Diffstat (limited to 'net/xfrm/xfrm_policy.c')
-rw-r--r--net/xfrm/xfrm_policy.c218
1 files changed, 108 insertions, 110 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 6459588befc3..15792d8b6272 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -50,37 +50,40 @@ static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
50static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo); 50static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
51static void xfrm_init_pmtu(struct dst_entry *dst); 51static void xfrm_init_pmtu(struct dst_entry *dst);
52static int stale_bundle(struct dst_entry *dst); 52static int stale_bundle(struct dst_entry *dst);
53static int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst, 53static int xfrm_bundle_ok(struct xfrm_dst *xdst, int family);
54 struct flowi *fl, int family, int strict);
55 54
56 55
57static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol, 56static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
58 int dir); 57 int dir);
59 58
60static inline int 59static inline int
61__xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl) 60__xfrm4_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
62{ 61{
63 return addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) && 62 const struct flowi4 *fl4 = &fl->u.ip4;
64 addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) && 63
65 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) && 64 return addr_match(&fl4->daddr, &sel->daddr, sel->prefixlen_d) &&
66 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) && 65 addr_match(&fl4->saddr, &sel->saddr, sel->prefixlen_s) &&
67 (fl->proto == sel->proto || !sel->proto) && 66 !((xfrm_flowi_dport(fl, &fl4->uli) ^ sel->dport) & sel->dport_mask) &&
68 (fl->oif == sel->ifindex || !sel->ifindex); 67 !((xfrm_flowi_sport(fl, &fl4->uli) ^ sel->sport) & sel->sport_mask) &&
68 (fl4->flowi4_proto == sel->proto || !sel->proto) &&
69 (fl4->flowi4_oif == sel->ifindex || !sel->ifindex);
69} 70}
70 71
71static inline int 72static inline int
72__xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl) 73__xfrm6_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
73{ 74{
74 return addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) && 75 const struct flowi6 *fl6 = &fl->u.ip6;
75 addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) && 76
76 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) && 77 return addr_match(&fl6->daddr, &sel->daddr, sel->prefixlen_d) &&
77 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) && 78 addr_match(&fl6->saddr, &sel->saddr, sel->prefixlen_s) &&
78 (fl->proto == sel->proto || !sel->proto) && 79 !((xfrm_flowi_dport(fl, &fl6->uli) ^ sel->dport) & sel->dport_mask) &&
79 (fl->oif == sel->ifindex || !sel->ifindex); 80 !((xfrm_flowi_sport(fl, &fl6->uli) ^ sel->sport) & sel->sport_mask) &&
81 (fl6->flowi6_proto == sel->proto || !sel->proto) &&
82 (fl6->flowi6_oif == sel->ifindex || !sel->ifindex);
80} 83}
81 84
82int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl, 85int xfrm_selector_match(const struct xfrm_selector *sel, const struct flowi *fl,
83 unsigned short family) 86 unsigned short family)
84{ 87{
85 switch (family) { 88 switch (family) {
86 case AF_INET: 89 case AF_INET:
@@ -92,8 +95,8 @@ int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
92} 95}
93 96
94static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, 97static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos,
95 xfrm_address_t *saddr, 98 const xfrm_address_t *saddr,
96 xfrm_address_t *daddr, 99 const xfrm_address_t *daddr,
97 int family) 100 int family)
98{ 101{
99 struct xfrm_policy_afinfo *afinfo; 102 struct xfrm_policy_afinfo *afinfo;
@@ -311,7 +314,9 @@ static inline unsigned int idx_hash(struct net *net, u32 index)
311 return __idx_hash(index, net->xfrm.policy_idx_hmask); 314 return __idx_hash(index, net->xfrm.policy_idx_hmask);
312} 315}
313 316
314static struct hlist_head *policy_hash_bysel(struct net *net, struct xfrm_selector *sel, unsigned short family, int dir) 317static struct hlist_head *policy_hash_bysel(struct net *net,
318 const struct xfrm_selector *sel,
319 unsigned short family, int dir)
315{ 320{
316 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask; 321 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
317 unsigned int hash = __sel_hash(sel, family, hmask); 322 unsigned int hash = __sel_hash(sel, family, hmask);
@@ -321,7 +326,10 @@ static struct hlist_head *policy_hash_bysel(struct net *net, struct xfrm_selecto
321 net->xfrm.policy_bydst[dir].table + hash); 326 net->xfrm.policy_bydst[dir].table + hash);
322} 327}
323 328
324static struct hlist_head *policy_hash_direct(struct net *net, xfrm_address_t *daddr, xfrm_address_t *saddr, unsigned short family, int dir) 329static struct hlist_head *policy_hash_direct(struct net *net,
330 const xfrm_address_t *daddr,
331 const xfrm_address_t *saddr,
332 unsigned short family, int dir)
325{ 333{
326 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask; 334 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
327 unsigned int hash = __addr_hash(daddr, saddr, family, hmask); 335 unsigned int hash = __addr_hash(daddr, saddr, family, hmask);
@@ -864,32 +872,33 @@ EXPORT_SYMBOL(xfrm_policy_walk_done);
864 * 872 *
865 * Returns 0 if policy found, else an -errno. 873 * Returns 0 if policy found, else an -errno.
