1 files changed, 242 insertions, 42 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 1dd20cf17982..5ebb9ba479b1 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -19,6 +19,9 @@
 #include <net/route.h>
 #include <net/ipv6.h>
 #include <net/ip6_fib.h>
+#ifdef CONFIG_XFRM_STATISTICS
+#include <net/snmp.h>
+#endif
 #define XFRM_PROTO_ESP          50
 #define XFRM_PROTO_AH           51
@@ -34,6 +37,17 @@
 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
        MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
+#ifdef CONFIG_XFRM_STATISTICS
+DECLARE_SNMP_STAT(struct linux_xfrm_mib, xfrm_statistics);
+#define XFRM_INC_STATS(field)           SNMP_INC_STATS(xfrm_statistics, field)
+#define XFRM_INC_STATS_BH(field)        SNMP_INC_STATS_BH(xfrm_statistics, field)
+#define XFRM_INC_STATS_USER(field)      SNMP_INC_STATS_USER(xfrm_statistics, field)
+#else
+#define XFRM_INC_STATS(field)
+#define XFRM_INC_STATS_BH(field)
+#define XFRM_INC_STATS_USER(field)
+#endif
 extern struct sock *xfrm_nl;
 extern u32 sysctl_xfrm_aevent_etime;
 extern u32 sysctl_xfrm_aevent_rseqth;
@@ -183,7 +197,7 @@ struct xfrm_state
        struct timer_list       timer;
        /* Last used time */
-        u64                     lastused;
+        unsigned long           lastused;
        /* Reference to data common to all the instances of this
         * transformer. */
@@ -227,22 +241,26 @@ struct km_event
        u32     event;
 };
+struct net_device;
 struct xfrm_type;
 struct xfrm_dst;
 struct xfrm_policy_afinfo {
        unsigned short          family;
        struct dst_ops          *dst_ops;
        void                    (*garbage_collect)(void);
-        int                     (*dst_lookup)(struct xfrm_dst **dst, struct flowi *fl);
+        struct dst_entry        *(*dst_lookup)(int tos, xfrm_address_t *saddr,
+                                               xfrm_address_t *daddr);
        int                     (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr);
        struct dst_entry        *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
-        int                     (*bundle_create)(struct xfrm_policy *policy, 
-                                                 struct xfrm_state **xfrm, 
-                                                 int nx,
-                                                 struct flowi *fl, 
-                                                 struct dst_entry **dst_p);
        void                    (*decode_session)(struct sk_buff *skb,
-                                                  struct flowi *fl);
+                                                  struct flowi *fl,
+                                                  int reverse);
+        int                     (*get_tos)(struct flowi *fl);
+        int                     (*init_path)(struct xfrm_dst *path,
+                                             struct dst_entry *dst,
+                                             int nfheader_len);
+        int                     (*fill_dst)(struct xfrm_dst *xdst,
+                                            struct net_device *dev);
 };
 extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
@@ -257,6 +275,8 @@ extern int __xfrm_state_delete(struct xfrm_state *x);
 struct xfrm_state_afinfo {
        unsigned int            family;
+        unsigned int            proto;
+        unsigned int            eth_proto;
        struct module           *owner;
        struct xfrm_type        *type_map[IPPROTO_MAX];
        struct xfrm_mode        *mode_map[XFRM_MODE_MAX];
@@ -267,6 +287,12 @@ struct xfrm_state_afinfo {
        int                     (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
        int                     (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
        int                     (*output)(struct sk_buff *skb);
+        int                     (*extract_input)(struct xfrm_state *x,
+                                                 struct sk_buff *skb);
+        int                     (*extract_output)(struct xfrm_state *x,
+                                                  struct sk_buff *skb);
+        int                     (*transport_finish)(struct sk_buff *skb,
+                                                    int async);
 };
 extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
@@ -282,6 +308,8 @@ struct xfrm_type
        __u8                    flags;
 #define XFRM_TYPE_NON_FRAGMENT  1
 #define XFRM_TYPE_REPLAY_PROT   2
+#define XFRM_TYPE_LOCAL_COADDR  4
+#define XFRM_TYPE_REMOTE_COADDR 8
        int                     (*init_state)(struct xfrm_state *x);
        void                    (*destructor)(struct xfrm_state *);
@@ -289,8 +317,6 @@ struct xfrm_type
        int                     (*output)(struct xfrm_state *, struct sk_buff *pskb);
        int                     (*reject)(struct xfrm_state *, struct sk_buff *, struct flowi *);
        int                     (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
-        xfrm_address_t          *(*local_addr)(struct xfrm_state *, xfrm_address_t *);
-        xfrm_address_t          *(*remote_addr)(struct xfrm_state *, xfrm_address_t *);
        /* Estimate maximal size of result of transformation of a dgram */
        u32                     (*get_mtu)(struct xfrm_state *, int size);
 };
@@ -299,6 +325,27 @@ extern int xfrm_register_type(struct xfrm_type *type, unsigned short family);
 extern int xfrm_unregister_type(struct xfrm_type *type, unsigned short family);
 struct xfrm_mode {
+        /*
+         * Remove encapsulation header.
