[IPSEC]: Sync series - core changes

This patch provides the core functionality needed for sync events
for ipsec. Derived work of Krisztian KOVACS <hidden@balabit.hu>

Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>

3 files changed, 75 insertions, 1 deletions

diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 6e8880ea49e7..b686548f32e0 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -261,6 +261,8 @@ enum
         NET_CORE_DEV_WEIGHT=17,
         NET_CORE_SOMAXCONN=18,
         NET_CORE_BUDGET=19,
+        NET_CORE_AEVENT_ETIME=20,
+        NET_CORE_AEVENT_RSEQTH=21,
 };
 
 /* /proc/sys/net/ethernet */
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index 82fbb758e28f..b54a12940ef6 100644
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -156,6 +156,10 @@ enum {
         XFRM_MSG_FLUSHPOLICY,
 #define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY
 
+        XFRM_MSG_NEWAE,
+#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
+        XFRM_MSG_GETAE,
+#define XFRM_MSG_GETAE XFRM_MSG_GETAE
         __XFRM_MSG_MAX
 };
 #define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
@@ -194,6 +198,21 @@ struct xfrm_encap_tmpl {
         xfrm_address_t  encap_oa;
 };
 
+/* AEVENT flags  */
+enum xfrm_ae_ftype_t {
+        XFRM_AE_UNSPEC,
+        XFRM_AE_RTHR=1, /* replay threshold*/
+        XFRM_AE_RVAL=2, /* replay value */
+        XFRM_AE_LVAL=4, /* lifetime value */
+        XFRM_AE_ETHR=8, /* expiry timer threshold */
+        XFRM_AE_CR=16, /* Event cause is replay update */
+        XFRM_AE_CE=32, /* Event cause is timer expiry */
+        XFRM_AE_CU=64, /* Event cause is policy update */
+        __XFRM_AE_MAX
+
+#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
+};
+
 /* Netlink message attributes.  */
 enum xfrm_attr_type_t {
         XFRMA_UNSPEC,
@@ -205,6 +224,10 @@ enum xfrm_attr_type_t {
         XFRMA_SA,
         XFRMA_POLICY,
         XFRMA_SEC_CTX,          /* struct xfrm_sec_ctx */
+        XFRMA_LTIME_VAL,
+        XFRMA_REPLAY_VAL,
+        XFRMA_REPLAY_THRESH,
+        XFRMA_ETIMER_THRESH,
         __XFRMA_MAX
 
 #define XFRMA_MAX (__XFRMA_MAX - 1)
@@ -235,6 +258,11 @@ struct xfrm_usersa_id {
         __u8                            proto;
 };
 
+struct xfrm_aevent_id {
+        __u32                           flags;
+        struct xfrm_usersa_id           sa_id;
+};
+
 struct xfrm_userspi_info {
         struct xfrm_usersa_info         info;
         __u32                           min;
@@ -306,6 +334,8 @@ enum xfrm_nlgroups {
 #define XFRMNLGRP_SA            XFRMNLGRP_SA
         XFRMNLGRP_POLICY,
 #define XFRMNLGRP_POLICY        XFRMNLGRP_POLICY
+        XFRMNLGRP_AEVENTS,
+#define XFRMNLGRP_AEVENTS       XFRMNLGRP_AEVENTS
         __XFRMNLGRP_MAX
 };
 #define XFRMNLGRP_MAX   (__XFRMNLGRP_MAX - 1)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 8d362c49b8a9..bc005e62e434 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -20,6 +20,10 @@
 
 #define XFRM_ALIGN8(len)        (((len) + 7) & ~7)
 
+extern struct sock *xfrm_nl;
+extern u32 sysctl_xfrm_aevent_etime;
+extern u32 sysctl_xfrm_aevent_rseqth;
+
 extern struct semaphore xfrm_cfg_sem;
 
 /* Organization of SPD aka "XFRM rules"
@@ -135,6 +139,16 @@ struct xfrm_state
         /* State for replay detection */
         struct xfrm_replay_state replay;
 
+        /* Replay detection state at the time we sent the last notification */
+        struct xfrm_replay_state preplay;
+
+        /* Replay detection notification settings */
+        u32                     replay_maxage;
+        u32                     replay_maxdiff;
+
+        /* Replay detection notification timer */
+        struct timer_list       rtimer;
+
         /* Statistics */
         struct xfrm_stats       stats;
 
@@ -169,6 +183,7 @@ struct km_event
                 u32 hard;
                 u32 proto;
                 u32 byid;
+                u32 aevent;
         } data;
 
         u32     seq;
@@ -305,7 +320,21 @@ struct xfrm_policy
         struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
 };
 
-#define XFRM_KM_TIMEOUT         30
+#define XFRM_KM_TIMEOUT                30
+/* which seqno */
+#define XFRM_REPLAY_SEQ         1
+#define XFRM_REPLAY_OSEQ        2
+#define XFRM_REPLAY_SEQ_MASK    3
+/* what happened */
+#define XFRM_REPLAY_UPDATE      XFRM_AE_CR
+#define XFRM_REPLAY_TIMEOUT     XFRM_AE_CE
+
+/* default aevent timeout in units of 100ms */
+#define XFRM_AE_ETIME                   10
+/* Async Event timer multiplier */
+#define XFRM_AE_ETH_M                   10
+/* default seq threshold size */
+#define XFRM_AE_SEQT_SIZE               2
 
 struct xfrm_mgr
 {
@@ -865,6 +894,7 @@ extern int xfrm_state_delete(struct xfrm_state *x);
 extern void xfrm_state_flush(u8 proto);
 extern int xfrm_replay_check(struct xfrm_state *x, u32 seq);
 extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq);
+extern void xfrm_replay_notify(struct xfrm_state *x, int event);
 extern int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb);
 extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
 extern int xfrm_init_state(struct xfrm_state *x);
@@ -965,4 +995,16 @@ static inline int xfrm_policy_id2dir(u32 index)
         return index & 7;
 }
 
+static inline int xfrm_aevent_is_on(void)
+{
+        return netlink_has_listeners(xfrm_nl,XFRMNLGRP_AEVENTS);
+}
+
+static inline void xfrm_aevent_doreplay(struct xfrm_state *x)
+{
+        if (xfrm_aevent_is_on())
+                xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
+}
+
+
 #endif  /* _NET_XFRM_H */