866 */ 874 */
867static int xfrm_policy_match(struct xfrm_policy *pol, struct flowi *fl, 875static int xfrm_policy_match(const struct xfrm_policy *pol,
876 const struct flowi *fl,
868 u8 type, u16 family, int dir) 877 u8 type, u16 family, int dir)
869{ 878{
870 struct xfrm_selector *sel = &pol->selector; 879 const struct xfrm_selector *sel = &pol->selector;
871 int match, ret = -ESRCH; 880 int match, ret = -ESRCH;
872 881
873 if (pol->family != family || 882 if (pol->family != family ||
874 (fl->mark & pol->mark.m) != pol->mark.v || 883 (fl->flowi_mark & pol->mark.m) != pol->mark.v ||
875 pol->type != type) 884 pol->type != type)
876 return ret; 885 return ret;
877 886
878 match = xfrm_selector_match(sel, fl, family); 887 match = xfrm_selector_match(sel, fl, family);
879 if (match) 888 if (match)
880 ret = security_xfrm_policy_lookup(pol->security, fl->secid, 889 ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid,
881 dir); 890 dir);
882 891
883 return ret; 892 return ret;
884} 893}
885 894
886static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type, 895static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
887 struct flowi *fl, 896 const struct flowi *fl,
888 u16 family, u8 dir) 897 u16 family, u8 dir)
889{ 898{
890 int err; 899 int err;
891 struct xfrm_policy *pol, *ret; 900 struct xfrm_policy *pol, *ret;
892 xfrm_address_t *daddr, *saddr; 901 const xfrm_address_t *daddr, *saddr;
893 struct hlist_node *entry; 902 struct hlist_node *entry;
894 struct hlist_head *chain; 903 struct hlist_head *chain;
895 u32 priority = ~0U; 904 u32 priority = ~0U;
@@ -941,7 +950,7 @@ fail:
941} 950}
942 951
943static struct xfrm_policy * 952static struct xfrm_policy *
944__xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir) 953__xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir)
945{ 954{
946#ifdef CONFIG_XFRM_SUB_POLICY 955#ifdef CONFIG_XFRM_SUB_POLICY
947 struct xfrm_policy *pol; 956 struct xfrm_policy *pol;
@@ -954,7 +963,7 @@ __xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir)
954} 963}
955 964
956static struct flow_cache_object * 965static struct flow_cache_object *
957xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, 966xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family,
958 u8 dir, struct flow_cache_object *old_obj, void *ctx) 967 u8 dir, struct flow_cache_object *old_obj, void *ctx)
959{ 968{
960 struct xfrm_policy *pol; 969 struct xfrm_policy *pol;
@@ -990,7 +999,8 @@ static inline int policy_to_flow_dir(int dir)
990 } 999 }
991} 1000}
992 1001
993static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl) 1002static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir,
1003 const struct flowi *fl)
994{ 1004{
995 struct xfrm_policy *pol; 1005 struct xfrm_policy *pol;
996 1006
@@ -1006,7 +1016,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struc
1006 goto out; 1016 goto out;
1007 } 1017 }
1008 err = security_xfrm_policy_lookup(pol->security, 1018 err = security_xfrm_policy_lookup(pol->security,
1009 fl->secid, 1019 fl->flowi_secid,
1010 policy_to_flow_dir(dir)); 1020 policy_to_flow_dir(dir));
1011 if (!err) 1021 if (!err)
1012 xfrm_pol_hold(pol); 1022 xfrm_pol_hold(pol);
@@ -1098,7 +1108,7 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
1098 return 0; 1108 return 0;
1099} 1109}
1100 1110
1101static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir) 1111static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
1102{ 1112{
1103 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC); 1113 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC);
1104 1114
@@ -1157,9 +1167,8 @@ xfrm_get_saddr(struct net *net, xfrm_address_t *local, xfrm_address_t *remote,
1157/* Resolve list of templates for the flow, given policy. */ 1167/* Resolve list of templates for the flow, given policy. */
1158 1168
1159static int 1169static int
1160xfrm_tmpl_resolve_one(struct xfrm_policy *policy, struct flowi *fl, 1170xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
1161 struct xfrm_state **xfrm, 1171 struct xfrm_state **xfrm, unsigned short family)
1162 unsigned short family)
1163{ 1172{
1164 struct net *net = xp_net(policy); 1173 struct net *net = xp_net(policy);
1165 int nx; 1174 int nx;
@@ -1214,9 +1223,8 @@ fail:
1214} 1223}
1215 1224
1216static int 1225static int
1217xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl, 1226xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl,
1218 struct xfrm_state **xfrm, 1227 struct xfrm_state **xfrm, unsigned short family)
1219 unsigned short family)
1220{ 1228{
1221 struct xfrm_state *tp[XFRM_MAX_DEPTH]; 1229 struct xfrm_state *tp[XFRM_MAX_DEPTH];
1222 struct xfrm_state **tpp = (npols > 1) ? tp : xfrm; 1230 struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
@@ -1256,7 +1264,7 @@ xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl,
1256 * still valid. 1264 * still valid.