+         *
+         * The IP header will be moved over the top of the encapsulation
+         * header.
+         *
+         * On entry, the transport header shall point to where the IP header
+         * should be and the network header shall be set to where the IP
+         * header currently is.  skb->data shall point to the start of the
+         * payload.
+         */
+        int (*input2)(struct xfrm_state *x, struct sk_buff *skb);
+        /*
+         * This is the actual input entry point.
+         *
+         * For transport mode and equivalent this would be identical to
+         * input2 (which does not need to be set).  While tunnel mode
+         * and equivalent would set this to the tunnel encapsulation function
+         * xfrm4_prepare_input that would in turn call input2.
+         */
        int (*input)(struct xfrm_state *x, struct sk_buff *skb);
        /*
@@ -312,7 +359,18 @@ struct xfrm_mode {
         * header.  The value of the network header will always point
         * to the top IP header while skb->data will point to the payload.
         */
-        int (*output)(struct xfrm_state *x,struct sk_buff *skb);
+        int (*output2)(struct xfrm_state *x,struct sk_buff *skb);
+        /*
+         * This is the actual output entry point.
+         *
+         * For transport mode and equivalent this would be identical to
+         * output2 (which does not need to be set).  While tunnel mode
+         * and equivalent would set this to a tunnel encapsulation function
+         * (xfrm4_prepare_output or xfrm6_prepare_output) that would in turn
+         * call output2.
+         */
+        int (*output)(struct xfrm_state *x, struct sk_buff *skb);
        struct xfrm_state_afinfo *afinfo;
        struct module *owner;
@@ -454,6 +512,51 @@ struct xfrm_skb_cb {
 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
+/*
+ * This structure is used by the afinfo prepare_input/prepare_output functions
+ * to transmit header information to the mode input/output functions.
+ */
+struct xfrm_mode_skb_cb {
+        union {
+                struct inet_skb_parm h4;
+                struct inet6_skb_parm h6;
+        } header;
+        /* Copied from header for IPv4, always set to zero and DF for IPv6. */
+        __be16 id;
+        __be16 frag_off;
+        /* TOS for IPv4, class for IPv6. */
+        u8 tos;
+        /* TTL for IPv4, hop limitfor IPv6. */
+        u8 ttl;
+        /* Protocol for IPv4, NH for IPv6. */
+        u8 protocol;
+        /* Used by IPv6 only, zero for IPv4. */
+        u8 flow_lbl[3];
+};
+#define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
+/*
+ * This structure is used by the input processing to locate the SPI and
+ * related information.
