 {
0772     if (refcount_dec_and_test(&policy->refcnt))
0773         xfrm_policy_destroy(policy);
0774 }
0775
0776 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
0777 {
0778     int i;
0779     for (i = npols - 1; i >= 0; --i)
0780         xfrm_pol_put(pols[i]);
0781 }
0782
0783 void __xfrm_state_destroy(struct xfrm_state *, bool);
0784
0785 static inline void __xfrm_state_put(struct xfrm_state *x)
0786 {
0787     refcount_dec(&x->refcnt);
0788 }
0789
0790 static inline void xfrm_state_put(struct xfrm_state *x)
0791 {
0792     if (refcount_dec_and_test(&x->refcnt))
0793         __xfrm_state_destroy(x, false);
0794 }
0795
0796 static inline void xfrm_state_put_sync(struct xfrm_state *x)
0797 {
0798     if (refcount_dec_and_test(&x->refcnt))
0799         __xfrm_state_destroy(x, true);
0800 }
0801
0802 static inline void xfrm_state_hold(struct xfrm_state *x)
0803 {
0804     refcount_inc(&x->refcnt);
0805 }
0806
0807 static inline bool addr_match(const void *token1, const void *token2,
0808                   unsigned int prefixlen)
0809 {
0810     const __be32 *a1 = token1;
0811     const __be32 *a2 = token2;
0812     unsigned int pdw;
0813     unsigned int pbi;
0814
0815     pdw = prefixlen >> 5;     /* num of whole u32 in prefix */
0816     pbi = prefixlen &  0x1f;  /* num of bits in incomplete u32 in prefix */
0817
0818     if (pdw)
0819         if (memcmp(a1, a2, pdw << 2))
0820             return false;
0821
0822     if (pbi) {
0823         __be32 mask;
0824
0825         mask = htonl((0xffffffff) << (32 - pbi));
0826
0827         if ((a1[pdw] ^ a2[pdw]) & mask)
0828             return false;
0829     }
0830
0831     return true;
0832 }
0833
0834 static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
0835 {
0836     /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
0837     if (sizeof(long) == 4 && prefixlen == 0)
0838         return true;
0839     return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen)));
0840 }
0841
0842 static __inline__
0843 __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
0844 {
0845     __be16 port;
0846     switch(fl->flowi_proto) {
0847     case IPPROTO_TCP:
0848     case IPPROTO_UDP:
0849     case IPPROTO_UDPLITE:
0850     case IPPROTO_SCTP:
0851         port = uli->ports.sport;
0852         break;
0853     case IPPROTO_ICMP:
0854     case IPPROTO_ICMPV6:
0855         port = htons(uli->icmpt.type);
0856         break;
0857     case IPPROTO_MH:
0858         port = htons(uli->mht.type);
0859         break;
0860     case IPPROTO_GRE:
0861         port = htons(ntohl(uli->gre_key) >> 16);
0862         break;
0863     default:
0864         port = 0;   /*XXX*/
0865     }
0866     return port;
0867 }
0868
0869 static __inline__
0870 __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
0871 {
0872     __be16 port;
0873     switch(fl->flowi_proto) {
0874     case IPPROTO_TCP:
0875     case IPPROTO_UDP:
0876     case IPPROTO_UDPLITE:
0877     case IPPROTO_SCTP:
0878         port = uli->ports.dport;
0879         break;
0880     case IPPROTO_ICMP:
0881     case IPPROTO_ICMPV6:
0882         port = htons(uli->icmpt.code);
0883         break;
0884     case IPPROTO_GRE:
0885         port = htons(ntohl(uli->gre_key) & 0xffff);
0886         break;
0887     default:
0888         port = 0;   /*XXX*/
0889     }
0890     return port;
0891 }
0892
0893 bool xfrm_selector_match(const struct xfrm_selector *sel,
0894              const struct flowi *fl, unsigned short family);
0895
0896 #ifdef CONFIG_SECURITY_NETWORK_XFRM
0897 /*  If neither has a context --> match
0898  *  Otherwise, both must have a context and the sids, doi, alg must match
0899  */
0900 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
0901 {
0902     return ((!s1 && !s2) ||
0903         (s1 && s2 &&
0904          (s1->ctx_sid == s2->ctx_sid) &&
0905          (s1->ctx_doi == s2->ctx_doi) &&
0906          (s1->ctx_alg == s2->ctx_alg)));
0907 }
0908 #else
0909 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
0910 {
0911     return true;
0912 }
0913 #endif
0914
0915 /* A struct encoding bundle of transformations to apply to some set of flow.
0916  *
0917  * xdst->child points to the next element of bundle.
0918  * dst->xfrm  points to an instanse of transformer.
0919  *
0920  * Due to unfortunate limitations of current routing cache, which we
0921  * have no time to fix, it mirrors struct rtable and bound to the same
0922  * routing key, including saddr,daddr. However, we can have many of
0923  * bundles differing by session id. All the bundles grow from a parent
0924  * policy rule.