1257 */ 1265 */
1258 1266
1259static inline int xfrm_get_tos(struct flowi *fl, int family) 1267static inline int xfrm_get_tos(const struct flowi *fl, int family)
1260{ 1268{
1261 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1269 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1262 int tos; 1270 int tos;
@@ -1340,7 +1348,7 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
1340 default: 1348 default:
1341 BUG(); 1349 BUG();
1342 } 1350 }
1343 xdst = dst_alloc(dst_ops); 1351 xdst = dst_alloc(dst_ops, 0);
1344 xfrm_policy_put_afinfo(afinfo); 1352 xfrm_policy_put_afinfo(afinfo);
1345 1353
1346 if (likely(xdst)) 1354 if (likely(xdst))
@@ -1369,7 +1377,7 @@ static inline int xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst,
1369} 1377}
1370 1378
1371static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev, 1379static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
1372 struct flowi *fl) 1380 const struct flowi *fl)
1373{ 1381{
1374 struct xfrm_policy_afinfo *afinfo = 1382 struct xfrm_policy_afinfo *afinfo =
1375 xfrm_policy_get_afinfo(xdst->u.dst.ops->family); 1383 xfrm_policy_get_afinfo(xdst->u.dst.ops->family);
@@ -1392,7 +1400,7 @@ static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
1392 1400
1393static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy, 1401static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
1394 struct xfrm_state **xfrm, int nx, 1402 struct xfrm_state **xfrm, int nx,
1395 struct flowi *fl, 1403 const struct flowi *fl,
1396 struct dst_entry *dst) 1404 struct dst_entry *dst)
1397{ 1405{
1398 struct net *net = xp_net(policy); 1406 struct net *net = xp_net(policy);
@@ -1508,7 +1516,7 @@ free_dst:
1508} 1516}
1509 1517
1510static int inline 1518static int inline
1511xfrm_dst_alloc_copy(void **target, void *src, int size) 1519xfrm_dst_alloc_copy(void **target, const void *src, int size)
1512{ 1520{
1513 if (!*target) { 1521 if (!*target) {
1514 *target = kmalloc(size, GFP_ATOMIC); 1522 *target = kmalloc(size, GFP_ATOMIC);
@@ -1520,7 +1528,7 @@ xfrm_dst_alloc_copy(void **target, void *src, int size)
1520} 1528}
1521 1529
1522static int inline 1530static int inline
1523xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel) 1531xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
1524{ 1532{
1525#ifdef CONFIG_XFRM_SUB_POLICY 1533#ifdef CONFIG_XFRM_SUB_POLICY
1526 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 1534 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
@@ -1532,7 +1540,7 @@ xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
1532} 1540}
1533 1541
1534static int inline 1542static int inline
1535xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl) 1543xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
1536{ 1544{
1537#ifdef CONFIG_XFRM_SUB_POLICY 1545#ifdef CONFIG_XFRM_SUB_POLICY
1538 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 1546 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
@@ -1542,7 +1550,7 @@ xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
1542#endif 1550#endif
1543} 1551}
1544 1552
1545static int xfrm_expand_policies(struct flowi *fl, u16 family, 1553static int xfrm_expand_policies(const struct flowi *fl, u16 family,
1546 struct xfrm_policy **pols, 1554 struct xfrm_policy **pols,
1547 int *num_pols, int *num_xfrms) 1555 int *num_pols, int *num_xfrms)
1548{ 1556{
@@ -1588,7 +1596,7 @@ static int xfrm_expand_policies(struct flowi *fl, u16 family,
1588 1596
1589static struct xfrm_dst * 1597static struct xfrm_dst *
1590xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols, 1598xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