+ */
+struct xfrm_spi_skb_cb {
+        union {
+                struct inet_skb_parm h4;
+                struct inet6_skb_parm h6;
+        } header;
+        unsigned int daddroff;
+        unsigned int family;
+};
+#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
 /* Audit Information */
 struct xfrm_audit
 {
@@ -462,41 +565,59 @@ struct xfrm_audit
 };
 #ifdef CONFIG_AUDITSYSCALL
-static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid)
+static inline struct audit_buffer *xfrm_audit_start(const char *op)
 {
        struct audit_buffer *audit_buf = NULL;
-        char *secctx;
-        u32 secctx_len;
+        if (audit_enabled == 0)
+                return NULL;
        audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
-                              AUDIT_MAC_IPSEC_EVENT);
+                                    AUDIT_MAC_IPSEC_EVENT);
        if (audit_buf == NULL)
                return NULL;
+        audit_log_format(audit_buf, "op=%s", op);
+        return audit_buf;
+}
-        audit_log_format(audit_buf, "auid=%u", auid);
+static inline void xfrm_audit_helper_usrinfo(u32 auid, u32 secid,
+                                             struct audit_buffer *audit_buf)
+{
+        char *secctx;
+        u32 secctx_len;
-        if (sid != 0 &&
+        audit_log_format(audit_buf, " auid=%u", auid);
-            security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
+        if (secid != 0 &&
+            security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
                audit_log_format(audit_buf, " subj=%s", secctx);
                security_release_secctx(secctx, secctx_len);
        } else
                audit_log_task_context(audit_buf);
-        return audit_buf;
 }
 extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
-                                  u32 auid, u32 sid);
+                                  u32 auid, u32 secid);
 extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
-                                  u32 auid, u32 sid);
+                                  u32 auid, u32 secid);
 extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
-                                 u32 auid, u32 sid);
+                                 u32 auid, u32 secid);
 extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
-                                    u32 auid, u32 sid);
+                                    u32 auid, u32 secid);
+extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
+                                             struct sk_buff *skb);
+extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
+extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
+                                      __be32 net_spi, __be32 net_seq);
+extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
+                                     struct sk_buff *skb, u8 proto);
 #else
 #define xfrm_audit_policy_add(x, r, a, s)       do { ; } while (0)
 #define xfrm_audit_policy_delete(x, r, a, s)    do { ; } while (0)
 #define xfrm_audit_state_add(x, r, a, s)        do { ; } while (0)
 #define xfrm_audit_state_delete(x, r, a, s)     do { ; } while (0)
+#define xfrm_audit_state_replay_overflow(x, s)  do { ; } while (0)
+#define xfrm_audit_state_notfound_simple(s, f)  do { ; } while (0)
+#define xfrm_audit_state_notfound(s, f, sp, sq) do { ; } while (0)
+#define xfrm_audit_state_icvfail(x, s, p)       do { ; } while (0)
 #endif /* CONFIG_AUDITSYSCALL */
 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
@@ -505,12 +626,12 @@ static inline void xfrm_pol_hold(struct xfrm_policy *policy)
                atomic_inc(&policy->refcnt);
 }
-extern void __xfrm_policy_destroy(struct xfrm_policy *policy);
+extern void xfrm_policy_destroy(struct xfrm_policy *policy);
 static inline void xfrm_pol_put(struct xfrm_policy *policy)
 {
        if (atomic_dec_and_test(&policy->refcnt))
-                __xfrm_policy_destroy(policy);
+                xfrm_policy_destroy(policy);
 }
 #ifdef CONFIG_XFRM_SUB_POLICY
@@ -757,17 +878,25 @@ xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short
 }
 #ifdef CONFIG_XFRM
 extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
-static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
+static inline int __xfrm_policy_check2(struct sock *sk, int dir,
+                                       struct sk_buff *skb,
+                                       unsigned int family, int reverse)
 {
+        int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
        if (sk && sk->sk_policy[XFRM_POLICY_IN])
-                return __xfrm_policy_check(sk, dir, skb, family);
+                return __xfrm_policy_check(sk, ndir, skb, family);
        return  (!xfrm_policy_count[dir] && !skb->sp) ||
                (skb->dst->flags & DST_NOPOLICY) ||
-                __xfrm_policy_check(sk, dir, skb, family);
+                __xfrm_policy_check(sk, ndir, skb, family);
+}
+static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
+{
+        return __xfrm_policy_check2(sk, dir, skb, family, 0);
 }
 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
@@ -780,7 +909,34 @@ static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *s
        return xfrm_policy_check(sk, dir, skb, AF_INET6);
 }
-extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family);
+static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
+                                             struct sk_buff *skb)
+{
+        return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
+}
+static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
+                                             struct sk_buff *skb)
+{
+        return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
+}
+extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
+                                 unsigned int family, int reverse);
+static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
+                                      unsigned int family)
+{
+        return __xfrm_decode_session(skb, fl, family, 0);
+}
+static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
