xfrm_policy.c revision e6e0871cce2ae04f5790543ad2f4ec36b23260ba
/*
 * xfrm_policy.c
 *
 * Changes:
 *	Mitsuru KANDA @USAGI
 *	Kazunori MIYAZAWA @USAGI
 *	Kunihiro Ishiguro <kunihiro@ipinfusion.com>
 *		IPv6 support
 *	Kazunori MIYAZAWA @USAGI
 *	YOSHIFUJI Hideaki
 *		Split up af-specific portion
 *	Derek Atkins <derek@ihtfp.com>		Add the post_input processor
 *
 */

#include <linux/slab.h>
#include <linux/kmod.h>
#include <linux/list.h>
#include <linux/spinlock.h>
#include <linux/workqueue.h>
#include <linux/notifier.h>
#include <linux/netdevice.h>
#include <linux/netfilter.h>
#include <linux/module.h>
#include <linux/cache.h>
#include <net/xfrm.h>
#include <net/ip.h>
#include <linux/audit.h>

#include "xfrm_hash.h"

int sysctl_xfrm_larval_drop __read_mostly;

DEFINE_MUTEX(xfrm_cfg_mutex);
EXPORT_SYMBOL(xfrm_cfg_mutex);

static DEFINE_RWLOCK(xfrm_policy_lock);

unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2];
EXPORT_SYMBOL(xfrm_policy_count);

static DEFINE_RWLOCK(xfrm_policy_afinfo_lock);
static struct xfrm_policy_afinfo *xfrm_policy_afinfo[NPROTO];

static struct kmem_cache *xfrm_dst_cache __read_mostly;

static struct work_struct xfrm_policy_gc_work;
static HLIST_HEAD(xfrm_policy_gc_list);
static DEFINE_SPINLOCK(xfrm_policy_gc_lock);

static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
static struct xfrm_policy_afinfo *xfrm_policy_lock_afinfo(unsigned int family);
static void xfrm_policy_unlock_afinfo(struct xfrm_policy_afinfo *afinfo);

static inline int
__xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl)
{
	return	addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) &&
		addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) &&
		!((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
		!((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
		(fl->proto == sel->proto || !sel->proto) &&
		(fl->oif == sel->ifindex || !sel->ifindex);
}

static inline int
__xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl)
{
	return	addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) &&
		addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) &&
		!((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
		!((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
		(fl->proto == sel->proto || !sel->proto) &&
		(fl->oif == sel->ifindex || !sel->ifindex);
}

int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
			unsigned short family)
{
	switch (family) {
	case AF_INET:
		return __xfrm4_selector_match(sel, fl);
	case AF_INET6:
		return __xfrm6_selector_match(sel, fl);
	}
	return 0;
}

int xfrm_register_type(struct xfrm_type *type, unsigned short family)
{
	struct xfrm_policy_afinfo *afinfo = xfrm_policy_lock_afinfo(family);
	struct xfrm_type **typemap;
	int err = 0;

	if (unlikely(afinfo == NULL))
		return -EAFNOSUPPORT;
	typemap = afinfo->type_map;

	if (likely(typemap[type->proto] == NULL))
		typemap[type->proto] = type;
	else
		err = -EEXIST;
	xfrm_policy_unlock_afinfo(afinfo);
	return err;
}
EXPORT_SYMBOL(xfrm_register_type);
int xfrm_unregister_type(struct xfrm_type *type, unsigned short family)
{
	struct xfrm_policy_afinfo *afinfo = xfrm_policy_lock_afinfo(family);
	struct xfrm_type **typemap;
	int err = 0;

	if (unlikely(afinfo == NULL))
		return -EAFNOSUPPORT;
	typemap = afinfo->type_map;

	if (unlikely(typemap[type->proto] != type))
		err = -ENOENT;
	else
		typemap[type->proto] = NULL;
	xfrm_policy_unlock_afinfo(afinfo);
	return err;
}
EXPORT_SYMBOL(xfrm_unregister_type);

struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
{
	struct xfrm_policy_afinfo *afinfo;
	struct xfrm_type **typemap;
	struct xfrm_type *type;
	int modload_attempted = 0;

retry:
	afinfo = xfrm_policy_get_afinfo(family);
	if (unlikely(afinfo == NULL))
		return NULL;
	typemap = afinfo->type_map;

	type = typemap[proto];
	if (unlikely(type && !try_module_get(type->owner)))
		type = NULL;
	if (!type && !modload_attempted) {
		xfrm_policy_put_afinfo(afinfo);
		request_module("xfrm-type-%d-%d",
			       (int) family, (int) proto);
		modload_attempted = 1;
		goto retry;
	}

	xfrm_policy_put_afinfo(afinfo);
	return type;
}

int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl,
		    unsigned short family)
{
	struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
	int err = 0;

	if (unlikely(afinfo == NULL))
		return -EAFNOSUPPORT;

	if (likely(afinfo->dst_lookup != NULL))
		err = afinfo->dst_lookup(dst, fl);
	else
		err = -EINVAL;
	xfrm_policy_put_afinfo(afinfo);
	return err;
}
EXPORT_SYMBOL(xfrm_dst_lookup);

void xfrm_put_type(struct xfrm_type *type)
{
	module_put(type->owner);
}

int xfrm_register_mode(struct xfrm_mode *mode, int family)
{
	struct xfrm_policy_afinfo *afinfo;
	struct xfrm_mode **modemap;
	int err;

	if (unlikely(mode->encap >= XFRM_MODE_MAX))
		return -EINVAL;

	afinfo = xfrm_policy_lock_afinfo(family);
	if (unlikely(afinfo == NULL))
		return -EAFNOSUPPORT;

	err = -EEXIST;
	modemap = afinfo->mode_map;
	if (likely(modemap[mode->encap] == NULL)) {
		modemap[mode->encap] = mode;
		err = 0;
	}

	xfrm_policy_unlock_afinfo(afinfo);
	return err;
}
EXPORT_SYMBOL(xfrm_register_mode);

int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
{
	struct xfrm_policy_afinfo *afinfo;
	struct xfrm_mode **modemap;
	int err;

	if (unlikely(mode->encap >= XFRM_MODE_MAX))
		return -EINVAL;

	afinfo = xfrm_policy_lock_afinfo(family);
	if (unlikely(afinfo == NULL))
		return -EAFNOSUPPORT;

	err = -ENOENT;
	modemap = afinfo->mode_map;
	if (likely(modemap[mode->encap] == mode)) {
		modemap[mode->encap] = NULL;
		err = 0;
	}

	xfrm_policy_unlock_afinfo(afinfo);
	return err;
}
EXPORT_SYMBOL(xfrm_unregister_mode);

struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
{
	struct xfrm_policy_afinfo *afinfo;
	struct xfrm_mode *mode;
	int modload_attempted = 0;

	if (unlikely(encap >= XFRM_MODE_MAX))
		return NULL;

retry:
	afinfo = xfrm_policy_get_afinfo(family);
	if (unlikely(afinfo == NULL))
		return NULL;

	mode = afinfo->mode_map[encap];
	if (unlikely(mode && !try_module_get(mode->owner)))
		mode = NULL;
	if (!mode && !modload_attempted) {
		xfrm_policy_put_afinfo(afinfo);
		request_module("xfrm-mode-%d-%d", family, encap);
		modload_attempted = 1;
		goto retry;
	}

	xfrm_policy_put_afinfo(afinfo);
	return mode;
}

void xfrm_put_mode(struct xfrm_mode *mode)
{
	module_put(mode->owner);
}
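/* Annotation (editor's note, not in the original source): the
 * request_module() strings above are the module alias namespace used
 * for autoloading types and modes. For example, a first lookup of
 * tunnel mode for IPv4 would request "xfrm-mode-2-1", since AF_INET
 * == 2 and (assuming the usual uapi values) XFRM_MODE_TUNNEL == 1;
 * a mode module advertises a matching MODULE_ALIAS so modprobe can
 * find it, after which the retry path picks it up from mode_map.
 */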
secs) 264{ 265 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ) 266 return MAX_SCHEDULE_TIMEOUT-1; 267 else 268 return secs*HZ; 269} 270 271static void xfrm_policy_timer(unsigned long data) 272{ 273 struct xfrm_policy *xp = (struct xfrm_policy*)data; 274 unsigned long now = get_seconds(); 275 long next = LONG_MAX; 276 int warn = 0; 277 int dir; 278 279 read_lock(&xp->lock); 280 281 if (xp->dead) 282 goto out; 283 284 dir = xfrm_policy_id2dir(xp->index); 285 286 if (xp->lft.hard_add_expires_seconds) { 287 long tmo = xp->lft.hard_add_expires_seconds + 288 xp->curlft.add_time - now; 289 if (tmo <= 0) 290 goto expired; 291 if (tmo < next) 292 next = tmo; 293 } 294 if (xp->lft.hard_use_expires_seconds) { 295 long tmo = xp->lft.hard_use_expires_seconds + 296 (xp->curlft.use_time ? : xp->curlft.add_time) - now; 297 if (tmo <= 0) 298 goto expired; 299 if (tmo < next) 300 next = tmo; 301 } 302 if (xp->lft.soft_add_expires_seconds) { 303 long tmo = xp->lft.soft_add_expires_seconds + 304 xp->curlft.add_time - now; 305 if (tmo <= 0) { 306 warn = 1; 307 tmo = XFRM_KM_TIMEOUT; 308 } 309 if (tmo < next) 310 next = tmo; 311 } 312 if (xp->lft.soft_use_expires_seconds) { 313 long tmo = xp->lft.soft_use_expires_seconds + 314 (xp->curlft.use_time ? : xp->curlft.add_time) - now; 315 if (tmo <= 0) { 316 warn = 1; 317 tmo = XFRM_KM_TIMEOUT; 318 } 319 if (tmo < next) 320 next = tmo; 321 } 322 323 if (warn) 324 km_policy_expired(xp, dir, 0, 0); 325 if (next != LONG_MAX && 326 !mod_timer(&xp->timer, jiffies + make_jiffies(next))) 327 xfrm_pol_hold(xp); 328 329out: 330 read_unlock(&xp->lock); 331 xfrm_pol_put(xp); 332 return; 333 334expired: 335 read_unlock(&xp->lock); 336 if (!xfrm_policy_delete(xp, dir)) 337 km_policy_expired(xp, dir, 1, 0); 338 xfrm_pol_put(xp); 339} 340 341 342/* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2 343 * SPD calls. 344 */ 345 346struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp) 347{ 348 struct xfrm_policy *policy; 349 350 policy = kzalloc(sizeof(struct xfrm_policy), gfp); 351 352 if (policy) { 353 INIT_HLIST_NODE(&policy->bydst); 354 INIT_HLIST_NODE(&policy->byidx); 355 rwlock_init(&policy->lock); 356 atomic_set(&policy->refcnt, 1); 357 init_timer(&policy->timer); 358 policy->timer.data = (unsigned long)policy; 359 policy->timer.function = xfrm_policy_timer; 360 } 361 return policy; 362} 363EXPORT_SYMBOL(xfrm_policy_alloc); 364 365/* Destroy xfrm_policy: descendant resources must be released to this moment. 
/* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
 * SPD calls.
 */

struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp)
{
	struct xfrm_policy *policy;

	policy = kzalloc(sizeof(struct xfrm_policy), gfp);

	if (policy) {
		INIT_HLIST_NODE(&policy->bydst);
		INIT_HLIST_NODE(&policy->byidx);
		rwlock_init(&policy->lock);
		atomic_set(&policy->refcnt, 1);
		init_timer(&policy->timer);
		policy->timer.data = (unsigned long)policy;
		policy->timer.function = xfrm_policy_timer;
	}
	return policy;
}
EXPORT_SYMBOL(xfrm_policy_alloc);

/* Destroy xfrm_policy: descendant resources must be released to this moment. */

void __xfrm_policy_destroy(struct xfrm_policy *policy)
{
	BUG_ON(!policy->dead);

	BUG_ON(policy->bundles);

	if (del_timer(&policy->timer))
		BUG();

	security_xfrm_policy_free(policy);
	kfree(policy);
}
EXPORT_SYMBOL(__xfrm_policy_destroy);

static void xfrm_policy_gc_kill(struct xfrm_policy *policy)
{
	struct dst_entry *dst;

	while ((dst = policy->bundles) != NULL) {
		policy->bundles = dst->next;
		dst_free(dst);
	}

	if (del_timer(&policy->timer))
		atomic_dec(&policy->refcnt);

	if (atomic_read(&policy->refcnt) > 1)
		flow_cache_flush();

	xfrm_pol_put(policy);
}

static void xfrm_policy_gc_task(struct work_struct *work)
{
	struct xfrm_policy *policy;
	struct hlist_node *entry, *tmp;
	struct hlist_head gc_list;

	spin_lock_bh(&xfrm_policy_gc_lock);
	gc_list.first = xfrm_policy_gc_list.first;
	INIT_HLIST_HEAD(&xfrm_policy_gc_list);
	spin_unlock_bh(&xfrm_policy_gc_lock);

	hlist_for_each_entry_safe(policy, entry, tmp, &gc_list, bydst)
		xfrm_policy_gc_kill(policy);
}

/* Rule must be locked. Release descendant resources, announce
 * entry dead. The rule must already be unlinked from the lists.
 */

static void xfrm_policy_kill(struct xfrm_policy *policy)
{
	int dead;

	write_lock_bh(&policy->lock);
	dead = policy->dead;
	policy->dead = 1;
	write_unlock_bh(&policy->lock);

	if (unlikely(dead)) {
		WARN_ON(1);
		return;
	}

	spin_lock(&xfrm_policy_gc_lock);
	hlist_add_head(&policy->bydst, &xfrm_policy_gc_list);
	spin_unlock(&xfrm_policy_gc_lock);

	schedule_work(&xfrm_policy_gc_work);
}

struct xfrm_policy_hash {
	struct hlist_head	*table;
	unsigned int		hmask;
};

static struct hlist_head xfrm_policy_inexact[XFRM_POLICY_MAX*2];
static struct xfrm_policy_hash xfrm_policy_bydst[XFRM_POLICY_MAX*2] __read_mostly;
static struct hlist_head *xfrm_policy_byidx __read_mostly;
static unsigned int xfrm_idx_hmask __read_mostly;
static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024;

static inline unsigned int idx_hash(u32 index)
{
	return __idx_hash(index, xfrm_idx_hmask);
}

static struct hlist_head *policy_hash_bysel(struct xfrm_selector *sel, unsigned short family, int dir)
{
	unsigned int hmask = xfrm_policy_bydst[dir].hmask;
	unsigned int hash = __sel_hash(sel, family, hmask);

	return (hash == hmask + 1 ?
		&xfrm_policy_inexact[dir] :
		xfrm_policy_bydst[dir].table + hash);
}
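/* Annotation (editor's note, not in the original source): in this
 * tree __sel_hash() only hashes selectors whose source and
 * destination are full host addresses; anything with a shorter
 * prefix comes back as hmask + 1, which the test above maps onto the
 * per-direction "inexact" list. So exact-host policies get O(1)
 * bucket placement, while wildcard policies live on a single linear
 * chain that every lookup must also walk.
 */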
static struct hlist_head *policy_hash_direct(xfrm_address_t *daddr, xfrm_address_t *saddr, unsigned short family, int dir)
{
	unsigned int hmask = xfrm_policy_bydst[dir].hmask;
	unsigned int hash = __addr_hash(daddr, saddr, family, hmask);

	return xfrm_policy_bydst[dir].table + hash;
}

static void xfrm_dst_hash_transfer(struct hlist_head *list,
				   struct hlist_head *ndsttable,
				   unsigned int nhashmask)
{
	struct hlist_node *entry, *tmp;
	struct xfrm_policy *pol;

	hlist_for_each_entry_safe(pol, entry, tmp, list, bydst) {
		unsigned int h;

		h = __addr_hash(&pol->selector.daddr, &pol->selector.saddr,
				pol->family, nhashmask);
		hlist_add_head(&pol->bydst, ndsttable+h);
	}
}

static void xfrm_idx_hash_transfer(struct hlist_head *list,
				   struct hlist_head *nidxtable,
				   unsigned int nhashmask)
{
	struct hlist_node *entry, *tmp;
	struct xfrm_policy *pol;

	hlist_for_each_entry_safe(pol, entry, tmp, list, byidx) {
		unsigned int h;

		h = __idx_hash(pol->index, nhashmask);
		hlist_add_head(&pol->byidx, nidxtable+h);
	}
}

static unsigned long xfrm_new_hash_mask(unsigned int old_hmask)
{
	return ((old_hmask + 1) << 1) - 1;
}

static void xfrm_bydst_resize(int dir)
{
	unsigned int hmask = xfrm_policy_bydst[dir].hmask;
	unsigned int nhashmask = xfrm_new_hash_mask(hmask);
	unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
	struct hlist_head *odst = xfrm_policy_bydst[dir].table;
	struct hlist_head *ndst = xfrm_hash_alloc(nsize);
	int i;

	if (!ndst)
		return;

	write_lock_bh(&xfrm_policy_lock);

	for (i = hmask; i >= 0; i--)
		xfrm_dst_hash_transfer(odst + i, ndst, nhashmask);

	xfrm_policy_bydst[dir].table = ndst;
	xfrm_policy_bydst[dir].hmask = nhashmask;

	write_unlock_bh(&xfrm_policy_lock);

	xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head));
}

static void xfrm_byidx_resize(int total)
{
	unsigned int hmask = xfrm_idx_hmask;
	unsigned int nhashmask = xfrm_new_hash_mask(hmask);
	unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
	struct hlist_head *oidx = xfrm_policy_byidx;
	struct hlist_head *nidx = xfrm_hash_alloc(nsize);
	int i;

	if (!nidx)
		return;

	write_lock_bh(&xfrm_policy_lock);

	for (i = hmask; i >= 0; i--)
		xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask);

	xfrm_policy_byidx = nidx;
	xfrm_idx_hmask = nhashmask;

	write_unlock_bh(&xfrm_policy_lock);

	xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head));
}

static inline int xfrm_bydst_should_resize(int dir, int *total)
{
	unsigned int cnt = xfrm_policy_count[dir];
	unsigned int hmask = xfrm_policy_bydst[dir].hmask;

	if (total)
		*total += cnt;

	if ((hmask + 1) < xfrm_policy_hashmax &&
	    cnt > hmask)
		return 1;

	return 0;
}

static inline int xfrm_byidx_should_resize(int total)
{
	unsigned int hmask = xfrm_idx_hmask;

	if ((hmask + 1) < xfrm_policy_hashmax &&
	    total > hmask)
		return 1;

	return 0;
}
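/* Annotation (editor's note, not in the original source): a worked
 * resize example. Tables start at 8 buckets (hmask == 7, see
 * xfrm_policy_init() below). Once a direction holds more policies
 * than buckets (cnt > hmask), xfrm_new_hash_mask(7) yields
 * ((7+1) << 1) - 1 == 15, i.e. the table doubles to 16 buckets and
 * every entry is rehashed under the new mask while xfrm_policy_lock
 * is held for writing. Growth stops once the bucket count reaches
 * xfrm_policy_hashmax.
 */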
void xfrm_spd_getinfo(struct xfrmk_spdinfo *si)
{
	read_lock_bh(&xfrm_policy_lock);
	si->incnt = xfrm_policy_count[XFRM_POLICY_IN];
	si->outcnt = xfrm_policy_count[XFRM_POLICY_OUT];
	si->fwdcnt = xfrm_policy_count[XFRM_POLICY_FWD];
	si->inscnt = xfrm_policy_count[XFRM_POLICY_IN+XFRM_POLICY_MAX];
	si->outscnt = xfrm_policy_count[XFRM_POLICY_OUT+XFRM_POLICY_MAX];
	si->fwdscnt = xfrm_policy_count[XFRM_POLICY_FWD+XFRM_POLICY_MAX];
	si->spdhcnt = xfrm_idx_hmask;
	si->spdhmcnt = xfrm_policy_hashmax;
	read_unlock_bh(&xfrm_policy_lock);
}
EXPORT_SYMBOL(xfrm_spd_getinfo);

static DEFINE_MUTEX(hash_resize_mutex);
static void xfrm_hash_resize(struct work_struct *__unused)
{
	int dir, total;

	mutex_lock(&hash_resize_mutex);

	total = 0;
	for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
		if (xfrm_bydst_should_resize(dir, &total))
			xfrm_bydst_resize(dir);
	}
	if (xfrm_byidx_should_resize(total))
		xfrm_byidx_resize(total);

	mutex_unlock(&hash_resize_mutex);
}

static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize);

/* Generate new index... KAME seems to generate them ordered by cost
 * of an absolute unpredictability of ordering of rules. This will not pass. */
static u32 xfrm_gen_index(u8 type, int dir)
{
	static u32 idx_generator;

	for (;;) {
		struct hlist_node *entry;
		struct hlist_head *list;
		struct xfrm_policy *p;
		u32 idx;
		int found;

		idx = (idx_generator | dir);
		idx_generator += 8;
		if (idx == 0)
			idx = 8;
		list = xfrm_policy_byidx + idx_hash(idx);
		found = 0;
		hlist_for_each_entry(p, entry, list, byidx) {
			if (p->index == idx) {
				found = 1;
				break;
			}
		}
		if (!found)
			return idx;
	}
}
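/* Annotation (editor's note, not in the original source): the low
 * three bits of a policy index encode its direction, which is why the
 * generator advances in steps of 8. For dir == XFRM_POLICY_OUT (1)
 * the candidate sequence is 1, 9, 17, ...; xfrm_policy_id2dir() then
 * recovers the direction as index & 7. The loop re-checks the byidx
 * hash so a wrapped generator never hands out an index that is still
 * live.
 */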
static inline int selector_cmp(struct xfrm_selector *s1, struct xfrm_selector *s2)
{
	u32 *p1 = (u32 *) s1;
	u32 *p2 = (u32 *) s2;
	int len = sizeof(struct xfrm_selector) / sizeof(u32);
	int i;

	for (i = 0; i < len; i++) {
		if (p1[i] != p2[i])
			return 1;
	}

	return 0;
}

int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
{
	struct xfrm_policy *pol;
	struct xfrm_policy *delpol;
	struct hlist_head *chain;
	struct hlist_node *entry, *newpos;
	struct dst_entry *gc_list;

	write_lock_bh(&xfrm_policy_lock);
	chain = policy_hash_bysel(&policy->selector, policy->family, dir);
	delpol = NULL;
	newpos = NULL;
	hlist_for_each_entry(pol, entry, chain, bydst) {
		if (pol->type == policy->type &&
		    !selector_cmp(&pol->selector, &policy->selector) &&
		    xfrm_sec_ctx_match(pol->security, policy->security) &&
		    !WARN_ON(delpol)) {
			if (excl) {
				write_unlock_bh(&xfrm_policy_lock);
				return -EEXIST;
			}
			delpol = pol;
			if (policy->priority > pol->priority)
				continue;
		} else if (policy->priority >= pol->priority) {
			newpos = &pol->bydst;
			continue;
		}
		if (delpol)
			break;
	}
	if (newpos)
		hlist_add_after(newpos, &policy->bydst);
	else
		hlist_add_head(&policy->bydst, chain);
	xfrm_pol_hold(policy);
	xfrm_policy_count[dir]++;
	atomic_inc(&flow_cache_genid);
	if (delpol) {
		hlist_del(&delpol->bydst);
		hlist_del(&delpol->byidx);
		xfrm_policy_count[dir]--;
	}
	policy->index = delpol ? delpol->index : xfrm_gen_index(policy->type, dir);
	hlist_add_head(&policy->byidx, xfrm_policy_byidx+idx_hash(policy->index));
	policy->curlft.add_time = get_seconds();
	policy->curlft.use_time = 0;
	if (!mod_timer(&policy->timer, jiffies + HZ))
		xfrm_pol_hold(policy);
	write_unlock_bh(&xfrm_policy_lock);

	if (delpol)
		xfrm_policy_kill(delpol);
	else if (xfrm_bydst_should_resize(dir, NULL))
		schedule_work(&xfrm_hash_work);

	read_lock_bh(&xfrm_policy_lock);
	gc_list = NULL;
	entry = &policy->bydst;
	hlist_for_each_entry_continue(policy, entry, bydst) {
		struct dst_entry *dst;

		write_lock(&policy->lock);
		dst = policy->bundles;
		if (dst) {
			struct dst_entry *tail = dst;
			while (tail->next)
				tail = tail->next;
			tail->next = gc_list;
			gc_list = dst;

			policy->bundles = NULL;
		}
		write_unlock(&policy->lock);
	}
	read_unlock_bh(&xfrm_policy_lock);

	while (gc_list) {
		struct dst_entry *dst = gc_list;

		gc_list = dst->next;
		dst_free(dst);
	}

	return 0;
}
EXPORT_SYMBOL(xfrm_policy_insert);

struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
					  struct xfrm_selector *sel,
					  struct xfrm_sec_ctx *ctx, int delete,
					  int *err)
{
	struct xfrm_policy *pol, *ret;
	struct hlist_head *chain;
	struct hlist_node *entry;

	*err = 0;
	write_lock_bh(&xfrm_policy_lock);
	chain = policy_hash_bysel(sel, sel->family, dir);
	ret = NULL;
	hlist_for_each_entry(pol, entry, chain, bydst) {
		if (pol->type == type &&
		    !selector_cmp(sel, &pol->selector) &&
		    xfrm_sec_ctx_match(ctx, pol->security)) {
			xfrm_pol_hold(pol);
			if (delete) {
				*err = security_xfrm_policy_delete(pol);
				if (*err) {
					write_unlock_bh(&xfrm_policy_lock);
					return pol;
				}
				hlist_del(&pol->bydst);
				hlist_del(&pol->byidx);
				xfrm_policy_count[dir]--;
			}
			ret = pol;
			break;
		}
	}
	write_unlock_bh(&xfrm_policy_lock);

	if (ret && delete) {
		atomic_inc(&flow_cache_genid);
		xfrm_policy_kill(ret);
	}
	return ret;
}
EXPORT_SYMBOL(xfrm_policy_bysel_ctx);

struct xfrm_policy *xfrm_policy_byid(u8 type, int dir, u32 id, int delete,
				     int *err)
{
	struct xfrm_policy *pol, *ret;
	struct hlist_head *chain;
	struct hlist_node *entry;

	*err = -ENOENT;
	if (xfrm_policy_id2dir(id) != dir)
		return NULL;

	*err = 0;
	write_lock_bh(&xfrm_policy_lock);
	chain = xfrm_policy_byidx + idx_hash(id);
	ret = NULL;
	hlist_for_each_entry(pol, entry, chain, byidx) {
		if (pol->type == type && pol->index == id) {
			xfrm_pol_hold(pol);
			if (delete) {
				*err = security_xfrm_policy_delete(pol);
				if (*err) {
					write_unlock_bh(&xfrm_policy_lock);
					return pol;
				}
				hlist_del(&pol->bydst);
				hlist_del(&pol->byidx);
				xfrm_policy_count[dir]--;
			}
			ret = pol;
			break;
		}
	}
	write_unlock_bh(&xfrm_policy_lock);

	if (ret && delete) {
		atomic_inc(&flow_cache_genid);
		xfrm_policy_kill(ret);
	}
	return ret;
}
EXPORT_SYMBOL(xfrm_policy_byid);
#ifdef CONFIG_SECURITY_NETWORK_XFRM
static inline int
xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
{
	int dir, err = 0;

	for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
		struct xfrm_policy *pol;
		struct hlist_node *entry;
		int i;

		hlist_for_each_entry(pol, entry,
				     &xfrm_policy_inexact[dir], bydst) {
			if (pol->type != type)
				continue;
			err = security_xfrm_policy_delete(pol);
			if (err) {
				xfrm_audit_log(audit_info->loginuid,
					       audit_info->secid,
					       AUDIT_MAC_IPSEC_DELSPD, 0,
					       pol, NULL);
				return err;
			}
		}
		for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
			hlist_for_each_entry(pol, entry,
					     xfrm_policy_bydst[dir].table + i,
					     bydst) {
				if (pol->type != type)
					continue;
				err = security_xfrm_policy_delete(pol);
				if (err) {
					xfrm_audit_log(audit_info->loginuid,
						       audit_info->secid,
						       AUDIT_MAC_IPSEC_DELSPD,
						       0, pol, NULL);
					return err;
				}
			}
		}
	}
	return err;
}
#else
static inline int
xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
{
	return 0;
}
#endif

int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
{
	int dir, err = 0;

	write_lock_bh(&xfrm_policy_lock);

	err = xfrm_policy_flush_secctx_check(type, audit_info);
	if (err)
		goto out;

	for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
		struct xfrm_policy *pol;
		struct hlist_node *entry;
		int i, killed;

		killed = 0;
	again1:
		hlist_for_each_entry(pol, entry,
				     &xfrm_policy_inexact[dir], bydst) {
			if (pol->type != type)
				continue;
			hlist_del(&pol->bydst);
			hlist_del(&pol->byidx);
			write_unlock_bh(&xfrm_policy_lock);

			xfrm_audit_log(audit_info->loginuid, audit_info->secid,
				       AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL);

			xfrm_policy_kill(pol);
			killed++;

			write_lock_bh(&xfrm_policy_lock);
			goto again1;
		}

		for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
	again2:
			hlist_for_each_entry(pol, entry,
					     xfrm_policy_bydst[dir].table + i,
					     bydst) {
				if (pol->type != type)
					continue;
				hlist_del(&pol->bydst);
				hlist_del(&pol->byidx);
				write_unlock_bh(&xfrm_policy_lock);

				xfrm_audit_log(audit_info->loginuid,
					       audit_info->secid,
					       AUDIT_MAC_IPSEC_DELSPD, 1,
					       pol, NULL);

				xfrm_policy_kill(pol);
				killed++;

				write_lock_bh(&xfrm_policy_lock);
				goto again2;
			}
		}

		xfrm_policy_count[dir] -= killed;
	}
	atomic_inc(&flow_cache_genid);
out:
	write_unlock_bh(&xfrm_policy_lock);
	return err;
}
EXPORT_SYMBOL(xfrm_policy_flush);
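/* Annotation (editor's note, not in the original source): the
 * again1/again2 pattern above exists because xfrm_policy_lock is
 * dropped around the audit call and xfrm_policy_kill() for each
 * deleted entry. Once the lock is reacquired the hlist may have
 * mutated, so the walk restarts from the head of the same chain
 * rather than continuing from a possibly stale node.
 */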
int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*),
		     void *data)
{
	struct xfrm_policy *pol, *last = NULL;
	struct hlist_node *entry;
	int dir, last_dir = 0, count, error;

	read_lock_bh(&xfrm_policy_lock);
	count = 0;

	for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
		struct hlist_head *table = xfrm_policy_bydst[dir].table;
		int i;

		hlist_for_each_entry(pol, entry,
				     &xfrm_policy_inexact[dir], bydst) {
			if (pol->type != type)
				continue;
			if (last) {
				error = func(last, last_dir % XFRM_POLICY_MAX,
					     count, data);
				if (error)
					goto out;
			}
			last = pol;
			last_dir = dir;
			count++;
		}
		for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
			hlist_for_each_entry(pol, entry, table + i, bydst) {
				if (pol->type != type)
					continue;
				if (last) {
					error = func(last, last_dir % XFRM_POLICY_MAX,
						     count, data);
					if (error)
						goto out;
				}
				last = pol;
				last_dir = dir;
				count++;
			}
		}
	}
	if (count == 0) {
		error = -ENOENT;
		goto out;
	}
	error = func(last, last_dir % XFRM_POLICY_MAX, 0, data);
out:
	read_unlock_bh(&xfrm_policy_lock);
	return error;
}
EXPORT_SYMBOL(xfrm_policy_walk);

/*
 * Find policy to apply to this flow.
 *
 * Returns 0 if policy found, else an -errno.
 */
static int xfrm_policy_match(struct xfrm_policy *pol, struct flowi *fl,
			     u8 type, u16 family, int dir)
{
	struct xfrm_selector *sel = &pol->selector;
	int match, ret = -ESRCH;

	if (pol->family != family ||
	    pol->type != type)
		return ret;

	match = xfrm_selector_match(sel, fl, family);
	if (match)
		ret = security_xfrm_policy_lookup(pol, fl->secid, dir);

	return ret;
}

static struct xfrm_policy *xfrm_policy_lookup_bytype(u8 type, struct flowi *fl,
						     u16 family, u8 dir)
{
	int err;
	struct xfrm_policy *pol, *ret;
	xfrm_address_t *daddr, *saddr;
	struct hlist_node *entry;
	struct hlist_head *chain;
	u32 priority = ~0U;

	daddr = xfrm_flowi_daddr(fl, family);
	saddr = xfrm_flowi_saddr(fl, family);
	if (unlikely(!daddr || !saddr))
		return NULL;

	read_lock_bh(&xfrm_policy_lock);
	chain = policy_hash_direct(daddr, saddr, family, dir);
	ret = NULL;
	hlist_for_each_entry(pol, entry, chain, bydst) {
		err = xfrm_policy_match(pol, fl, type, family, dir);
		if (err) {
			if (err == -ESRCH)
				continue;
			else {
				ret = ERR_PTR(err);
				goto fail;
			}
		} else {
			ret = pol;
			priority = ret->priority;
			break;
		}
	}
	chain = &xfrm_policy_inexact[dir];
	hlist_for_each_entry(pol, entry, chain, bydst) {
		err = xfrm_policy_match(pol, fl, type, family, dir);
		if (err) {
			if (err == -ESRCH)
				continue;
			else {
				ret = ERR_PTR(err);
				goto fail;
			}
		} else if (pol->priority < priority) {
			ret = pol;
			break;
		}
	}
	if (ret)
		xfrm_pol_hold(ret);
fail:
	read_unlock_bh(&xfrm_policy_lock);

	return ret;
}
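/* Annotation (editor's note, not in the original source): both chains
 * are kept sorted by ascending priority value (see the insertion
 * logic in xfrm_policy_insert), so the first selector match in a
 * chain is also the best match in that chain. The hashed exact chain
 * is searched first; the inexact chain can then only win with a
 * strictly lower (i.e. stronger) priority number. Example: an
 * exact-host policy with priority 200 loses to a matching wildcard
 * policy with priority 100.
 */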
static int xfrm_policy_lookup(struct flowi *fl, u16 family, u8 dir,
			      void **objp, atomic_t **obj_refp)
{
	struct xfrm_policy *pol;
	int err = 0;

#ifdef CONFIG_XFRM_SUB_POLICY
	pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_SUB, fl, family, dir);
	if (IS_ERR(pol)) {
		err = PTR_ERR(pol);
		pol = NULL;
	}
	if (pol || err)
		goto end;
#endif
	pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN, fl, family, dir);
	if (IS_ERR(pol)) {
		err = PTR_ERR(pol);
		pol = NULL;
	}
#ifdef CONFIG_XFRM_SUB_POLICY
end:
#endif
	if ((*objp = (void *) pol) != NULL)
		*obj_refp = &pol->refcnt;
	return err;
}

static inline int policy_to_flow_dir(int dir)
{
	if (XFRM_POLICY_IN == FLOW_DIR_IN &&
	    XFRM_POLICY_OUT == FLOW_DIR_OUT &&
	    XFRM_POLICY_FWD == FLOW_DIR_FWD)
		return dir;
	switch (dir) {
	default:
	case XFRM_POLICY_IN:
		return FLOW_DIR_IN;
	case XFRM_POLICY_OUT:
		return FLOW_DIR_OUT;
	case XFRM_POLICY_FWD:
		return FLOW_DIR_FWD;
	}
}

static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl)
{
	struct xfrm_policy *pol;

	read_lock_bh(&xfrm_policy_lock);
	if ((pol = sk->sk_policy[dir]) != NULL) {
		int match = xfrm_selector_match(&pol->selector, fl,
						sk->sk_family);
		int err = 0;

		if (match) {
			err = security_xfrm_policy_lookup(pol, fl->secid,
							  policy_to_flow_dir(dir));
			if (!err)
				xfrm_pol_hold(pol);
			else if (err == -ESRCH)
				pol = NULL;
			else
				pol = ERR_PTR(err);
		} else
			pol = NULL;
	}
	read_unlock_bh(&xfrm_policy_lock);
	return pol;
}

static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
{
	struct hlist_head *chain = policy_hash_bysel(&pol->selector,
						     pol->family, dir);

	hlist_add_head(&pol->bydst, chain);
	hlist_add_head(&pol->byidx, xfrm_policy_byidx+idx_hash(pol->index));
	xfrm_policy_count[dir]++;
	xfrm_pol_hold(pol);

	if (xfrm_bydst_should_resize(dir, NULL))
		schedule_work(&xfrm_hash_work);
}

static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
						int dir)
{
	if (hlist_unhashed(&pol->bydst))
		return NULL;

	hlist_del(&pol->bydst);
	hlist_del(&pol->byidx);
	xfrm_policy_count[dir]--;

	return pol;
}

int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
{
	write_lock_bh(&xfrm_policy_lock);
	pol = __xfrm_policy_unlink(pol, dir);
	write_unlock_bh(&xfrm_policy_lock);
	if (pol) {
		if (dir < XFRM_POLICY_MAX)
			atomic_inc(&flow_cache_genid);
		xfrm_policy_kill(pol);
		return 0;
	}
	return -ENOENT;
}
EXPORT_SYMBOL(xfrm_policy_delete);

int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
{
	struct xfrm_policy *old_pol;

#ifdef CONFIG_XFRM_SUB_POLICY
	if (pol && pol->type != XFRM_POLICY_TYPE_MAIN)
		return -EINVAL;
#endif

	write_lock_bh(&xfrm_policy_lock);
	old_pol = sk->sk_policy[dir];
	sk->sk_policy[dir] = pol;
	if (pol) {
		pol->curlft.add_time = get_seconds();
		pol->index = xfrm_gen_index(pol->type, XFRM_POLICY_MAX+dir);
		__xfrm_policy_link(pol, XFRM_POLICY_MAX+dir);
	}
	if (old_pol)
		__xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
	write_unlock_bh(&xfrm_policy_lock);

	if (old_pol) {
		xfrm_policy_kill(old_pol);
	}
	return 0;
}

static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir)
{
	struct xfrm_policy *newp = xfrm_policy_alloc(GFP_ATOMIC);

	if (newp) {
		newp->selector = old->selector;
		if (security_xfrm_policy_clone(old, newp)) {
			kfree(newp);
			return NULL;	/* ENOMEM */
		}
		newp->lft = old->lft;
		newp->curlft = old->curlft;
		newp->action = old->action;
		newp->flags = old->flags;
		newp->xfrm_nr = old->xfrm_nr;
		newp->index = old->index;
		newp->type = old->type;
		memcpy(newp->xfrm_vec, old->xfrm_vec,
		       newp->xfrm_nr*sizeof(struct xfrm_tmpl));
		write_lock_bh(&xfrm_policy_lock);
		__xfrm_policy_link(newp, XFRM_POLICY_MAX+dir);
		write_unlock_bh(&xfrm_policy_lock);
		xfrm_pol_put(newp);
	}
	return newp;
}

int __xfrm_sk_clone_policy(struct sock *sk)
{
	struct xfrm_policy *p0 = sk->sk_policy[0],
			   *p1 = sk->sk_policy[1];

	sk->sk_policy[0] = sk->sk_policy[1] = NULL;
	if (p0 && (sk->sk_policy[0] = clone_policy(p0, 0)) == NULL)
		return -ENOMEM;
	if (p1 && (sk->sk_policy[1] = clone_policy(p1, 1)) == NULL)
		return -ENOMEM;
	return 0;
}
static int
xfrm_get_saddr(xfrm_address_t *local, xfrm_address_t *remote,
	       unsigned short family)
{
	int err;
	struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);

	if (unlikely(afinfo == NULL))
		return -EINVAL;
	err = afinfo->get_saddr(local, remote);
	xfrm_policy_put_afinfo(afinfo);
	return err;
}

/* Resolve list of templates for the flow, given policy. */

static int
xfrm_tmpl_resolve_one(struct xfrm_policy *policy, struct flowi *fl,
		      struct xfrm_state **xfrm,
		      unsigned short family)
{
	int nx;
	int i, error;
	xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
	xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
	xfrm_address_t tmp;

	for (nx=0, i = 0; i < policy->xfrm_nr; i++) {
		struct xfrm_state *x;
		xfrm_address_t *remote = daddr;
		xfrm_address_t *local  = saddr;
		struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];

		if (tmpl->mode == XFRM_MODE_TUNNEL ||
		    tmpl->mode == XFRM_MODE_BEET) {
			remote = &tmpl->id.daddr;
			local = &tmpl->saddr;
			family = tmpl->encap_family;
			if (xfrm_addr_any(local, family)) {
				error = xfrm_get_saddr(&tmp, remote, family);
				if (error)
					goto fail;
				local = &tmp;
			}
		}

		x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);

		if (x && x->km.state == XFRM_STATE_VALID) {
			xfrm[nx++] = x;
			daddr = remote;
			saddr = local;
			continue;
		}
		if (x) {
			error = (x->km.state == XFRM_STATE_ERROR ?
				 -EINVAL : -EAGAIN);
			xfrm_state_put(x);
		}

		if (!tmpl->optional)
			goto fail;
	}
	return nx;

fail:
	for (nx--; nx>=0; nx--)
		xfrm_state_put(xfrm[nx]);
	return error;
}

static int
xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl,
		  struct xfrm_state **xfrm,
		  unsigned short family)
{
	struct xfrm_state *tp[XFRM_MAX_DEPTH];
	struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
	int cnx = 0;
	int error;
	int ret;
	int i;

	for (i = 0; i < npols; i++) {
		if (cnx + pols[i]->xfrm_nr >= XFRM_MAX_DEPTH) {
			error = -ENOBUFS;
			goto fail;
		}

		ret = xfrm_tmpl_resolve_one(pols[i], fl, &tpp[cnx], family);
		if (ret < 0) {
			error = ret;
			goto fail;
		} else
			cnx += ret;
	}

	/* found states are sorted for outbound processing */
	if (npols > 1)
		xfrm_state_sort(xfrm, tpp, cnx, family);

	return cnx;

 fail:
	for (cnx--; cnx>=0; cnx--)
		xfrm_state_put(tpp[cnx]);
	return error;

}

/* Check that the bundle accepts the flow and its components are
 * still valid.
 */

static struct dst_entry *
xfrm_find_bundle(struct flowi *fl, struct xfrm_policy *policy, unsigned short family)
{
	struct dst_entry *x;
	struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
	if (unlikely(afinfo == NULL))
		return ERR_PTR(-EINVAL);
	x = afinfo->find_bundle(fl, policy);
	xfrm_policy_put_afinfo(afinfo);
	return x;
}
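/* Annotation (editor's note, not in the original source): in
 * xfrm_tmpl_resolve_one() the endpoint pair "moves outward" as
 * templates resolve. A transport-mode template keeps the flow's own
 * addresses; a tunnel/BEET template substitutes its tunnel endpoints
 * (looking the source up via xfrm_get_saddr() when the template
 * leaves it wildcarded), and the next iteration then resolves against
 * those outer addresses.
 */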
/* Allocate chain of dst_entry's, attach known xfrm's, calculate
 * all the metrics... Shortly, bundle a bundle.
 */

static int
xfrm_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int nx,
		   struct flowi *fl, struct dst_entry **dst_p,
		   unsigned short family)
{
	int err;
	struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
	if (unlikely(afinfo == NULL))
		return -EINVAL;
	err = afinfo->bundle_create(policy, xfrm, nx, fl, dst_p);
	xfrm_policy_put_afinfo(afinfo);
	return err;
}

static inline int
xfrm_dst_alloc_copy(void **target, void *src, int size)
{
	if (!*target) {
		*target = kmalloc(size, GFP_ATOMIC);
		if (!*target)
			return -ENOMEM;
	}
	memcpy(*target, src, size);
	return 0;
}

static inline int
xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
{
#ifdef CONFIG_XFRM_SUB_POLICY
	struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
	return xfrm_dst_alloc_copy((void **)&(xdst->partner),
				   sel, sizeof(*sel));
#else
	return 0;
#endif
}

static inline int
xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
{
#ifdef CONFIG_XFRM_SUB_POLICY
	struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
	return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl));
#else
	return 0;
#endif
}

static int stale_bundle(struct dst_entry *dst);

/* Main function: finds/creates a bundle for given flow.
 *
 * At the moment we eat a raw IP route. Mostly to speed up lookups
 * on interfaces with disabled IPsec.
 */
int __xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
		  struct sock *sk, int flags)
{
	struct xfrm_policy *policy;
	struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
	int npols;
	int pol_dead;
	int xfrm_nr;
	int pi;
	struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
	struct dst_entry *dst, *dst_orig = *dst_p;
	int nx = 0;
	int err;
	u32 genid;
	u16 family;
	u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);

restart:
	genid = atomic_read(&flow_cache_genid);
	policy = NULL;
	for (pi = 0; pi < ARRAY_SIZE(pols); pi++)
		pols[pi] = NULL;
	npols = 0;
	pol_dead = 0;
	xfrm_nr = 0;

	if (sk && sk->sk_policy[1]) {
		policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
		if (IS_ERR(policy))
			return PTR_ERR(policy);
	}

	if (!policy) {
		/* To accelerate a bit...  */
		if ((dst_orig->flags & DST_NOXFRM) ||
		    !xfrm_policy_count[XFRM_POLICY_OUT])
			return 0;

		policy = flow_cache_lookup(fl, dst_orig->ops->family,
					   dir, xfrm_policy_lookup);
		if (IS_ERR(policy))
			return PTR_ERR(policy);
	}

	if (!policy)
		return 0;

	family = dst_orig->ops->family;
	policy->curlft.use_time = get_seconds();
	pols[0] = policy;
	npols ++;
	xfrm_nr += pols[0]->xfrm_nr;

	switch (policy->action) {
	case XFRM_POLICY_BLOCK:
		/* Prohibit the flow */
		err = -EPERM;
		goto error;

	case XFRM_POLICY_ALLOW:
#ifndef CONFIG_XFRM_SUB_POLICY
		if (policy->xfrm_nr == 0) {
			/* Flow passes not transformed. */
			xfrm_pol_put(policy);
			return 0;
		}
#endif
		/* Try to find matching bundle.
		 *
		 * LATER: help from flow cache. It is optional, this
		 * is required only for output policy.
		 */
		dst = xfrm_find_bundle(fl, policy, family);
		if (IS_ERR(dst)) {
			err = PTR_ERR(dst);
			goto error;
		}

		if (dst)
			break;

#ifdef CONFIG_XFRM_SUB_POLICY
		if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
			pols[1] = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN,
							    fl, family,
							    XFRM_POLICY_OUT);
			if (pols[1]) {
				if (IS_ERR(pols[1])) {
					err = PTR_ERR(pols[1]);
					goto error;
				}
				if (pols[1]->action == XFRM_POLICY_BLOCK) {
					err = -EPERM;
					goto error;
				}
				npols ++;
				xfrm_nr += pols[1]->xfrm_nr;
			}
		}

		/*
		 * Neither flowi nor bundle information knows about the
		 * transformation template size, so when more than one
		 * policy is in use we can only tell whether all of them
		 * are bypass once they have all been searched. Note that
		 * the not-transformed bypass above is likewise guarded by
		 * the non-sub-policy configuration.
		 */
		if (xfrm_nr == 0) {
			/* Flow passes not transformed. */
			xfrm_pols_put(pols, npols);
			return 0;
		}

#endif
		nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family);

		if (unlikely(nx<0)) {
			err = nx;
			if (err == -EAGAIN && sysctl_xfrm_larval_drop) {
				/* EREMOTE tells the caller to generate
				 * a one-shot blackhole route.
				 */
				xfrm_pol_put(policy);
				return -EREMOTE;
			}
			if (err == -EAGAIN && flags) {
				DECLARE_WAITQUEUE(wait, current);

				add_wait_queue(&km_waitq, &wait);
				set_current_state(TASK_INTERRUPTIBLE);
				schedule();
				set_current_state(TASK_RUNNING);
				remove_wait_queue(&km_waitq, &wait);

				nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family);

				if (nx == -EAGAIN && signal_pending(current)) {
					err = -ERESTART;
					goto error;
				}
				if (nx == -EAGAIN ||
				    genid != atomic_read(&flow_cache_genid)) {
					xfrm_pols_put(pols, npols);
					goto restart;
				}
				err = nx;
			}
			if (err < 0)
				goto error;
		}
		if (nx == 0) {
			/* Flow passes not transformed. */
			xfrm_pols_put(pols, npols);
			return 0;
		}

		dst = dst_orig;
		err = xfrm_bundle_create(policy, xfrm, nx, fl, &dst, family);

		if (unlikely(err)) {
			int i;
			for (i=0; i<nx; i++)
				xfrm_state_put(xfrm[i]);
			goto error;
		}

		for (pi = 0; pi < npols; pi++) {
			read_lock_bh(&pols[pi]->lock);
			pol_dead |= pols[pi]->dead;
			read_unlock_bh(&pols[pi]->lock);
		}

		write_lock_bh(&policy->lock);
		if (unlikely(pol_dead || stale_bundle(dst))) {
			/* Wow! While we worked on resolving, this
			 * policy has gone. Retry. It is not paranoia,
			 * we just cannot enlist a new bundle on a dead
			 * object. We can't enlist stale bundles either.
			 */
			write_unlock_bh(&policy->lock);
			if (dst)
				dst_free(dst);

			err = -EHOSTUNREACH;
			goto error;
		}

		if (npols > 1)
			err = xfrm_dst_update_parent(dst, &pols[1]->selector);
		else
			err = xfrm_dst_update_origin(dst, fl);
		if (unlikely(err)) {
			write_unlock_bh(&policy->lock);
			if (dst)
				dst_free(dst);
			goto error;
		}

		dst->next = policy->bundles;
		policy->bundles = dst;
		dst_hold(dst);
		write_unlock_bh(&policy->lock);
	}
	*dst_p = dst;
	dst_release(dst_orig);
	xfrm_pols_put(pols, npols);
	return 0;

error:
	dst_release(dst_orig);
	xfrm_pols_put(pols, npols);
	*dst_p = NULL;
	return err;
}
EXPORT_SYMBOL(__xfrm_lookup);

int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
		struct sock *sk, int flags)
{
	int err = __xfrm_lookup(dst_p, fl, sk, flags);

	if (err == -EREMOTE) {
		dst_release(*dst_p);
		*dst_p = NULL;
		err = -EAGAIN;
	}

	return err;
}
EXPORT_SYMBOL(xfrm_lookup);

static inline int
xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl)
{
	struct xfrm_state *x;
	int err;

	if (!skb->sp || idx < 0 || idx >= skb->sp->len)
		return 0;
	x = skb->sp->xvec[idx];
	if (!x->type->reject)
		return 0;
	xfrm_state_hold(x);
	err = x->type->reject(x, skb, fl);
	xfrm_state_put(x);
	return err;
}

/* When skb is transformed back to its "native" form, we have to
 * check policy restrictions. At the moment we do this in a maximally
 * stupid way. Shame on me. :-) Of course, connected sockets must
 * have policy cached at them.
 */

static inline int
xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
	      unsigned short family)
{
	if (xfrm_state_kern(x))
		return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family);
	return	x->id.proto == tmpl->id.proto &&
		(x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
		(x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
		x->props.mode == tmpl->mode &&
		((tmpl->aalgos & (1<<x->props.aalgo)) ||
		 !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
		!(x->props.mode != XFRM_MODE_TRANSPORT &&
		  xfrm_state_addr_cmp(tmpl, x, family));
}
/*
 * 0 or a positive value is returned when validation succeeds (either a
 * bypass because of an optional transport-mode template, or the next
 * index past the secpath state matched against the template).
 * -1 is returned when no matching template is found.
 * Otherwise "-2 - errored_index" is returned.
 */
static inline int
xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
	       unsigned short family)
{
	int idx = start;

	if (tmpl->optional) {
		if (tmpl->mode == XFRM_MODE_TRANSPORT)
			return start;
	} else
		start = -1;
	for (; idx < sp->len; idx++) {
		if (xfrm_state_ok(tmpl, sp->xvec[idx], family))
			return ++idx;
		if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
			if (start == -1)
				start = -2-idx;
			break;
		}
	}
	return start;
}
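/* Annotation (editor's note, not in the original source): a worked
 * example of the return convention above. With a mandatory template
 * and a secpath whose state at index 0 matches, the function returns
 * 1 (the next index to scan). If instead the state at index 0 is an
 * unmatched tunnel-mode state, it returns -2 - 0 == -2, which
 * __xfrm_policy_check() below decodes back to errored index 0 via
 * xerr_idx = -(2 + k) before rejecting the packet.
 */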
int
xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
{
	struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
	int err;

	if (unlikely(afinfo == NULL))
		return -EAFNOSUPPORT;

	afinfo->decode_session(skb, fl);
	err = security_xfrm_decode_session(skb, &fl->secid);
	xfrm_policy_put_afinfo(afinfo);
	return err;
}
EXPORT_SYMBOL(xfrm_decode_session);

static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp)
{
	for (; k < sp->len; k++) {
		if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
			*idxp = k;
			return 1;
		}
	}

	return 0;
}

int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
			unsigned short family)
{
	struct xfrm_policy *pol;
	struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
	int npols = 0;
	int xfrm_nr;
	int pi;
	struct flowi fl;
	u8 fl_dir = policy_to_flow_dir(dir);
	int xerr_idx = -1;

	if (xfrm_decode_session(skb, &fl, family) < 0)
		return 0;
	nf_nat_decode_session(skb, &fl, family);

	/* First, check used SA against their selectors. */
	if (skb->sp) {
		int i;

		for (i=skb->sp->len-1; i>=0; i--) {
			struct xfrm_state *x = skb->sp->xvec[i];
			if (!xfrm_selector_match(&x->sel, &fl, family))
				return 0;
		}
	}

	pol = NULL;
	if (sk && sk->sk_policy[dir]) {
		pol = xfrm_sk_policy_lookup(sk, dir, &fl);
		if (IS_ERR(pol))
			return 0;
	}

	if (!pol)
		pol = flow_cache_lookup(&fl, family, fl_dir,
					xfrm_policy_lookup);

	if (IS_ERR(pol))
		return 0;

	if (!pol) {
		if (skb->sp && secpath_has_nontransport(skb->sp, 0, &xerr_idx)) {
			xfrm_secpath_reject(xerr_idx, skb, &fl);
			return 0;
		}
		return 1;
	}

	pol->curlft.use_time = get_seconds();

	pols[0] = pol;
	npols ++;
#ifdef CONFIG_XFRM_SUB_POLICY
	if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
		pols[1] = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN,
						    &fl, family,
						    XFRM_POLICY_IN);
		if (pols[1]) {
			if (IS_ERR(pols[1]))
				return 0;
			pols[1]->curlft.use_time = get_seconds();
			npols ++;
		}
	}
#endif

	if (pol->action == XFRM_POLICY_ALLOW) {
		struct sec_path *sp;
		static struct sec_path dummy;
		struct xfrm_tmpl *tp[XFRM_MAX_DEPTH];
		struct xfrm_tmpl *stp[XFRM_MAX_DEPTH];
		struct xfrm_tmpl **tpp = tp;
		int ti = 0;
		int i, k;

		if ((sp = skb->sp) == NULL)
			sp = &dummy;

		for (pi = 0; pi < npols; pi++) {
			if (pols[pi] != pol &&
			    pols[pi]->action != XFRM_POLICY_ALLOW)
				goto reject;
			if (ti + pols[pi]->xfrm_nr >= XFRM_MAX_DEPTH)
				goto reject_error;
			for (i = 0; i < pols[pi]->xfrm_nr; i++)
				tpp[ti++] = &pols[pi]->xfrm_vec[i];
		}
		xfrm_nr = ti;
		if (npols > 1) {
			xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
			tpp = stp;
		}

		/* For each tunnel xfrm, find the first matching tmpl.
		 * For each tmpl before that, find corresponding xfrm.
		 * Order is _important_. Later we will implement some
		 * barriers, but at the moment barriers are implied
		 * between each two transformations.
		 */
		for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
			k = xfrm_policy_ok(tpp[i], sp, k, family);
			if (k < 0) {
				if (k < -1)
					/* "-2 - errored_index" returned */
					xerr_idx = -(2+k);
				goto reject;
			}
		}

		if (secpath_has_nontransport(sp, k, &xerr_idx))
			goto reject;

		xfrm_pols_put(pols, npols);
		return 1;
	}

reject:
	xfrm_secpath_reject(xerr_idx, skb, &fl);
reject_error:
	xfrm_pols_put(pols, npols);
	return 0;
}
EXPORT_SYMBOL(__xfrm_policy_check);

int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
{
	struct flowi fl;

	if (xfrm_decode_session(skb, &fl, family) < 0)
		return 0;

	return xfrm_lookup(&skb->dst, &fl, NULL, 0) == 0;
}
EXPORT_SYMBOL(__xfrm_route_forward);

/* Optimize later using cookies and generation ids. */

static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
{
	/* Code (such as __xfrm4_bundle_create()) sets dst->obsolete
	 * to "-1" to force all XFRM destinations to get validated by
	 * dst_ops->check on every use.  We do this because when a
	 * normal route referenced by an XFRM dst is obsoleted we do
	 * not go looking around for all parent referencing XFRM dsts
	 * so that we can invalidate them.  It is just too much work.
	 * Instead we make the checks here on every use.  For example:
	 *
	 *	XFRM dst A --> IPv4 dst X
	 *
	 * X is the "xdst->route" of A (X is also the "dst->path" of A
	 * in this example).  If X is marked obsolete, "A" will not
	 * notice.  That's what we are validating here via the
	 * stale_bundle() check.
	 *
	 * When a policy's bundle is pruned, we dst_free() the XFRM
	 * dst which causes its ->obsolete field to be set to a
	 * positive non-zero integer.  If an XFRM dst has been pruned
	 * like this, we want to force a new route lookup.
	 */
	if (dst->obsolete < 0 && !stale_bundle(dst))
		return dst;

	return NULL;
}

static int stale_bundle(struct dst_entry *dst)
{
	return !xfrm_bundle_ok(NULL, (struct xfrm_dst *)dst, NULL, AF_UNSPEC, 0);
}

void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
{
	while ((dst = dst->child) && dst->xfrm && dst->dev == dev) {
		dst->dev = &loopback_dev;
		dev_hold(&loopback_dev);
		dev_put(dev);
	}
}
EXPORT_SYMBOL(xfrm_dst_ifdown);

static void xfrm_link_failure(struct sk_buff *skb)
{
	/* Impossible. Such dst must be popped before it reaches the
	 * point of failure. */
	return;
}

static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
{
	if (dst) {
		if (dst->obsolete) {
			dst_release(dst);
			dst = NULL;
		}
	}
	return dst;
}

static void prune_one_bundle(struct xfrm_policy *pol, int (*func)(struct dst_entry *), struct dst_entry **gc_list_p)
{
	struct dst_entry *dst, **dstp;

	write_lock(&pol->lock);
	dstp = &pol->bundles;
	while ((dst=*dstp) != NULL) {
		if (func(dst)) {
			*dstp = dst->next;
			dst->next = *gc_list_p;
			*gc_list_p = dst;
		} else {
			dstp = &dst->next;
		}
	}
	write_unlock(&pol->lock);
}

static void xfrm_prune_bundles(int (*func)(struct dst_entry *))
{
	struct dst_entry *gc_list = NULL;
	int dir;

	read_lock_bh(&xfrm_policy_lock);
	for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
		struct xfrm_policy *pol;
		struct hlist_node *entry;
		struct hlist_head *table;
		int i;

		hlist_for_each_entry(pol, entry,
				     &xfrm_policy_inexact[dir], bydst)
			prune_one_bundle(pol, func, &gc_list);

		table = xfrm_policy_bydst[dir].table;
		for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
			hlist_for_each_entry(pol, entry, table + i, bydst)
				prune_one_bundle(pol, func, &gc_list);
		}
	}
	read_unlock_bh(&xfrm_policy_lock);

	while (gc_list) {
		struct dst_entry *dst = gc_list;
		gc_list = dst->next;
		dst_free(dst);
	}
}

static int unused_bundle(struct dst_entry *dst)
{
	return !atomic_read(&dst->__refcnt);
}

static void __xfrm_garbage_collect(void)
{
	xfrm_prune_bundles(unused_bundle);
}

static int xfrm_flush_bundles(void)
{
	xfrm_prune_bundles(stale_bundle);
	return 0;
}

void xfrm_init_pmtu(struct dst_entry *dst)
{
	do {
		struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
		u32 pmtu, route_mtu_cached;

		pmtu = dst_mtu(dst->child);
		xdst->child_mtu_cached = pmtu;

		pmtu = xfrm_state_mtu(dst->xfrm, pmtu);

		route_mtu_cached = dst_mtu(xdst->route);
		xdst->route_mtu_cached = route_mtu_cached;

		if (pmtu > route_mtu_cached)
			pmtu = route_mtu_cached;

		dst->metrics[RTAX_MTU-1] = pmtu;
	} while ((dst = dst->next));
}

EXPORT_SYMBOL(xfrm_init_pmtu);
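/* Annotation (editor's note, not in the original source): a worked
 * MTU example. Suppose the inner child dst reports an MTU of 1500
 * and ESP tunnel-mode overhead makes xfrm_state_mtu() return 1438;
 * if the cached route MTU is 1500, the bundle entry advertises
 * min(1438, 1500) == 1438. The exact overhead depends on the
 * algorithms in use, so these numbers are illustrative only.
 * xfrm_bundle_ok() below redoes the same propagation whenever a
 * cached MTU is seen to have changed.
 */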
/* Check that the bundle accepts the flow and its components are
 * still valid.
 */

int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
		   struct flowi *fl, int family, int strict)
{
	struct dst_entry *dst = &first->u.dst;
	struct xfrm_dst *last;
	u32 mtu;

	if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
	    (dst->dev && !netif_running(dst->dev)))
		return 0;
#ifdef CONFIG_XFRM_SUB_POLICY
	if (fl) {
		if (first->origin && !flow_cache_uli_match(first->origin, fl))
			return 0;
		if (first->partner &&
		    !xfrm_selector_match(first->partner, fl, family))
			return 0;
	}
#endif

	last = NULL;

	do {
		struct xfrm_dst *xdst = (struct xfrm_dst *)dst;

		if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
			return 0;
		if (fl && pol &&
		    !security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl))
			return 0;
		if (dst->xfrm->km.state != XFRM_STATE_VALID)
			return 0;
		if (xdst->genid != dst->xfrm->genid)
			return 0;

		if (strict && fl && dst->xfrm->props.mode != XFRM_MODE_TUNNEL &&
		    !xfrm_state_addr_flow_check(dst->xfrm, fl, family))
			return 0;

		mtu = dst_mtu(dst->child);
		if (xdst->child_mtu_cached != mtu) {
			last = xdst;
			xdst->child_mtu_cached = mtu;
		}

		if (!dst_check(xdst->route, xdst->route_cookie))
			return 0;
		mtu = dst_mtu(xdst->route);
		if (xdst->route_mtu_cached != mtu) {
			last = xdst;
			xdst->route_mtu_cached = mtu;
		}

		dst = dst->child;
	} while (dst->xfrm);

	if (likely(!last))
		return 1;

	mtu = last->child_mtu_cached;
	for (;;) {
		dst = &last->u.dst;

		mtu = xfrm_state_mtu(dst->xfrm, mtu);
		if (mtu > last->route_mtu_cached)
			mtu = last->route_mtu_cached;
		dst->metrics[RTAX_MTU-1] = mtu;

		if (last == first)
			break;

		last = (struct xfrm_dst *)last->u.dst.next;
		last->child_mtu_cached = mtu;
	}

	return 1;
}

EXPORT_SYMBOL(xfrm_bundle_ok);
#ifdef CONFIG_AUDITSYSCALL
/* Audit the addition and deletion of SAs and IPsec policies. */

void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
		    struct xfrm_policy *xp, struct xfrm_state *x)
{
	char *secctx;
	u32 secctx_len;
	struct xfrm_sec_ctx *sctx = NULL;
	struct audit_buffer *audit_buf;
	int family;
	extern int audit_enabled;

	if (audit_enabled == 0)
		return;

	BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
		type == AUDIT_MAC_IPSEC_DELSA) && !x);
	BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
		type == AUDIT_MAC_IPSEC_DELSPD) && !xp);

	audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
	if (audit_buf == NULL)
		return;

	switch (type) {
	case AUDIT_MAC_IPSEC_ADDSA:
		audit_log_format(audit_buf, "SAD add: auid=%u", auid);
		break;
	case AUDIT_MAC_IPSEC_DELSA:
		audit_log_format(audit_buf, "SAD delete: auid=%u", auid);
		break;
	case AUDIT_MAC_IPSEC_ADDSPD:
		audit_log_format(audit_buf, "SPD add: auid=%u", auid);
		break;
	case AUDIT_MAC_IPSEC_DELSPD:
		audit_log_format(audit_buf, "SPD delete: auid=%u", auid);
		break;
	default:
		return;
	}

	if (sid != 0 &&
	    security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
		audit_log_format(audit_buf, " subj=%s", secctx);
		security_release_secctx(secctx, secctx_len);
	} else
		audit_log_task_context(audit_buf);

	if (xp) {
		family = xp->selector.family;
		if (xp->security)
			sctx = xp->security;
	} else {
		family = x->props.family;
		if (x->security)
			sctx = x->security;
	}

	if (sctx)
		audit_log_format(audit_buf,
				 " sec_alg=%u sec_doi=%u sec_obj=%s",
				 sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str);

	switch (family) {
	case AF_INET:
		{
			struct in_addr saddr, daddr;
			if (xp) {
				saddr.s_addr = xp->selector.saddr.a4;
				daddr.s_addr = xp->selector.daddr.a4;
			} else {
				saddr.s_addr = x->props.saddr.a4;
				daddr.s_addr = x->id.daddr.a4;
			}
			audit_log_format(audit_buf,
					 " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
					 NIPQUAD(saddr), NIPQUAD(daddr));
		}
		break;
	case AF_INET6:
		{
			struct in6_addr saddr6, daddr6;
			if (xp) {
				memcpy(&saddr6, xp->selector.saddr.a6,
				       sizeof(struct in6_addr));
				memcpy(&daddr6, xp->selector.daddr.a6,
				       sizeof(struct in6_addr));
			} else {
				memcpy(&saddr6, x->props.saddr.a6,
				       sizeof(struct in6_addr));
				memcpy(&daddr6, x->id.daddr.a6,
				       sizeof(struct in6_addr));
			}
			audit_log_format(audit_buf,
					 " src=" NIP6_FMT " dst=" NIP6_FMT,
					 NIP6(saddr6), NIP6(daddr6));
		}
		break;
	}

	if (x)
		audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s",
				 (unsigned long)ntohl(x->id.spi),
				 (unsigned long)ntohl(x->id.spi),
				 x->id.proto == IPPROTO_AH ? "AH" :
				 (x->id.proto == IPPROTO_ESP ?
				  "ESP" : "IPCOMP"));

	audit_log_format(audit_buf, " res=%u", result);
	audit_log_end(audit_buf);
}

EXPORT_SYMBOL(xfrm_audit_log);
#endif /* CONFIG_AUDITSYSCALL */

int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
{
	int err = 0;
	if (unlikely(afinfo == NULL))
		return -EINVAL;
	if (unlikely(afinfo->family >= NPROTO))
		return -EAFNOSUPPORT;
	write_lock_bh(&xfrm_policy_afinfo_lock);
	if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL))
		err = -ENOBUFS;
	else {
		struct dst_ops *dst_ops = afinfo->dst_ops;
		if (likely(dst_ops->kmem_cachep == NULL))
			dst_ops->kmem_cachep = xfrm_dst_cache;
		if (likely(dst_ops->check == NULL))
			dst_ops->check = xfrm_dst_check;
		if (likely(dst_ops->negative_advice == NULL))
			dst_ops->negative_advice = xfrm_negative_advice;
		if (likely(dst_ops->link_failure == NULL))
			dst_ops->link_failure = xfrm_link_failure;
		if (likely(afinfo->garbage_collect == NULL))
			afinfo->garbage_collect = __xfrm_garbage_collect;
		xfrm_policy_afinfo[afinfo->family] = afinfo;
	}
	write_unlock_bh(&xfrm_policy_afinfo_lock);
	return err;
}
EXPORT_SYMBOL(xfrm_policy_register_afinfo);
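
/* Registration happens once per address family at initialization time.
 * A minimal sketch of the pattern, modelled on the IPv4 side
 * (xfrm4_policy.c); the real afinfo carries further per-family methods
 * not shown here:
 *
 *	static struct xfrm_policy_afinfo xfrm4_policy_afinfo = {
 *		.family		= AF_INET,
 *		.dst_ops	= &xfrm4_dst_ops,
 *		...
 *	};
 *
 *	xfrm_policy_register_afinfo(&xfrm4_policy_afinfo);
 *
 * Any dst_ops methods left NULL (check, negative_advice, link_failure)
 * and a NULL garbage_collect hook are filled in with the generic xfrm
 * handlers defined earlier in this file.
 */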
int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
{
	int err = 0;
	if (unlikely(afinfo == NULL))
		return -EINVAL;
	if (unlikely(afinfo->family >= NPROTO))
		return -EAFNOSUPPORT;
	write_lock_bh(&xfrm_policy_afinfo_lock);
	if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) {
		if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo))
			err = -EINVAL;
		else {
			struct dst_ops *dst_ops = afinfo->dst_ops;
			xfrm_policy_afinfo[afinfo->family] = NULL;
			dst_ops->kmem_cachep = NULL;
			dst_ops->check = NULL;
			dst_ops->negative_advice = NULL;
			dst_ops->link_failure = NULL;
			afinfo->garbage_collect = NULL;
		}
	}
	write_unlock_bh(&xfrm_policy_afinfo_lock);
	return err;
}
EXPORT_SYMBOL(xfrm_policy_unregister_afinfo);

static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)
{
	struct xfrm_policy_afinfo *afinfo;
	if (unlikely(family >= NPROTO))
		return NULL;
	read_lock(&xfrm_policy_afinfo_lock);
	afinfo = xfrm_policy_afinfo[family];
	if (unlikely(!afinfo))
		read_unlock(&xfrm_policy_afinfo_lock);
	return afinfo;
}

static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo)
{
	read_unlock(&xfrm_policy_afinfo_lock);
}

static struct xfrm_policy_afinfo *xfrm_policy_lock_afinfo(unsigned int family)
{
	struct xfrm_policy_afinfo *afinfo;
	if (unlikely(family >= NPROTO))
		return NULL;
	write_lock_bh(&xfrm_policy_afinfo_lock);
	afinfo = xfrm_policy_afinfo[family];
	if (unlikely(!afinfo))
		write_unlock_bh(&xfrm_policy_afinfo_lock);
	return afinfo;
}

static void xfrm_policy_unlock_afinfo(struct xfrm_policy_afinfo *afinfo)
{
	write_unlock_bh(&xfrm_policy_afinfo_lock);
}

static int xfrm_dev_event(struct notifier_block *this, unsigned long event,
			  void *ptr)
{
	switch (event) {
	case NETDEV_DOWN:
		xfrm_flush_bundles();
	}
	return NOTIFY_DONE;
}

static struct notifier_block xfrm_dev_notifier = {
	.notifier_call	= xfrm_dev_event,
	.next		= NULL,
	.priority	= 0,
};

static void __init xfrm_policy_init(void)
{
	unsigned int hmask, sz;
	int dir;

	xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache",
					   sizeof(struct xfrm_dst),
					   0, SLAB_HWCACHE_ALIGN|SLAB_PANIC,
					   NULL);

	hmask = 8 - 1;
	sz = (hmask+1) * sizeof(struct hlist_head);

	xfrm_policy_byidx = xfrm_hash_alloc(sz);
	xfrm_idx_hmask = hmask;
	if (!xfrm_policy_byidx)
		panic("XFRM: failed to allocate byidx hash\n");

	for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
		struct xfrm_policy_hash *htab;

		INIT_HLIST_HEAD(&xfrm_policy_inexact[dir]);

		htab = &xfrm_policy_bydst[dir];
		htab->table = xfrm_hash_alloc(sz);
		htab->hmask = hmask;
		if (!htab->table)
			panic("XFRM: failed to allocate bydst hash\n");
	}

	INIT_WORK(&xfrm_policy_gc_work, xfrm_policy_gc_task);
	register_netdevice_notifier(&xfrm_dev_notifier);
}

void __init xfrm_init(void)
{
	xfrm_state_init();
	xfrm_policy_init();
	xfrm_input_init();
}

#ifdef CONFIG_XFRM_MIGRATE
static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp,
				       struct xfrm_selector *sel_tgt)
{
	if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
		if (sel_tgt->family == sel_cmp->family &&
		    xfrm_addr_cmp(&sel_tgt->daddr, &sel_cmp->daddr,
				  sel_cmp->family) == 0 &&
		    xfrm_addr_cmp(&sel_tgt->saddr, &sel_cmp->saddr,
				  sel_cmp->family) == 0 &&
		    sel_tgt->prefixlen_d == sel_cmp->prefixlen_d &&
		    sel_tgt->prefixlen_s == sel_cmp->prefixlen_s) {
			return 1;
		}
	} else {
		if (memcmp(sel_tgt, sel_cmp, sizeof(*sel_tgt)) == 0) {
			return 1;
		}
	}
	return 0;
}
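
/* For instance (addresses purely illustrative), a migrate request whose
 * selector carries proto == IPSEC_ULPROTO_ANY and
 *
 *	192.0.2.0/24 -> 198.51.100.0/24
 *
 * matches any stored policy selector with the same family, prefixes and
 * prefix lengths; ports, ifindex and protocol are not compared in that
 * case.  With a concrete protocol the two selectors must instead be
 * identical byte for byte (the memcmp() above).
 */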
static struct xfrm_policy *xfrm_migrate_policy_find(struct xfrm_selector *sel,
						    u8 dir, u8 type)
{
	struct xfrm_policy *pol, *ret = NULL;
	struct hlist_node *entry;
	struct hlist_head *chain;
	u32 priority = ~0U;

	read_lock_bh(&xfrm_policy_lock);
	chain = policy_hash_direct(&sel->daddr, &sel->saddr, sel->family, dir);
	hlist_for_each_entry(pol, entry, chain, bydst) {
		if (xfrm_migrate_selector_match(sel, &pol->selector) &&
		    pol->type == type) {
			ret = pol;
			priority = ret->priority;
			break;
		}
	}
	chain = &xfrm_policy_inexact[dir];
	hlist_for_each_entry(pol, entry, chain, bydst) {
		if (xfrm_migrate_selector_match(sel, &pol->selector) &&
		    pol->type == type &&
		    pol->priority < priority) {
			ret = pol;
			break;
		}
	}

	if (ret)
		xfrm_pol_hold(ret);

	read_unlock_bh(&xfrm_policy_lock);

	return ret;
}

static int migrate_tmpl_match(struct xfrm_migrate *m, struct xfrm_tmpl *t)
{
	int match = 0;

	if (t->mode == m->mode && t->id.proto == m->proto &&
	    (m->reqid == 0 || t->reqid == m->reqid)) {
		switch (t->mode) {
		case XFRM_MODE_TUNNEL:
		case XFRM_MODE_BEET:
			if (xfrm_addr_cmp(&t->id.daddr, &m->old_daddr,
					  m->old_family) == 0 &&
			    xfrm_addr_cmp(&t->saddr, &m->old_saddr,
					  m->old_family) == 0) {
				match = 1;
			}
			break;
		case XFRM_MODE_TRANSPORT:
			/* In transport mode the template stores no IP
			 * addresses, so comparing mode and protocol is
			 * sufficient. */
			match = 1;
			break;
		default:
			break;
		}
	}
	return match;
}

/* Update the endpoint address(es) of the matching template(s). */
static int xfrm_policy_migrate(struct xfrm_policy *pol,
			       struct xfrm_migrate *m, int num_migrate)
{
	struct xfrm_migrate *mp;
	struct dst_entry *dst;
	int i, j, n = 0;

	write_lock_bh(&pol->lock);
	if (unlikely(pol->dead)) {
		/* target policy has been deleted */
		write_unlock_bh(&pol->lock);
		return -ENOENT;
	}

	for (i = 0; i < pol->xfrm_nr; i++) {
		for (j = 0, mp = m; j < num_migrate; j++, mp++) {
			if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i]))
				continue;
			n++;
			if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL)
				continue;
			/* update endpoints */
			memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr,
			       sizeof(pol->xfrm_vec[i].id.daddr));
			memcpy(&pol->xfrm_vec[i].saddr, &mp->new_saddr,
			       sizeof(pol->xfrm_vec[i].saddr));
			pol->xfrm_vec[i].encap_family = mp->new_family;
			/* flush bundles */
			while ((dst = pol->bundles) != NULL) {
				pol->bundles = dst->next;
				dst_free(dst);
			}
		}
	}

	write_unlock_bh(&pol->lock);

	if (!n)
		return -ENODATA;

	return 0;
}

static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate)
{
	int i, j;

	if (num_migrate < 1 || num_migrate > XFRM_MAX_DEPTH)
		return -EINVAL;

	for (i = 0; i < num_migrate; i++) {
		if ((xfrm_addr_cmp(&m[i].old_daddr, &m[i].new_daddr,
				   m[i].old_family) == 0) &&
		    (xfrm_addr_cmp(&m[i].old_saddr, &m[i].new_saddr,
				   m[i].old_family) == 0))
			return -EINVAL;
		if (xfrm_addr_any(&m[i].new_daddr, m[i].new_family) ||
		    xfrm_addr_any(&m[i].new_saddr, m[i].new_family))
			return -EINVAL;

		/* check for duplicated entries */
		for (j = i + 1; j < num_migrate; j++) {
			if (!memcmp(&m[i].old_daddr, &m[j].old_daddr,
				    sizeof(m[i].old_daddr)) &&
			    !memcmp(&m[i].old_saddr, &m[j].old_saddr,
				    sizeof(m[i].old_saddr)) &&
			    m[i].proto == m[j].proto &&
			    m[i].mode == m[j].mode &&
			    m[i].reqid == m[j].reqid &&
			    m[i].old_family == m[j].old_family)
				return -EINVAL;
		}
	}

	return 0;
}
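
/* xfrm_migrate_check() thus rejects an entry in which neither address
 * actually changes, an all-zero (wildcard) new address, and any pair of
 * entries naming the same old addresses, protocol, mode and reqid.  As
 * a well-formed single-entry list (addresses illustrative):
 *
 *	old = 203.0.113.1 -> 203.0.113.2
 *	new = 198.51.100.1 -> 198.51.100.2
 *	proto = IPPROTO_ESP, mode = XFRM_MODE_TUNNEL, reqid = 0
 */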
int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
		 struct xfrm_migrate *m, int num_migrate)
{
	int i, err, nx_cur = 0, nx_new = 0;
	struct xfrm_policy *pol = NULL;
	struct xfrm_state *x, *xc;
	struct xfrm_state *x_cur[XFRM_MAX_DEPTH];
	struct xfrm_state *x_new[XFRM_MAX_DEPTH];
	struct xfrm_migrate *mp;

	if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
		goto out;

	/* Stage 1 - find policy */
	if ((pol = xfrm_migrate_policy_find(sel, dir, type)) == NULL) {
		err = -ENOENT;
		goto out;
	}

	/* Stage 2 - find and update state(s) */
	for (i = 0, mp = m; i < num_migrate; i++, mp++) {
		if ((x = xfrm_migrate_state_find(mp))) {
			x_cur[nx_cur] = x;
			nx_cur++;
			if ((xc = xfrm_state_migrate(x, mp))) {
				x_new[nx_new] = xc;
				nx_new++;
			} else {
				err = -ENODATA;
				goto restore_state;
			}
		}
	}

	/* Stage 3 - update policy */
	if ((err = xfrm_policy_migrate(pol, m, num_migrate)) < 0)
		goto restore_state;

	/* Stage 4 - delete old state(s) */
	if (nx_cur) {
		xfrm_states_put(x_cur, nx_cur);
		xfrm_states_delete(x_cur, nx_cur);
	}

	/* Stage 5 - announce */
	km_migrate(sel, dir, type, m, num_migrate);

	xfrm_pol_put(pol);

	return 0;
out:
	return err;

restore_state:
	if (pol)
		xfrm_pol_put(pol);
	if (nx_cur)
		xfrm_states_put(x_cur, nx_cur);
	if (nx_new)
		xfrm_states_delete(x_new, nx_new);

	return err;
}
EXPORT_SYMBOL(xfrm_migrate);
#endif
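
/* A sketch of a caller, assuming a mobility daemon has asked (e.g. via
 * the XFRM_MSG_MIGRATE netlink message) to move the single entry shown
 * before xfrm_migrate() above; "sel" is the selector of the policy
 * whose tunnel endpoints are moving:
 *
 *	struct xfrm_migrate mig = { ... };	(filled in as above)
 *
 *	err = xfrm_migrate(&sel, XFRM_POLICY_OUT, XFRM_POLICY_TYPE_MAIN,
 *			   &mig, 1);
 *
 * On success the policy's templates, every matching state and any
 * cached bundles reference the new addresses, and km_migrate() has
 * notified the registered key managers.
 */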