0925  */
0926 struct xfrm_dst {
0927     union {
0928         struct dst_entry    dst;
0929         struct rtable       rt;
0930         struct rt6_info     rt6;
0931     } u;
0932     struct dst_entry *route;
0933     struct dst_entry *child;
0934     struct dst_entry *path;
0935     struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
0936     int num_pols, num_xfrms;
0937     u32 xfrm_genid;
0938     u32 policy_genid;
0939     u32 route_mtu_cached;
0940     u32 child_mtu_cached;
0941     u32 route_cookie;
0942     u32 path_cookie;
0943 };
0944
0945 static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst)
0946 {
0947 #ifdef CONFIG_XFRM
0948     if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
0949         const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst;
0950
0951         return xdst->path;
0952     }
0953 #endif
0954     return (struct dst_entry *) dst;
0955 }
0956
0957 static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst)
0958 {
0959 #ifdef CONFIG_XFRM
0960     if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
0961         struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
0962         return xdst->child;
0963     }
0964 #endif
0965     return NULL;
0966 }
0967
0968 #ifdef CONFIG_XFRM
0969 static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child)
0970 {
0971     xdst->child = child;
0972 }
0973
0974 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
0975 {
0976     xfrm_pols_put(xdst->pols, xdst->num_pols);
0977     dst_release(xdst->route);
0978     if (likely(xdst->u.dst.xfrm))
0979         xfrm_state_put(xdst->u.dst.xfrm);
0980 }
0981 #endif
0982
0983 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
0984
0985 struct xfrm_if_parms {
0986     int link;       /* ifindex of underlying L2 interface */
0987     u32 if_id;      /* interface identifyer */
0988 };
0989
0990 struct xfrm_if {
0991     struct xfrm_if __rcu *next; /* next interface in list */
0992     struct net_device *dev;     /* virtual device associated with interface */
0993     struct net *net;        /* netns for packet i/o */
0994     struct xfrm_if_parms p;     /* interface parms */
0995
0996     struct gro_cells gro_cells;
0997 };
0998
0999 struct xfrm_offload {
1000     /* Output sequence number for replay protection on offloading. */
1001     struct {
1002         __u32 low;
1003         __u32 hi;
1004     } seq;
1005
1006     __u32           flags;
1007 #define SA_DELETE_REQ       1
1008 #define CRYPTO_DONE     2
1009 #define CRYPTO_NEXT_DONE    4
1010 #define CRYPTO_FALLBACK     8
1011 #define XFRM_GSO_SEGMENT    16
1012 #define XFRM_GRO        32
1013 /* 64 is free */
1014 #define XFRM_DEV_RESUME     128
1015 #define XFRM_XMIT       256
1016
1017     __u32           status;
1018 #define CRYPTO_SUCCESS              1
1019 #define CRYPTO_GENERIC_ERROR            2
1020 #define CRYPTO_TRANSPORT_AH_AUTH_FAILED     4
1021 #define CRYPTO_TRANSPORT_ESP_AUTH_FAILED    8
1022 #define CRYPTO_TUNNEL_AH_AUTH_FAILED        16
1023 #define CRYPTO_TUNNEL_ESP_AUTH_FAILED       32
1024 #define CRYPTO_INVALID_PACKET_SYNTAX        64
1025 #define CRYPTO_INVALID_PROTOCOL         128
1026
1027     __u8            proto;
1028     __u8            inner_ipproto;
1029 };
1030
1031 struct sec_path {
1032     int         len;
1033     int         olen;
1034
1035     struct xfrm_state   *xvec[XFRM_MAX_DEPTH];
1036     struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH];
1037 };
1038
1039 struct sec_path *secpath_set(struct sk_buff *skb);
1040
1041 static inline void
1042 secpath_reset(struct sk_buff *skb)
1043 {
1044 #ifdef CONFIG_XFRM
1045     skb_ext_del(skb, SKB_EXT_SEC_PATH);
1046 #endif
1047 }
1048
1049 static inline int
1050 xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1051 {
1052     switch (family) {
1053     case AF_INET:
1054         return addr->a4 == 0;
1055     case AF_INET6:
1056         return ipv6_addr_any(&addr->in6);
1057     }
1058     return 0;
1059 }
1060
1061 static inline int
1062 __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1063 {
1064     return  (tmpl->saddr.a4 &&
1065          tmpl->saddr.a4 != x->props.saddr.a4);
1066 }
1067
1068 static inline int
1069 __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1070 {
1071     return  (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1072          !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1073 }
1074
1075 static inline int
1076 xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1077 {
1078     switch (family) {
1079     case AF_INET:
1080         return __xfrm4_state_addr_cmp(tmpl, x);
1081     case AF_INET6:
1082         return __xfrm6_state_addr_cmp(tmpl, x);
1083     }
1084     return !0;
1085 }
1086
1087 #ifdef CONFIG_XFRM
1088 int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
1089             unsigned short family);
1090
1091 static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb,
1092                      int dir)
1093 {
1094     if (!net->xfrm.policy_count[dir] && !secpath_exists(skb))
1095         return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT;
1096
1097     return false;
1098 }
1099
1100 static inline bool __xfrm_check_dev_nopolicy(struct sk_buff *skb,
1101                          int dir, unsigned short family)
1102 {
1103     if (dir != XFRM_POLICY_OUT && family == AF_INET) {
1104         /* same dst may be used for traffic originating from
1105          * devices with different policy settings.