+                                              struct flowi *fl,
+                                              unsigned int family)
+{
+        return __xfrm_decode_session(skb, fl, family, 1);
+}
 extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
@@ -841,6 +997,22 @@ static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *sk
 {
        return 1;
 }
+static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
+                                              struct flowi *fl,
+                                              unsigned int family)
+{
+        return -ENOSYS;
+}
+static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
+                                             struct sk_buff *skb)
+{
+        return 1;
+}
+static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
+                                             struct sk_buff *skb)
+{
+        return 1;
+}
 #endif
 static __inline__
@@ -981,12 +1153,27 @@ struct xfrm6_tunnel {
 extern void xfrm_init(void);
 extern void xfrm4_init(void);
-extern void xfrm6_init(void);
-extern void xfrm6_fini(void);
 extern void xfrm_state_init(void);
 extern void xfrm4_state_init(void);
-extern void xfrm6_state_init(void);
+#ifdef CONFIG_XFRM
+extern int xfrm6_init(void);
+extern void xfrm6_fini(void);
+extern int xfrm6_state_init(void);
 extern void xfrm6_state_fini(void);
+#else
+static inline int xfrm6_init(void)
+{
+        return 0;
+}
+static inline void xfrm6_fini(void)
+{
+        ;
+}
+#endif
+#ifdef CONFIG_XFRM_STATISTICS
+extern int xfrm_proc_init(void);
+#endif
 extern int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*), void *);
 extern struct xfrm_state *xfrm_state_alloc(void);
@@ -1045,14 +1232,23 @@ extern int xfrm_state_delete(struct xfrm_state *x);
 extern int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info);
 extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si);
 extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si);
-extern int xfrm_replay_check(struct xfrm_state *x, __be32 seq);
+extern int xfrm_replay_check(struct xfrm_state *x,
+                             struct sk_buff *skb, __be32 seq);
 extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);
 extern void xfrm_replay_notify(struct xfrm_state *x, int event);
 extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
 extern int xfrm_init_state(struct xfrm_state *x);
+extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
+extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi,
+                      int encap_type);
+extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
+extern int xfrm_output_resume(struct sk_buff *skb, int err);
 extern int xfrm_output(struct sk_buff *skb);
+extern int xfrm4_extract_header(struct sk_buff *skb);
+extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
 extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
                           int encap_type);
+extern int xfrm4_transport_finish(struct sk_buff *skb, int async);
 extern int xfrm4_rcv(struct sk_buff *skb);
 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
@@ -1060,10 +1256,15 @@ static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
        return xfrm4_rcv_encap(skb, nexthdr, spi, 0);
 }
+extern int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);
+extern int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
 extern int xfrm4_output(struct sk_buff *skb);
 extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
 extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
+extern int xfrm6_extract_header(struct sk_buff *skb);
+extern int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
 extern int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi);
+extern int xfrm6_transport_finish(struct sk_buff *skb, int async);
 extern int xfrm6_rcv(struct sk_buff *skb);
 extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
                            xfrm_address_t *saddr, u8 proto);
@@ -1072,6 +1273,8 @@ extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short
 extern __be32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);
 extern void xfrm6_tunnel_free_spi(xfrm_address_t *saddr);
 extern __be32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr);
+extern int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);
+extern int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb);
 extern int xfrm6_output(struct sk_buff *skb);
 extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
                                 u8 **prevhdr);
@@ -1079,7 +1282,6 @@ extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
 #ifdef CONFIG_XFRM
 extern int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
 extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
-extern int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family);
 #else
 static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
 {
@@ -1092,11 +1294,6 @@ static inline int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
        kfree_skb(skb);
        return 0;
 }
-static inline int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family)
-{
-        return -EINVAL;
-} 
 #endif
 struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
@@ -1113,11 +1310,9 @@ extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
 struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
                                  xfrm_address_t *daddr, xfrm_address_t *saddr,
                                  int create, unsigned short family);
-extern int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
 extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
 extern int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst,
                          struct flowi *fl, int family, int strict);
-extern void xfrm_init_pmtu(struct dst_entry *dst);
 #ifdef CONFIG_XFRM_MIGRATE
 extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
@@ -1214,4 +1409,9 @@ static inline void xfrm_states_delete(struct xfrm_state **states, int n)
 }
 #endif
+static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
+{
+        return skb->sp->xvec[skb->sp->len - 1];
+}
 #endif  /* _NET_XFRM_H */