authorGlenn Elliott <gelliott@cs.unc.edu>2012-03-04 19:47:13 -0500
committerGlenn Elliott <gelliott@cs.unc.edu>2012-03-04 19:47:13 -0500
commitc71c03bda1e86c9d5198c5d83f712e695c4f2a1e (patch)
treeecb166cb3e2b7e2adb3b5e292245fefd23381ac8 /net/xfrm/xfrm_policy.c
parentea53c912f8a86a8567697115b6a0d8152beee5c8 (diff)
parent6a00f206debf8a5c8899055726ad127dbeeed098 (diff)
Merge branch 'mpi-master' into wip-k-fmlpwip-k-fmlp
Conflicts: litmus/sched_cedf.c
Diffstat (limited to 'net/xfrm/xfrm_policy.c')
-rw-r--r--net/xfrm/xfrm_policy.c257
1 files changed, 143 insertions, 114 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index cbab6e1a8c9c..5ce74a385525 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -50,34 +50,40 @@ static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
50static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo); 50static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
51static void xfrm_init_pmtu(struct dst_entry *dst); 51static void xfrm_init_pmtu(struct dst_entry *dst);
52static int stale_bundle(struct dst_entry *dst); 52static int stale_bundle(struct dst_entry *dst);
53static int xfrm_bundle_ok(struct xfrm_dst *xdst);
54
53 55
54static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol, 56static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
55 int dir); 57 int dir);
56 58
57static inline int 59static inline int
58__xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl) 60__xfrm4_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
59{ 61{
60 return addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) && 62 const struct flowi4 *fl4 = &fl->u.ip4;
61 addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) && 63
62 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) && 64 return addr_match(&fl4->daddr, &sel->daddr, sel->prefixlen_d) &&
63 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) && 65 addr_match(&fl4->saddr, &sel->saddr, sel->prefixlen_s) &&
64 (fl->proto == sel->proto || !sel->proto) && 66 !((xfrm_flowi_dport(fl, &fl4->uli) ^ sel->dport) & sel->dport_mask) &&
65 (fl->oif == sel->ifindex || !sel->ifindex); 67 !((xfrm_flowi_sport(fl, &fl4->uli) ^ sel->sport) & sel->sport_mask) &&
68 (fl4->flowi4_proto == sel->proto || !sel->proto) &&
69 (fl4->flowi4_oif == sel->ifindex || !sel->ifindex);
66} 70}
67 71
68static inline int 72static inline int
69__xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl) 73__xfrm6_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
70{ 74{
71 return addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) && 75 const struct flowi6 *fl6 = &fl->u.ip6;
72 addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) && 76
73 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) && 77 return addr_match(&fl6->daddr, &sel->daddr, sel->prefixlen_d) &&
74 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) && 78 addr_match(&fl6->saddr, &sel->saddr, sel->prefixlen_s) &&
75 (fl->proto == sel->proto || !sel->proto) && 79 !((xfrm_flowi_dport(fl, &fl6->uli) ^ sel->dport) & sel->dport_mask) &&
76 (fl->oif == sel->ifindex || !sel->ifindex); 80 !((xfrm_flowi_sport(fl, &fl6->uli) ^ sel->sport) & sel->sport_mask) &&
81 (fl6->flowi6_proto == sel->proto || !sel->proto) &&
82 (fl6->flowi6_oif == sel->ifindex || !sel->ifindex);
77} 83}
78 84
79int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl, 85int xfrm_selector_match(const struct xfrm_selector *sel, const struct flowi *fl,
80 unsigned short family) 86 unsigned short family)
81{ 87{
82 switch (family) { 88 switch (family) {
83 case AF_INET: 89 case AF_INET:
@@ -89,8 +95,8 @@ int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
89} 95}
90 96
91static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, 97static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos,
92 xfrm_address_t *saddr, 98 const xfrm_address_t *saddr,
93 xfrm_address_t *daddr, 99 const xfrm_address_t *daddr,
94 int family) 100 int family)
95{ 101{
96 struct xfrm_policy_afinfo *afinfo; 102 struct xfrm_policy_afinfo *afinfo;
@@ -308,7 +314,9 @@ static inline unsigned int idx_hash(struct net *net, u32 index)
308 return __idx_hash(index, net->xfrm.policy_idx_hmask); 314 return __idx_hash(index, net->xfrm.policy_idx_hmask);
309} 315}
310 316
311static struct hlist_head *policy_hash_bysel(struct net *net, struct xfrm_selector *sel, unsigned short family, int dir) 317static struct hlist_head *policy_hash_bysel(struct net *net,
318 const struct xfrm_selector *sel,
319 unsigned short family, int dir)
312{ 320{
313 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask; 321 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
314 unsigned int hash = __sel_hash(sel, family, hmask); 322 unsigned int hash = __sel_hash(sel, family, hmask);
@@ -318,7 +326,10 @@ static struct hlist_head *policy_hash_bysel(struct net *net, struct xfrm_selecto
318 net->xfrm.policy_bydst[dir].table + hash); 326 net->xfrm.policy_bydst[dir].table + hash);
319} 327}
320 328
321static struct hlist_head *policy_hash_direct(struct net *net, xfrm_address_t *daddr, xfrm_address_t *saddr, unsigned short family, int dir) 329static struct hlist_head *policy_hash_direct(struct net *net,
330 const xfrm_address_t *daddr,
331 const xfrm_address_t *saddr,
332 unsigned short family, int dir)
322{ 333{
323 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask; 334 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
324 unsigned int hash = __addr_hash(daddr, saddr, family, hmask); 335 unsigned int hash = __addr_hash(daddr, saddr, family, hmask);
@@ -861,32 +872,33 @@ EXPORT_SYMBOL(xfrm_policy_walk_done);
861 * 872 *
862 * Returns 0 if policy found, else an -errno. 873 * Returns 0 if policy found, else an -errno.
863 */ 874 */
864static int xfrm_policy_match(struct xfrm_policy *pol, struct flowi *fl, 875static int xfrm_policy_match(const struct xfrm_policy *pol,
876 const struct flowi *fl,
865 u8 type, u16 family, int dir) 877 u8 type, u16 family, int dir)
866{ 878{
867 struct xfrm_selector *sel = &pol->selector; 879 const struct xfrm_selector *sel = &pol->selector;
868 int match, ret = -ESRCH; 880 int match, ret = -ESRCH;
869 881
870 if (pol->family != family || 882 if (pol->family != family ||
871 (fl->mark & pol->mark.m) != pol->mark.v || 883 (fl->flowi_mark & pol->mark.m) != pol->mark.v ||
872 pol->type != type) 884 pol->type != type)
873 return ret; 885 return ret;
874 886
875 match = xfrm_selector_match(sel, fl, family); 887 match = xfrm_selector_match(sel, fl, family);
876 if (match) 888 if (match)
877 ret = security_xfrm_policy_lookup(pol->security, fl->secid, 889 ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid,
878 dir); 890 dir);
879 891
880 return ret; 892 return ret;
881} 893}
882 894
883static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type, 895static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
884 struct flowi *fl, 896 const struct flowi *fl,
885 u16 family, u8 dir) 897 u16 family, u8 dir)
886{ 898{
887 int err; 899 int err;
888 struct xfrm_policy *pol, *ret; 900 struct xfrm_policy *pol, *ret;
889 xfrm_address_t *daddr, *saddr; 901 const xfrm_address_t *daddr, *saddr;
890 struct hlist_node *entry; 902 struct hlist_node *entry;
891 struct hlist_head *chain; 903 struct hlist_head *chain;
892 u32 priority = ~0U; 904 u32 priority = ~0U;
@@ -938,7 +950,7 @@ fail:
938} 950}
939 951
940static struct xfrm_policy * 952static struct xfrm_policy *
941__xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir) 953__xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir)
942{ 954{
943#ifdef CONFIG_XFRM_SUB_POLICY 955#ifdef CONFIG_XFRM_SUB_POLICY
944 struct xfrm_policy *pol; 956 struct xfrm_policy *pol;
@@ -951,7 +963,7 @@ __xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir)
951} 963}
952 964
953static struct flow_cache_object * 965static struct flow_cache_object *
954xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, 966xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family,
955 u8 dir, struct flow_cache_object *old_obj, void *ctx) 967 u8 dir, struct flow_cache_object *old_obj, void *ctx)
956{ 968{
957 struct xfrm_policy *pol; 969 struct xfrm_policy *pol;
@@ -987,7 +999,8 @@ static inline int policy_to_flow_dir(int dir)
987 } 999 }
988} 1000}
989 1001
990static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl) 1002static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir,
1003 const struct flowi *fl)
991{ 1004{
992 struct xfrm_policy *pol; 1005 struct xfrm_policy *pol;
993 1006
@@ -1003,7 +1016,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struc
1003 goto out; 1016 goto out;
1004 } 1017 }
1005 err = security_xfrm_policy_lookup(pol->security, 1018 err = security_xfrm_policy_lookup(pol->security,
1006 fl->secid, 1019 fl->flowi_secid,
1007 policy_to_flow_dir(dir)); 1020 policy_to_flow_dir(dir));
1008 if (!err) 1021 if (!err)
1009 xfrm_pol_hold(pol); 1022 xfrm_pol_hold(pol);
@@ -1095,7 +1108,7 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
1095 return 0; 1108 return 0;
1096} 1109}
1097 1110
1098static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir) 1111static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
1099{ 1112{
1100 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC); 1113 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC);
1101 1114
@@ -1154,9 +1167,8 @@ xfrm_get_saddr(struct net *net, xfrm_address_t *local, xfrm_address_t *remote,
1154/* Resolve list of templates for the flow, given policy. */ 1167/* Resolve list of templates for the flow, given policy. */
1155 1168
1156static int 1169static int
1157xfrm_tmpl_resolve_one(struct xfrm_policy *policy, struct flowi *fl, 1170xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
1158 struct xfrm_state **xfrm, 1171 struct xfrm_state **xfrm, unsigned short family)
1159 unsigned short family)
1160{ 1172{
1161 struct net *net = xp_net(policy); 1173 struct net *net = xp_net(policy);
1162 int nx; 1174 int nx;
@@ -1211,9 +1223,8 @@ fail:
1211} 1223}
1212 1224
1213static int 1225static int
1214xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl, 1226xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl,
1215 struct xfrm_state **xfrm, 1227 struct xfrm_state **xfrm, unsigned short family)
1216 unsigned short family)
1217{ 1228{
1218 struct xfrm_state *tp[XFRM_MAX_DEPTH]; 1229 struct xfrm_state *tp[XFRM_MAX_DEPTH];
1219 struct xfrm_state **tpp = (npols > 1) ? tp : xfrm; 1230 struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
@@ -1253,7 +1264,7 @@ xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl,
1253 * still valid. 1264 * still valid.
1254 */ 1265 */
1255 1266
1256static inline int xfrm_get_tos(struct flowi *fl, int family) 1267static inline int xfrm_get_tos(const struct flowi *fl, int family)
1257{ 1268{
1258 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1269 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1259 int tos; 1270 int tos;
@@ -1337,10 +1348,14 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
1337 default: 1348 default:
1338 BUG(); 1349 BUG();
1339 } 1350 }
1340 xdst = dst_alloc(dst_ops) ?: ERR_PTR(-ENOBUFS); 1351 xdst = dst_alloc(dst_ops, NULL, 0, 0, 0);
1352 memset(&xdst->u.rt6.rt6i_table, 0, sizeof(*xdst) - sizeof(struct dst_entry));
1341 xfrm_policy_put_afinfo(afinfo); 1353 xfrm_policy_put_afinfo(afinfo);
1342 1354
1343 xdst->flo.ops = &xfrm_bundle_fc_ops; 1355 if (likely(xdst))
1356 xdst->flo.ops = &xfrm_bundle_fc_ops;
1357 else
1358 xdst = ERR_PTR(-ENOBUFS);
1344 1359
1345 return xdst; 1360 return xdst;
1346} 1361}
@@ -1363,7 +1378,7 @@ static inline int xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst,
1363} 1378}
1364 1379
1365static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev, 1380static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
1366 struct flowi *fl) 1381 const struct flowi *fl)
1367{ 1382{
1368 struct xfrm_policy_afinfo *afinfo = 1383 struct xfrm_policy_afinfo *afinfo =
1369 xfrm_policy_get_afinfo(xdst->u.dst.ops->family); 1384 xfrm_policy_get_afinfo(xdst->u.dst.ops->family);
@@ -1386,12 +1401,13 @@ static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
1386 1401
1387static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy, 1402static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
1388 struct xfrm_state **xfrm, int nx, 1403 struct xfrm_state **xfrm, int nx,
1389 struct flowi *fl, 1404 const struct flowi *fl,
1390 struct dst_entry *dst) 1405 struct dst_entry *dst)
1391{ 1406{
1392 struct net *net = xp_net(policy); 1407 struct net *net = xp_net(policy);
1393 unsigned long now = jiffies; 1408 unsigned long now = jiffies;
1394 struct net_device *dev; 1409 struct net_device *dev;
1410 struct xfrm_mode *inner_mode;
1395 struct dst_entry *dst_prev = NULL; 1411 struct dst_entry *dst_prev = NULL;
1396 struct dst_entry *dst0 = NULL; 1412 struct dst_entry *dst0 = NULL;
1397 int i = 0; 1413 int i = 0;
@@ -1422,6 +1438,17 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
1422 goto put_states; 1438 goto put_states;
1423 } 1439 }
1424 1440
1441 if (xfrm[i]->sel.family == AF_UNSPEC) {
1442 inner_mode = xfrm_ip2inner_mode(xfrm[i],
1443 xfrm_af2proto(family));
1444 if (!inner_mode) {
1445 err = -EAFNOSUPPORT;
1446 dst_release(dst);
1447 goto put_states;
1448 }
1449 } else
1450 inner_mode = xfrm[i]->inner_mode;
1451
1425 if (!dst_prev) 1452 if (!dst_prev)
1426 dst0 = dst1; 1453 dst0 = dst1;
1427 else { 1454 else {
@@ -1430,7 +1457,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
1430 } 1457 }
1431 1458
1432 xdst->route = dst; 1459 xdst->route = dst;
1433 memcpy(&dst1->metrics, &dst->metrics, sizeof(dst->metrics)); 1460 dst_copy_metrics(dst1, dst);
1434 1461
1435 if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) { 1462 if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
1436 family = xfrm[i]->props.family; 1463 family = xfrm[i]->props.family;
@@ -1450,7 +1477,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
1450 dst1->lastuse = now; 1477 dst1->lastuse = now;
1451 1478
1452 dst1->input = dst_discard; 1479 dst1->input = dst_discard;
1453 dst1->output = xfrm[i]->outer_mode->afinfo->output; 1480 dst1->output = inner_mode->afinfo->output;
1454 1481
1455 dst1->next = dst_prev; 1482 dst1->next = dst_prev;
1456 dst_prev = dst1; 1483 dst_prev = dst1;
@@ -1502,7 +1529,7 @@ free_dst:
1502} 1529}
1503 1530
1504static int inline 1531static int inline
1505xfrm_dst_alloc_copy(void **target, void *src, int size) 1532xfrm_dst_alloc_copy(void **target, const void *src, int size)
1506{ 1533{
1507 if (!*target) { 1534 if (!*target) {
1508 *target = kmalloc(size, GFP_ATOMIC); 1535 *target = kmalloc(size, GFP_ATOMIC);
@@ -1514,7 +1541,7 @@ xfrm_dst_alloc_copy(void **target, void *src, int size)
1514} 1541}
1515 1542
1516static int inline 1543static int inline
1517xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel) 1544xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
1518{ 1545{
1519#ifdef CONFIG_XFRM_SUB_POLICY 1546#ifdef CONFIG_XFRM_SUB_POLICY
1520 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 1547 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
@@ -1526,7 +1553,7 @@ xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
1526} 1553}
1527 1554
1528static int inline 1555static int inline
1529xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl) 1556xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
1530{ 1557{
1531#ifdef CONFIG_XFRM_SUB_POLICY 1558#ifdef CONFIG_XFRM_SUB_POLICY
1532 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 1559 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
@@ -1536,7 +1563,7 @@ xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
1536#endif 1563#endif
1537} 1564}
1538 1565
1539static int xfrm_expand_policies(struct flowi *fl, u16 family, 1566static int xfrm_expand_policies(const struct flowi *fl, u16 family,
1540 struct xfrm_policy **pols, 1567 struct xfrm_policy **pols,
1541 int *num_pols, int *num_xfrms) 1568 int *num_pols, int *num_xfrms)
1542{ 1569{
@@ -1582,7 +1609,7 @@ static int xfrm_expand_policies(struct flowi *fl, u16 family,
1582 1609
1583static struct xfrm_dst * 1610static struct xfrm_dst *
1584xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols, 1611xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
1585 struct flowi *fl, u16 family, 1612 const struct flowi *fl, u16 family,
1586 struct dst_entry *dst_orig) 1613 struct dst_entry *dst_orig)
1587{ 1614{
1588 struct net *net = xp_net(pols[0]); 1615 struct net *net = xp_net(pols[0]);
@@ -1625,7 +1652,7 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
1625} 1652}
1626 1653
1627static struct flow_cache_object * 1654static struct flow_cache_object *
1628xfrm_bundle_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir, 1655xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir,
1629 struct flow_cache_object *oldflo, void *ctx) 1656 struct flow_cache_object *oldflo, void *ctx)
1630{ 1657{
1631 struct dst_entry *dst_orig = (struct dst_entry *)ctx; 1658 struct dst_entry *dst_orig = (struct dst_entry *)ctx;
@@ -1724,18 +1751,36 @@ error:
1724 return ERR_PTR(err); 1751 return ERR_PTR(err);
1725} 1752}
1726 1753
1754static struct dst_entry *make_blackhole(struct net *net, u16 family,
1755 struct dst_entry *dst_orig)
1756{
1757 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1758 struct dst_entry *ret;
1759
1760 if (!afinfo) {
1761 dst_release(dst_orig);
1762 ret = ERR_PTR(-EINVAL);
1763 } else {
1764 ret = afinfo->blackhole_route(net, dst_orig);
1765 }
1766 xfrm_policy_put_afinfo(afinfo);
1767
1768 return ret;
1769}
1770
1727/* Main function: finds/creates a bundle for given flow. 1771/* Main function: finds/creates a bundle for given flow.
1728 * 1772 *
1729 * At the moment we eat a raw IP route. Mostly to speed up lookups 1773 * At the moment we eat a raw IP route. Mostly to speed up lookups
1730 * on interfaces with disabled IPsec. 1774 * on interfaces with disabled IPsec.
1731 */ 1775 */
1732int __xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl, 1776struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
1733 struct sock *sk, int flags) 1777 const struct flowi *fl,
1778 struct sock *sk, int flags)
1734{ 1779{
1735 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; 1780 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1736 struct flow_cache_object *flo; 1781 struct flow_cache_object *flo;
1737 struct xfrm_dst *xdst; 1782 struct xfrm_dst *xdst;
1738 struct dst_entry *dst, *dst_orig = *dst_p, *route; 1783 struct dst_entry *dst, *route;
1739 u16 family = dst_orig->ops->family; 1784 u16 family = dst_orig->ops->family;
1740 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT); 1785 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
1741 int i, err, num_pols, num_xfrms = 0, drop_pols = 0; 1786 int i, err, num_pols, num_xfrms = 0, drop_pols = 0;
@@ -1772,6 +1817,8 @@ restart:
1772 goto no_transform; 1817 goto no_transform;
1773 } 1818 }
1774 1819
1820 dst_hold(&xdst->u.dst);
1821
1775 spin_lock_bh(&xfrm_policy_sk_bundle_lock); 1822 spin_lock_bh(&xfrm_policy_sk_bundle_lock);
1776 xdst->u.dst.next = xfrm_policy_sk_bundles; 1823 xdst->u.dst.next = xfrm_policy_sk_bundles;
1777 xfrm_policy_sk_bundles = &xdst->u.dst; 1824 xfrm_policy_sk_bundles = &xdst->u.dst;
@@ -1817,9 +1864,10 @@ restart:
1817 dst_release(dst); 1864 dst_release(dst);
1818 xfrm_pols_put(pols, drop_pols); 1865 xfrm_pols_put(pols, drop_pols);
1819 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES); 1866 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1820 return -EREMOTE; 1867
1868 return make_blackhole(net, family, dst_orig);
1821 } 1869 }
1822 if (flags & XFRM_LOOKUP_WAIT) { 1870 if (fl->flowi_flags & FLOWI_FLAG_CAN_SLEEP) {
1823 DECLARE_WAITQUEUE(wait, current); 1871 DECLARE_WAITQUEUE(wait, current);
1824 1872
1825 add_wait_queue(&net->xfrm.km_waitq, &wait); 1873 add_wait_queue(&net->xfrm.km_waitq, &wait);
@@ -1861,47 +1909,33 @@ no_transform:
1861 goto error; 1909 goto error;
1862 } else if (num_xfrms > 0) { 1910 } else if (num_xfrms > 0) {
1863 /* Flow transformed */ 1911 /* Flow transformed */
1864 *dst_p = dst;
1865 dst_release(dst_orig); 1912 dst_release(dst_orig);
1866 } else { 1913 } else {
1867 /* Flow passes untransformed */ 1914 /* Flow passes untransformed */
1868 dst_release(dst); 1915 dst_release(dst);
1916 dst = dst_orig;
1869 } 1917 }
1870ok: 1918ok:
1871 xfrm_pols_put(pols, drop_pols); 1919 xfrm_pols_put(pols, drop_pols);
1872 return 0; 1920 return dst;
1873 1921
1874nopol: 1922nopol:
1875 if (!(flags & XFRM_LOOKUP_ICMP)) 1923 if (!(flags & XFRM_LOOKUP_ICMP)) {
1924 dst = dst_orig;
1876 goto ok; 1925 goto ok;
1926 }
1877 err = -ENOENT; 1927 err = -ENOENT;
1878error: 1928error:
1879 dst_release(dst); 1929 dst_release(dst);
1880dropdst: 1930dropdst:
1881 dst_release(dst_orig); 1931 dst_release(dst_orig);
1882 *dst_p = NULL;
1883 xfrm_pols_put(pols, drop_pols); 1932 xfrm_pols_put(pols, drop_pols);
1884 return err; 1933 return ERR_PTR(err);
1885}
1886EXPORT_SYMBOL(__xfrm_lookup);
1887
1888int xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl,
1889 struct sock *sk, int flags)
1890{
1891 int err = __xfrm_lookup(net, dst_p, fl, sk, flags);
1892
1893 if (err == -EREMOTE) {
1894 dst_release(*dst_p);
1895 *dst_p = NULL;
1896 err = -EAGAIN;
1897 }
1898
1899 return err;
1900} 1934}
1901EXPORT_SYMBOL(xfrm_lookup); 1935EXPORT_SYMBOL(xfrm_lookup);
1902 1936
1903static inline int 1937static inline int
1904xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl) 1938xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
1905{ 1939{
1906 struct xfrm_state *x; 1940 struct xfrm_state *x;
1907 1941
@@ -1920,7 +1954,7 @@ xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl)
1920 */ 1954 */
1921 1955
1922static inline int 1956static inline int
1923xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x, 1957xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
1924 unsigned short family) 1958 unsigned short family)
1925{ 1959{
1926 if (xfrm_state_kern(x)) 1960 if (xfrm_state_kern(x))
@@ -1943,7 +1977,7 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
1943 * Otherwise "-2 - errored_index" is returned. 1977 * Otherwise "-2 - errored_index" is returned.
1944 */ 1978 */
1945static inline int 1979static inline int
1946xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start, 1980xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start,
1947 unsigned short family) 1981 unsigned short family)
1948{ 1982{
1949 int idx = start; 1983 int idx = start;
@@ -1975,13 +2009,13 @@ int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1975 return -EAFNOSUPPORT; 2009 return -EAFNOSUPPORT;
1976 2010
1977 afinfo->decode_session(skb, fl, reverse); 2011 afinfo->decode_session(skb, fl, reverse);
1978 err = security_xfrm_decode_session(skb, &fl->secid); 2012 err = security_xfrm_decode_session(skb, &fl->flowi_secid);
1979 xfrm_policy_put_afinfo(afinfo); 2013 xfrm_policy_put_afinfo(afinfo);
1980 return err; 2014 return err;
1981} 2015}
1982EXPORT_SYMBOL(__xfrm_decode_session); 2016EXPORT_SYMBOL(__xfrm_decode_session);
1983 2017
1984static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp) 2018static inline int secpath_has_nontransport(const struct sec_path *sp, int k, int *idxp)
1985{ 2019{
1986 for (; k < sp->len; k++) { 2020 for (; k < sp->len; k++) {
1987 if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) { 2021 if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
@@ -2156,7 +2190,7 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
2156 struct net *net = dev_net(skb->dev); 2190 struct net *net = dev_net(skb->dev);
2157 struct flowi fl; 2191 struct flowi fl;
2158 struct dst_entry *dst; 2192 struct dst_entry *dst;
2159 int res; 2193 int res = 1;
2160 2194
2161 if (xfrm_decode_session(skb, &fl, family) < 0) { 2195 if (xfrm_decode_session(skb, &fl, family) < 0) {
2162 XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR); 2196 XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
@@ -2164,9 +2198,12 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
2164 } 2198 }
2165 2199
2166 skb_dst_force(skb); 2200 skb_dst_force(skb);
2167 dst = skb_dst(skb);
2168 2201
2169 res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0; 2202 dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, 0);
2203 if (IS_ERR(dst)) {
2204 res = 0;
2205 dst = NULL;
2206 }
2170 skb_dst_set(skb, dst); 2207 skb_dst_set(skb, dst);
2171 return res; 2208 return res;
2172} 2209}
@@ -2204,7 +2241,7 @@ static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
2204 2241
2205static int stale_bundle(struct dst_entry *dst) 2242static int stale_bundle(struct dst_entry *dst)
2206{ 2243{
2207 return !xfrm_bundle_ok(NULL, (struct xfrm_dst *)dst, NULL, AF_UNSPEC, 0); 2244 return !xfrm_bundle_ok((struct xfrm_dst *)dst);
2208} 2245}
2209 2246
2210void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev) 2247void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
@@ -2268,7 +2305,7 @@ static void xfrm_init_pmtu(struct dst_entry *dst)
2268 if (pmtu > route_mtu_cached) 2305 if (pmtu > route_mtu_cached)
2269 pmtu = route_mtu_cached; 2306 pmtu = route_mtu_cached;
2270 2307
2271 dst->metrics[RTAX_MTU-1] = pmtu; 2308 dst_metric_set(dst, RTAX_MTU, pmtu);
2272 } while ((dst = dst->next)); 2309 } while ((dst = dst->next));
2273} 2310}
2274 2311
@@ -2276,8 +2313,7 @@ static void xfrm_init_pmtu(struct dst_entry *dst)
2276 * still valid. 2313 * still valid.
2277 */ 2314 */
2278 2315
2279int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first, 2316static int xfrm_bundle_ok(struct xfrm_dst *first)
2280 struct flowi *fl, int family, int strict)
2281{ 2317{
2282 struct dst_entry *dst = &first->u.dst; 2318 struct dst_entry *dst = &first->u.dst;
2283 struct xfrm_dst *last; 2319 struct xfrm_dst *last;
@@ -2286,26 +2322,12 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
2286 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) || 2322 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
2287 (dst->dev && !netif_running(dst->dev))) 2323 (dst->dev && !netif_running(dst->dev)))
2288 return 0; 2324 return 0;
2289#ifdef CONFIG_XFRM_SUB_POLICY
2290 if (fl) {
2291 if (first->origin && !flow_cache_uli_match(first->origin, fl))
2292 return 0;
2293 if (first->partner &&
2294 !xfrm_selector_match(first->partner, fl, family))
2295 return 0;
2296 }
2297#endif
2298 2325
2299 last = NULL; 2326 last = NULL;
2300 2327
2301 do { 2328 do {
2302 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 2329 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
2303 2330
2304 if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
2305 return 0;
2306 if (fl && pol &&
2307 !security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl))
2308 return 0;
2309 if (dst->xfrm->km.state != XFRM_STATE_VALID) 2331 if (dst->xfrm->km.state != XFRM_STATE_VALID)
2310 return 0; 2332 return 0;
2311 if (xdst->xfrm_genid != dst->xfrm->genid) 2333 if (xdst->xfrm_genid != dst->xfrm->genid)
@@ -2314,11 +2336,6 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
2314 xdst->policy_genid != atomic_read(&xdst->pols[0]->genid)) 2336 xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
2315 return 0; 2337 return 0;
2316 2338
2317 if (strict && fl &&
2318 !(dst->xfrm->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
2319 !xfrm_state_addr_flow_check(dst->xfrm, fl, family))
2320 return 0;
2321
2322 mtu = dst_mtu(dst->child); 2339 mtu = dst_mtu(dst->child);
2323 if (xdst->child_mtu_cached != mtu) { 2340 if (xdst->child_mtu_cached != mtu) {
2324 last = xdst; 2341 last = xdst;
@@ -2346,7 +2363,7 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
2346 mtu = xfrm_state_mtu(dst->xfrm, mtu); 2363 mtu = xfrm_state_mtu(dst->xfrm, mtu);
2347 if (mtu > last->route_mtu_cached) 2364 if (mtu > last->route_mtu_cached)
2348 mtu = last->route_mtu_cached; 2365 mtu = last->route_mtu_cached;
2349 dst->metrics[RTAX_MTU-1] = mtu; 2366 dst_metric_set(dst, RTAX_MTU, mtu);
2350 2367
2351 if (last == first) 2368 if (last == first)
2352 break; 2369 break;
@@ -2358,7 +2375,15 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
2358 return 1; 2375 return 1;
2359} 2376}
2360 2377
2361EXPORT_SYMBOL(xfrm_bundle_ok); 2378static unsigned int xfrm_default_advmss(const struct dst_entry *dst)
2379{
2380 return dst_metric_advmss(dst->path);
2381}
2382
2383static unsigned int xfrm_default_mtu(const struct dst_entry *dst)
2384{
2385 return dst_mtu(dst->path);
2386}
2362 2387
2363int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) 2388int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
2364{ 2389{
@@ -2377,6 +2402,10 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
2377 dst_ops->kmem_cachep = xfrm_dst_cache; 2402 dst_ops->kmem_cachep = xfrm_dst_cache;
2378 if (likely(dst_ops->check == NULL)) 2403 if (likely(dst_ops->check == NULL))
2379 dst_ops->check = xfrm_dst_check; 2404 dst_ops->check = xfrm_dst_check;
2405 if (likely(dst_ops->default_advmss == NULL))
2406 dst_ops->default_advmss = xfrm_default_advmss;
2407 if (likely(dst_ops->default_mtu == NULL))
2408 dst_ops->default_mtu = xfrm_default_mtu;
2380 if (likely(dst_ops->negative_advice == NULL)) 2409 if (likely(dst_ops->negative_advice == NULL))
2381 dst_ops->negative_advice = xfrm_negative_advice; 2410 dst_ops->negative_advice = xfrm_negative_advice;
2382 if (likely(dst_ops->link_failure == NULL)) 2411 if (likely(dst_ops->link_failure == NULL))
@@ -2717,8 +2746,8 @@ EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
2717#endif 2746#endif
2718 2747
2719#ifdef CONFIG_XFRM_MIGRATE 2748#ifdef CONFIG_XFRM_MIGRATE
2720static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp, 2749static int xfrm_migrate_selector_match(const struct xfrm_selector *sel_cmp,
2721 struct xfrm_selector *sel_tgt) 2750 const struct xfrm_selector *sel_tgt)
2722{ 2751{
2723 if (sel_cmp->proto == IPSEC_ULPROTO_ANY) { 2752 if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
2724 if (sel_tgt->family == sel_cmp->family && 2753 if (sel_tgt->family == sel_cmp->family &&
@@ -2738,7 +2767,7 @@ static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp,
2738 return 0; 2767 return 0;
2739} 2768}
2740 2769
2741static struct xfrm_policy * xfrm_migrate_policy_find(struct xfrm_selector *sel, 2770static struct xfrm_policy * xfrm_migrate_policy_find(const struct xfrm_selector *sel,
2742 u8 dir, u8 type) 2771 u8 dir, u8 type)
2743{ 2772{
2744 struct xfrm_policy *pol, *ret = NULL; 2773 struct xfrm_policy *pol, *ret = NULL;
@@ -2774,7 +2803,7 @@ static struct xfrm_policy * xfrm_migrate_policy_find(struct xfrm_selector *sel,
2774 return ret; 2803 return ret;
2775} 2804}
2776 2805
2777static int migrate_tmpl_match(struct xfrm_migrate *m, struct xfrm_tmpl *t) 2806static int migrate_tmpl_match(const struct xfrm_migrate *m, const struct xfrm_tmpl *t)
2778{ 2807{
2779 int match = 0; 2808 int match = 0;
2780 2809
@@ -2844,7 +2873,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
2844 return 0; 2873 return 0;
2845} 2874}
2846 2875
2847static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate) 2876static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate)
2848{ 2877{
2849 int i, j; 2878 int i, j;
2850 2879
@@ -2878,7 +2907,7 @@ static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate)
2878 return 0; 2907 return 0;
2879} 2908}
2880 2909
2881int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 2910int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
2882 struct xfrm_migrate *m, int num_migrate, 2911 struct xfrm_migrate *m, int num_migrate,
2883 struct xfrm_kmaddress *k) 2912 struct xfrm_kmaddress *k)
2884{ 2913{
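Review bot: In xfrm_alloc_dst (new lines 1351-1358) the memset over `&xdst->u.rt6.rt6i_table` dereferences xdst before the `if (likely(xdst))` test, so a NULL return from dst_alloc() is dereferenced rather than converted to `ERR_PTR(-ENOBUFS)` as the branch below intends; the memset belongs inside the success branch, `if (likely(xdst)) { memset(&xdst->u.rt6.rt6i_table, 0, sizeof(*xdst) - sizeof(struct dst_entry)); xdst->flo.ops = &xfrm_bundle_fc_ops; } else xdst = ERR_PTR(-ENOBUFS);`. xfrm_alloc_dst's body begins outside the hunk. A second, smaller point is the new make_blackhole (lines 1754-1769), which calls xfrm_policy_put_afinfo(afinfo) on the `!afinfo` branch as well; whether that is safe depends on the body of xfrm_policy_put_afinfo, which is not in this diff, and if the put releases something the get only acquires on success it would be unbalanced, so returning `ERR_PTR(-EINVAL)` directly from the NULL branch without the put is the safer shape.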