1106          */
1107         return IPCB(skb)->flags & IPSKB_NOPOLICY;
1108     }
1109     return skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY);
1110 }
1111
1112 static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1113                        struct sk_buff *skb,
1114                        unsigned int family, int reverse)
1115 {
1116     struct net *net = dev_net(skb->dev);
1117     int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1118
1119     if (sk && sk->sk_policy[XFRM_POLICY_IN])
1120         return __xfrm_policy_check(sk, ndir, skb, family);
1121
1122     return __xfrm_check_nopolicy(net, skb, dir) ||
1123            __xfrm_check_dev_nopolicy(skb, dir, family) ||
1124            __xfrm_policy_check(sk, ndir, skb, family);
1125 }
1126
1127 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1128 {
1129     return __xfrm_policy_check2(sk, dir, skb, family, 0);
1130 }
1131
1132 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1133 {
1134     return xfrm_policy_check(sk, dir, skb, AF_INET);
1135 }
1136
1137 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1138 {
1139     return xfrm_policy_check(sk, dir, skb, AF_INET6);
1140 }
1141
1142 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1143                          struct sk_buff *skb)
1144 {
1145     return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1146 }
1147
1148 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1149                          struct sk_buff *skb)
1150 {
1151     return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1152 }
1153
1154 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1155               unsigned int family, int reverse);
1156
1157 static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1158                       unsigned int family)
1159 {
1160     return __xfrm_decode_session(skb, fl, family, 0);
1161 }
1162
1163 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1164                           struct flowi *fl,
1165                           unsigned int family)
1166 {
1167     return __xfrm_decode_session(skb, fl, family, 1);
1168 }
1169
1170 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1171
1172 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1173 {
1174     struct net *net = dev_net(skb->dev);
1175
1176     if (!net->xfrm.policy_count[XFRM_POLICY_OUT] &&
1177         net->xfrm.policy_default[XFRM_POLICY_OUT] == XFRM_USERPOLICY_ACCEPT)
1178         return true;
1179
1180     return (skb_dst(skb)->flags & DST_NOXFRM) ||
1181            __xfrm_route_forward(skb, family);
1182 }
1183
1184 static inline int xfrm4_route_forward(struct sk_buff *skb)
1185 {
1186     return xfrm_route_forward(skb, AF_INET);
1187 }
1188
1189 static inline int xfrm6_route_forward(struct sk_buff *skb)
1190 {
1191     return xfrm_route_forward(skb, AF_INET6);
1192 }
1193
1194 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk);
1195
1196 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
1197 {
1198     if (!sk_fullsock(osk))
1199         return 0;
1200     sk->sk_policy[0] = NULL;
1201     sk->sk_policy[1] = NULL;
1202     if (unlikely(osk->sk_policy[0] || osk->sk_policy[1]))
1203         return __xfrm_sk_clone_policy(sk, osk);
1204     return 0;
1205 }
1206
1207 int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1208
1209 static inline void xfrm_sk_free_policy(struct sock *sk)
1210 {
1211     struct xfrm_policy *pol;
1212
1213     pol = rcu_dereference_protected(sk->sk_policy[0], 1);
1214     if (unlikely(pol != NULL)) {
1215         xfrm_policy_delete(pol, XFRM_POLICY_MAX);
1216         sk->sk_policy[0] = NULL;
1217     }
1218     pol = rcu_dereference_protected(sk->sk_policy[1], 1);
1219     if (unlikely(pol != NULL)) {
1220         xfrm_policy_delete(pol, XFRM_POLICY_MAX+1);
1221         sk->sk_policy[1] = NULL;
1222     }
1223 }
1224
1225 #else
1226
1227 static inline void xfrm_sk_free_policy(struct sock *sk) {}
1228 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; }
1229 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
1230 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
1231 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1232 {
1233     return 1;
1234 }
1235 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1236 {
1237     return 1;
1238 }
1239 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1240 {
1241     return 1;
1242 }
1243 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1244                           struct flowi *fl,
1245                           unsigned int family)
1246 {
1247     return -ENOSYS;
1248 }
1249 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1250                          struct sk_buff *skb)
1251 {
1252     return 1;
1253 }
1254 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1255                          struct sk_buff *skb)
1256 {
1257     return 1;
1258 }
1259 #endif
1260
1261 static __inline__
1262 xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1263 {
1264     switch (family){
1265     case AF_INET:
1266         return (xfrm_address_t *)&fl->u.ip4.daddr;
1267     case AF_INET6:
1268         return (xfrm_address_t *)&fl->u.ip6.daddr;
1269     }
1270     return NULL;
1271 }
1272
1273 static __inline__
1274 xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1275 {
1276     switch (family){
1277     case AF_INET:
1278         return (xfrm_address_t *)&fl->u.ip4.saddr;
1279     case AF_INET6:
1280         return (xfrm_address_t *)&fl->u.ip6.saddr;
1281     }
1282     return NULL;
1283 }
1284
1285 static __inline__
1286 void xfrm_flowi_addr_get(const struct flowi *fl,
1287              xfrm_address_t *saddr, xfrm_address_t *daddr,
1288              unsigned short family)
1289 {
1290     switch(family) {
1291     case AF_INET:
1292         memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1293         memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1294         break;
1295     case AF_INET6:
1296         saddr->in6 = fl->u.ip6.saddr;
1297         daddr->in6 = fl->u.ip6.daddr;
1298         break;
1299     }
1300 }
1301
1302 static __inline__ int
1303 __xfrm4_state_addr_check(const struct xfrm_state *x,
1304              const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1305 {
1306     if (daddr->a4 == x->id.daddr.a4 &&
1307         (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1308         return 1;
1309     return 0;
1310 }
1311
1312 static __inline__ int
1313 __xfrm6_state_addr_check(const struct xfrm_state *x,
1314              const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1315 {
1316     if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1317         (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
1318          ipv6_addr_any((struct in6_addr *)saddr) ||
1319          ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1320         return 1;
1321     return 0;
1322 }
1323
1324 static __inline__ int
1325 xfrm_state_addr_check(const struct xfrm_state *x,
1326               const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1327               unsigned short family)
1328 {
1329     switch (family) {
1330     case AF_INET:
1331         return __xfrm4_state_addr_check(x, daddr, saddr);
1332     case AF_INET6:
1333         return __xfrm6_state_addr_check(x, daddr, saddr);
1334     }
1335     return 0;
1336 }
1337
1338 static __inline__ int
1339 xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1340                unsigned short family)
1341 {
1342     switch (family) {
1343     case AF_INET:
1344         return __xfrm4_state_addr_check(x,
1345                         (const xfrm_address_t *)&fl->u.ip4.daddr,
1346                         (const xfrm_address_t *)&fl->u.ip4.saddr);
1347     case AF_INET6:
1348         return __xfrm6_state_addr_check(x,
1349                         (const xfrm_address_t *)&fl->u.ip6.daddr,
1350                         (const xfrm_address_t *)&fl->u.ip6.saddr);
1351     }
1352     return 0;
1353 }
1354
1355 static inline int xfrm_state_kern(const struct xfrm_state *x)
1356 {
1357     return atomic_read(&x->tunnel_users);
1358 }
1359
1360 static inline bool xfrm_id_proto_valid(u8 proto)
1361 {
1362     switch (proto) {
1363     case IPPROTO_AH:
1364     case IPPROTO_ESP:
1365     case IPPROTO_COMP:
1366 #if IS_ENABLED(CONFIG_IPV6)
1367     case IPPROTO_ROUTING:
1368     case IPPROTO_DSTOPTS:
1369 #endif
1370         return true;
1371     default:
1372         return false;
1373     }
1374 }
1375
1376 /* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */
1377 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1378 {
1379     return (!userproto || proto == userproto ||
1380         (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1381                           proto == IPPROTO_ESP ||
1382                           proto == IPPROTO_COMP)));
1383 }
1384
1385 /*
1386  * xfrm algorithm information
1387  */
1388 struct xfrm_algo_aead_info {
1389     char *geniv;
1390     u16 icv_truncbits;
1391 };
1392
1393 struct xfrm_algo_auth_info {
1394     u16 icv_truncbits;
1395     u16 icv_fullbits;
1396 };
1397
1398 struct xfrm_algo_encr_info {
1399     char *geniv;
1400     u16 blockbits;
1401     u16 defkeybits;
1402 };
1403
1404 struct xfrm_algo_comp_info {
1405     u16 threshold;
1406 };
1407
1408 struct xfrm_algo_desc {
1409     char *name;
1410     char *compat;
1411     u8 available:1;
1412     u8 pfkey_supported:1;
1413     union {
1414         struct xfrm_algo_aead_info aead;
1415         struct xfrm_algo_auth_info auth;
1416         struct xfrm_algo_encr_info encr;
1417         struct xfrm_algo_comp_info comp;
1418     } uinfo;
1419     struct sadb_alg desc;
1420 };
1421
1422 /* XFRM protocol handlers.  */
1423 struct xfrm4_protocol {
1424     int (*handler)(struct sk_buff *skb);
1425     int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1426                  int encap_type);
1427     int (*cb_handler)(struct sk_buff *skb, int err);
1428     int (*err_handler)(struct sk_buff *skb, u32 info);
1429
1430     struct xfrm4_protocol __rcu *next;
1431     int priority;
1432 };
1433
1434 struct xfrm6_protocol {
1435     int (*handler)(struct sk_buff *skb);
1436     int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1437                  int encap_type);
1438     int (*cb_handler)(struct sk_buff *skb, int err);
1439     int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1440                u8 type, u8 code, int offset, __be32 info);
1441
1442     struct xfrm6_protocol __rcu *next;
1443     int priority;
1444 };
1445
1446 /* XFRM tunnel handlers.  */
1447 struct xfrm_tunnel {
1448     int (*handler)(struct sk_buff *skb);
1449     int (*cb_handler)(struct sk_buff *skb, int err);
1450     int (*err_handler)(struct sk_buff *skb, u32 info);
1451
1452     struct xfrm_tunnel __rcu *next;
1453     int priority;
1454 };
1455
1456 struct xfrm6_tunnel {
1457     int (*handler)(struct sk_buff *skb);
1458     int (*cb_handler)(struct sk_buff *skb, int err);
1459     int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1460                u8 type, u8 code, int offset, __be32 info);
1461     struct xfrm6_tunnel __rcu *next;
1462     int priority;
1463 };
1464
1465 void xfrm_init(void);
1466 void xfrm4_init(void);
1467 int xfrm_state_init(struct net *net);
1468 void xfrm_state_fini(struct net *net);
1469 void xfrm4_state_init(void);
1470 void xfrm4_protocol_init(void);
1471 #ifdef CONFIG_XFRM
1472 int xfrm6_init(void);
1473 void xfrm6_fini(void);
1474 int xfrm6_state_init(void);
1475 void xfrm6_state_fini(void);
1476 int xfrm6_protocol_init(void);
1477 void xfrm6_protocol_fini(void);
1478 #else
1479 static inline int xfrm6_init(void)
1480 {
1481     return 0;
1482 }
1483 static inline void xfrm6_fini(void)
1484 {
1485     ;
1486 }
1487 #endif
1488
1489 #ifdef CONFIG_XFRM_STATISTICS
1490 int xfrm_proc_init(struct net *net);
1491 void xfrm_proc_fini(struct net *net);
1492 #endif
1493
1494 int xfrm_sysctl_init(struct net *net);
1495 #ifdef CONFIG_SYSCTL
1496 void xfrm_sysctl_fini(struct net *net);
1497 #else
1498 static inline void xfrm_sysctl_fini(struct net *net)
1499 {
1500 }
1501 #endif
1502
1503 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
1504               struct xfrm_address_filter *filter);
1505 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1506             int (*func)(struct xfrm_state *, int, void*), void *);
1507 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
1508 struct xfrm_state *xfrm_state_alloc(struct net *net);
1509 void xfrm_state_free(struct xfrm_state *x);
1510 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1511                    const xfrm_address_t *saddr,
1512                    const struct flowi *fl,
1513                    struct xfrm_tmpl *tmpl,
1514                    struct xfrm_policy *pol, int *err,
1515                    unsigned short family, u32 if_id);
1516 struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id,
1517                        xfrm_address_t *daddr,
1518                        xfrm_address_t *saddr,
1519                        unsigned short family,
1520                        u8 mode, u8 proto, u32 reqid);
1521 struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1522                           unsigned short family);
1523 int xfrm_state_check_expire(struct xfrm_state *x);
1524 void xfrm_state_insert(struct xfrm_state *x);
1525 int xfrm_state_add(struct xfrm_state *x);
1526 int xfrm_state_update(struct xfrm_state *x);
1527 struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1528                      const xfrm_address_t *daddr, __be32 spi,
1529                      u8 proto, unsigned short family);
1530 struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1531                         const xfrm_address_t *daddr,
1532                         const xfrm_address_t *saddr,
1533                         u8 proto,
1534                         unsigned short family);
1535 #ifdef CONFIG_XFRM_SUB_POLICY
1536 void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1537             unsigned short family);
1538 void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1539              unsigned short family);
1540 #else
1541 static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s,
1542                   int n, unsigned short family)
1543 {
1544 }
1545
1546 static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s,
1547                    int n, unsigned short family)
1548 {
1549 }
1550 #endif
1551
1552 struct xfrmk_sadinfo {
1553     u32 sadhcnt; /* current hash bkts */
1554     u32 sadhmcnt; /* max allowed hash bkts */
1555     u32 sadcnt; /* current running count */
1556 };
1557
1558 struct xfrmk_spdinfo {
1559     u32 incnt;
1560     u32 outcnt;
1561     u32 fwdcnt;
1562     u32 inscnt;
1563     u32 outscnt;
1564     u32 fwdscnt;
1565     u32 spdhcnt;
1566     u32 spdhmcnt;
1567 };
1568
1569 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
1570 int xfrm_state_delete(struct xfrm_state *x);
1571 int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
1572 int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
1573 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1574 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1575 u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1576 int xfrm_init_replay(struct xfrm_state *x);
1577 u32 xfrm_state_mtu(struct xfrm_state *x, int mtu);
1578 int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload);
1579 int xfrm_init_state(struct xfrm_state *x);
1580 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
1581 int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1582 int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
1583              int (*finish)(struct net *, struct sock *,
1584                        struct sk_buff *));
1585 int xfrm_trans_queue(struct sk_buff *skb,
1586              int (*finish)(struct net *, struct sock *,
1587                    struct sk_buff *));
1588 int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err);
1589 int xfrm_output(struct sock *sk, struct sk_buff *skb);
1590
1591 #if IS_ENABLED(CONFIG_NET_PKTGEN)
1592 int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb);
1593 #endif
1594
1595 void xfrm_local_error(struct sk_buff *skb, int mtu);
1596 int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1597 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1598             int encap_type);
1599 int xfrm4_transport_finish(struct sk_buff *skb, int async);
1600 int xfrm4_rcv(struct sk_buff *skb);
1601
1602 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1603 {
1604     XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
1605     XFRM_SPI_SKB_CB(skb)->family = AF_INET;
1606     XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
1607     return xfrm_input(skb, nexthdr, spi, 0);
1608 }
1609
1610 int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1611 int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);
1612 int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);
1613 int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1614 int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1615 void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
1616 int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1617 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
1618           struct ip6_tnl *t);
1619 int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1620             int encap_type);
1621 int xfrm6_transport_finish(struct sk_buff *skb, int async);
1622 int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t);
1623 int xfrm6_rcv(struct sk_buff *skb);
1624 int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1625              xfrm_address_t *saddr, u8 proto);
1626 void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
1627 int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);
1628 int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);
1629 int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1630 int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1631 __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1632 __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1633 int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1634
1635 #ifdef CONFIG_XFRM
1636 void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu);
1637 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1638 int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1639 int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval,
1640              int optlen);
1641 #else
1642 static inline int xfrm_user_policy(struct sock *sk, int optname,
1643                    sockptr_t optval, int optlen)
1644 {
1645     return -ENOPROTOOPT;
1646 }
1647 #endif
1648
1649 struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
1650                     const xfrm_address_t *saddr,
1651                     const xfrm_address_t *daddr,
1652                     int family, u32 mark);
1653
1654 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1655
1656 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1657 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1658              int (*func)(struct xfrm_policy *, int, int, void*),
1659              void *);
1660 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1661 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1662 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net,
1663                       const struct xfrm_mark *mark,
1664                       u32 if_id, u8 type, int dir,
1665                       struct xfrm_selector *sel,
1666                       struct xfrm_sec_ctx *ctx, int delete,
1667                       int *err);
1668 struct xfrm_policy *xfrm_policy_byid(struct net *net,
1669                      const struct xfrm_mark *mark, u32 if_id,
1670                      u8 type, int dir, u32 id, int delete,
1671                      int *err);
1672 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
1673 void xfrm_policy_hash_rebuild(struct net *net);
1674 u32 xfrm_get_acqseq(void);
1675 int verify_spi_info(u8 proto, u32 min, u32 max);
1676 int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1677 struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
1678                  u8 mode, u32 reqid, u32 if_id, u8 proto,
1679                  const xfrm_address_t *daddr,
1680                  const xfrm_address_t *saddr, int create,
1681                  unsigned short family);
1682 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1683
1684 #ifdef CONFIG_XFRM_MIGRATE
1685 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1686            const struct xfrm_migrate *m, int num_bundles,
1687            const struct xfrm_kmaddress *k,
1688            const struct xfrm_encap_tmpl *encap);
1689 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net,
1690                         u32 if_id);
1691 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
1692                       struct xfrm_migrate *m,
1693                       struct xfrm_encap_tmpl *encap);
1694 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1695          struct xfrm_migrate *m, int num_bundles,
1696          struct xfrm_kmaddress *k, struct net *net,
1697          struct xfrm_encap_tmpl *encap, u32 if_id);
1698 #endif
1699
1700 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1701 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1702 int km_report(struct net *net, u8 proto, struct xfrm_selector *sel,
1703           xfrm_address_t *addr);
1704
1705 void xfrm_input_init(void);
1706 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1707
1708 void xfrm_probe_algs(void);
1709 int xfrm_count_pfkey_auth_supported(void);
1710 int xfrm_count_pfkey_enc_supported(void);
1711 struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1712 struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1713 struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1714 struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1715 struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1716 struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1717 struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1718 struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1719 struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1720                         int probe);
1721
1722 static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1723                     const xfrm_address_t *b)
1724 {
1725     return ipv6_addr_equal((const struct in6_addr *)a,
1726                    (const struct in6_addr *)b);
1727 }
1728
1729 static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1730                    const xfrm_address_t *b,
1731                    sa_family_t family)
1732 {
1733     switch (family) {
1734     default:
1735     case AF_INET:
1736         return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1737     case AF_INET6:
1738         return xfrm6_addr_equal(a, b);
1739     }
1740 }
1741
1742 static inline int xfrm_policy_id2dir(u32 index)
1743 {
1744     return index & 7;
1745 }
1746
1747 #ifdef CONFIG_XFRM
1748 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq);
1749 int xfrm_replay_check(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
1750 void xfrm_replay_notify(struct xfrm_state *x, int event);
1751 int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb);
1752 int xfrm_replay_recheck(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
1753
1754 static inline int xfrm_aevent_is_on(struct net *net)
1755 {
1756     struct sock *nlsk;
1757     int ret = 0;
1758
1759     rcu_read_lock();
1760     nlsk = rcu_dereference(net->xfrm.nlsk);
1761     if (nlsk)
1762         ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1763     rcu_read_unlock();
1764     return ret;
1765 }
1766
1767 static inline int xfrm_acquire_is_on(struct net *net)
1768 {
1769     struct sock *nlsk;
1770     int ret = 0;
1771
1772     rcu_read_lock();
1773     nlsk = rcu_dereference(net->xfrm.nlsk);
1774     if (nlsk)
1775         ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE);
1776     rcu_read_unlock();
1777
1778     return ret;
1779 }
1780 #endif
1781
1782 static inline unsigned int aead_len(struct xfrm_algo_aead *alg)
1783 {
1784     return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1785 }
1786
1787 static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg)
1788 {
1789     return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1790 }
1791
1792 static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1793 {
1794     return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1795 }
1796
1797 static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1798 {
1799     return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1800 }
1801
1802 #ifdef CONFIG_XFRM_MIGRATE
1803 static inline int xfrm_replay_clone(struct xfrm_state *x,
1804                      struct xfrm_state *orig)
1805 {
1806
1807     x->replay_esn = kmemdup(orig->replay_esn,
1808                 xfrm_replay_state_esn_len(orig->replay_esn),
1809                 GFP_KERNEL);
1810     if (!x->replay_esn)
1811         return -ENOMEM;
1812     x->preplay_esn = kmemdup(orig->preplay_esn,
1813                  xfrm_replay_state_esn_len(orig->preplay_esn),
1814                  GFP_KERNEL);
1815     if (!x->preplay_esn)
1816         return -ENOMEM;
1817
1818     return 0;
1819 }
1820
1821 static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig)
1822 {
1823     return kmemdup(orig, aead_len(orig), GFP_KERNEL);
1824 }
1825
1826
1827 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1828 {
1829     return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1830 }
1831
1832 static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1833 {
1834     return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1835 }
1836
1837 static inline void xfrm_states_put(struct xfrm_state **states, int n)
1838 {
1839     int i;
1840     for (i = 0; i < n; i++)
1841         xfrm_state_put(*(states + i));
1842 }
1843
1844 static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1845 {
1846     int i;
1847     for (i = 0; i < n; i++)
1848         xfrm_state_delete(*(states + i));
1849 }
1850 #endif
1851
1852 #ifdef CONFIG_XFRM
1853 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1854 {
1855     struct sec_path *sp = skb_sec_path(skb);
1856
1857     return sp->xvec[sp->len - 1];
1858 }
1859 #endif
1860
1861 static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
1862 {
1863 #ifdef CONFIG_XFRM
1864     struct sec_path *sp = skb_sec_path(skb);
1865
1866     if (!sp || !sp->olen || sp->len != sp->olen)
1867         return NULL;
1868
1869     return &sp->ovec[sp->olen - 1];
1870 #else
1871     return NULL;
1872 #endif
1873 }
1874
1875 void __init xfrm_dev_init(void);
1876
1877 #ifdef CONFIG_XFRM_OFFLOAD
1878 void xfrm_dev_resume(struct sk_buff *skb);
1879 void xfrm_dev_backlog(struct softnet_data *sd);
1880 struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again);
1881 int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
1882                struct xfrm_user_offload *xuo);
1883 bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
1884
1885 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1886 {
1887     struct xfrm_dev_offload *xso = &x->xso;
1888
1889     if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn)
1890         xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
1891 }
1892
1893 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1894 {
1895     struct xfrm_state *x = dst->xfrm;
1896     struct xfrm_dst *xdst;
1897
1898     if (!x || !x->type_offload)
1899         return false;
1900
1901     xdst = (struct xfrm_dst *) dst;
1902     if (!x->xso.offload_handle && !xdst->child->xfrm)
1903         return true;
1904     if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) &&
1905         !xdst->child->xfrm)
1906         return true;
1907
1908     return false;
1909 }
1910
1911 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1912 {
1913     struct xfrm_dev_offload *xso = &x->xso;
1914
1915     if (xso->dev)
1916         xso->dev->xfrmdev_ops->xdo_dev_state_delete(x);
1917 }
1918
1919 static inline void xfrm_dev_state_free(struct xfrm_state *x)
1920 {
1921     struct xfrm_dev_offload *xso = &x->xso;
1922     struct net_device *dev = xso->dev;
1923
1924     if (dev && dev->xfrmdev_ops) {
1925         if (dev->xfrmdev_ops->xdo_dev_state_free)
1926             dev->xfrmdev_ops->xdo_dev_state_free(x);
1927         xso->dev = NULL;
1928         netdev_put(dev, &xso->dev_tracker);
1929     }
1930 }
1931 #else
1932 static inline void xfrm_dev_resume(struct sk_buff *skb)
1933 {
1934 }
1935
1936 static inline void xfrm_dev_backlog(struct softnet_data *sd)
1937 {
1938 }
1939
1940 static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
1941 {
1942     return skb;
1943 }
1944
1945 static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo)
1946 {
1947     return 0;
1948 }
1949
1950 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1951 {
1952 }
1953
1954 static inline void xfrm_dev_state_free(struct xfrm_state *x)
1955 {
1956 }
1957
1958 static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
1959 {
1960     return false;
1961 }
1962
1963 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1964 {
1965 }
1966
1967 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1968 {
1969     return false;
1970 }
1971 #endif
1972
1973 static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
1974 {
1975     if (attrs[XFRMA_MARK])
1976         memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
1977     else
1978         m->v = m->m = 0;
1979
1980     return m->v & m->m;
1981 }
1982
1983 static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
1984 {
1985     int ret = 0;
1986
1987     if (m->m | m->v)
1988         ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
1989     return ret;
1990 }
1991
1992 static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x)
1993 {
1994     struct xfrm_mark *m = &x->props.smark;
1995
1996     return (m->v & m->m) | (mark & ~m->m);
1997 }
1998
1999 static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id)
2000 {
2001     int ret = 0;
2002
2003     if (if_id)
2004         ret = nla_put_u32(skb, XFRMA_IF_ID, if_id);
2005     return ret;
2006 }
2007
2008 static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
2009                     unsigned int family)
2010 {
2011     bool tunnel = false;
2012
2013     switch(family) {
2014     case AF_INET:
2015         if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
2016             tunnel = true;
2017         break;
2018     case AF_INET6:
2019         if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
2020             tunnel = true;
2021         break;
2022     }
2023     if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL))
2024         return -EINVAL;
2025
2026     return 0;
2027 }
2028
2029 extern const int xfrm_msg_min[XFRM_NR_MSGTYPES];
2030 extern const struct nla_policy xfrma_policy[XFRMA_MAX+1];
2031
2032 struct xfrm_translator {
2033     /* Allocate frag_list and put compat translation there */
2034     int (*alloc_compat)(struct sk_buff *skb, const struct nlmsghdr *src);
2035
2036     /* Allocate nlmsg with 64-bit translaton of received 32-bit message */
2037     struct nlmsghdr *(*rcv_msg_compat)(const struct nlmsghdr *nlh,
2038             int maxtype, const struct nla_policy *policy,
2039             struct netlink_ext_ack *extack);
2040
2041     /* Translate 32-bit user_policy from sockptr */
2042     int (*xlate_user_policy_sockptr)(u8 **pdata32, int optlen);
2043
2044     struct module *owner;
2045 };
2046
2047 #if IS_ENABLED(CONFIG_XFRM_USER_COMPAT)
2048 extern int xfrm_register_translator(struct xfrm_translator *xtr);
2049 extern int xfrm_unregister_translator(struct xfrm_translator *xtr);
2050 extern struct xfrm_translator *xfrm_get_translator(void);
2051 extern void xfrm_put_translator(struct xfrm_translator *xtr);
2052 #else
2053 static inline struct xfrm_translator *xfrm_get_translator(void)
2054 {
2055     return NULL;
2056 }
2057 static inline void xfrm_put_translator(struct xfrm_translator *xtr)
2058 {
2059 }
2060 #endif
2061
2062 #if IS_ENABLED(CONFIG_IPV6)
2063 static inline bool xfrm6_local_dontfrag(const struct sock *sk)
2064 {
2065     int proto;
2066
2067     if (!sk || sk->sk_family != AF_INET6)
2068         return false;
2069
2070     proto = sk->sk_protocol;
2071     if (proto == IPPROTO_UDP || proto == IPPROTO_RAW)
2072         return inet6_sk(sk)->dontfrag;
2073
2074     return false;
2075 }
2076 #endif
2077 #endif  /* _NET_XFRM_H */