1591 struct flowi *fl, u16 family, 1599 const struct flowi *fl, u16 family,
1592 struct dst_entry *dst_orig) 1600 struct dst_entry *dst_orig)
1593{ 1601{
1594 struct net *net = xp_net(pols[0]); 1602 struct net *net = xp_net(pols[0]);
@@ -1631,7 +1639,7 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
1631} 1639}
1632 1640
1633static struct flow_cache_object * 1641static struct flow_cache_object *
1634xfrm_bundle_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir, 1642xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir,
1635 struct flow_cache_object *oldflo, void *ctx) 1643 struct flow_cache_object *oldflo, void *ctx)
1636{ 1644{
1637 struct dst_entry *dst_orig = (struct dst_entry *)ctx; 1645 struct dst_entry *dst_orig = (struct dst_entry *)ctx;
@@ -1730,18 +1738,36 @@ error:
1730 return ERR_PTR(err); 1738 return ERR_PTR(err);
1731} 1739}
1732 1740
1741static struct dst_entry *make_blackhole(struct net *net, u16 family,
1742 struct dst_entry *dst_orig)
1743{
1744 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1745 struct dst_entry *ret;
1746
1747 if (!afinfo) {
1748 dst_release(dst_orig);
1749 ret = ERR_PTR(-EINVAL);
1750 } else {
1751 ret = afinfo->blackhole_route(net, dst_orig);
1752 }
1753 xfrm_policy_put_afinfo(afinfo);
1754
1755 return ret;
1756}
1757
1733/* Main function: finds/creates a bundle for given flow. 1758/* Main function: finds/creates a bundle for given flow.
1734 * 1759 *
1735 * At the moment we eat a raw IP route. Mostly to speed up lookups 1760 * At the moment we eat a raw IP route. Mostly to speed up lookups
1736 * on interfaces with disabled IPsec. 1761 * on interfaces with disabled IPsec.
1737 */ 1762 */
1738int __xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl, 1763struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
1739 struct sock *sk, int flags) 1764 const struct flowi *fl,
1765 struct sock *sk, int flags)
1740{ 1766{
1741 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; 1767 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1742 struct flow_cache_object *flo; 1768 struct flow_cache_object *flo;
1743 struct xfrm_dst *xdst; 1769 struct xfrm_dst *xdst;
1744 struct dst_entry *dst, *dst_orig = *dst_p, *route; 1770 struct dst_entry *dst, *route;
1745 u16 family = dst_orig->ops->family; 1771 u16 family = dst_orig->ops->family;
1746 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT); 1772 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
1747 int i, err, num_pols, num_xfrms = 0, drop_pols = 0; 1773 int i, err, num_pols, num_xfrms = 0, drop_pols = 0;
@@ -1778,6 +1804,8 @@ restart:
1778 goto no_transform; 1804 goto no_transform;
1779 } 1805 }
1780 1806
1807 dst_hold(&xdst->u.dst);
1808
1781 spin_lock_bh(&xfrm_policy_sk_bundle_lock); 1809 spin_lock_bh(&xfrm_policy_sk_bundle_lock);
1782 xdst->u.dst.next = xfrm_policy_sk_bundles; 1810 xdst->u.dst.next = xfrm_policy_sk_bundles;
1783 xfrm_policy_sk_bundles = &xdst->u.dst; 1811 xfrm_policy_sk_bundles = &xdst->u.dst;
@@ -1823,9 +1851,10 @@ restart:
1823 dst_release(dst); 1851 dst_release(dst);
1824 xfrm_pols_put(pols, drop_pols); 1852 xfrm_pols_put(pols, drop_pols);
1825 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES); 1853 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1826 return -EREMOTE; 1854
1855 return make_blackhole(net, family, dst_orig);
1827 } 1856 }
1828 if (flags & XFRM_LOOKUP_WAIT) { 1857 if (fl->flowi_flags & FLOWI_FLAG_CAN_SLEEP) {
1829 DECLARE_WAITQUEUE(wait, current); 1858 DECLARE_WAITQUEUE(wait, current);
1830 1859
1831 add_wait_queue(&net->xfrm.km_waitq, &wait); 1860 add_wait_queue(&net->xfrm.km_waitq, &wait);
@@ -1867,47 +1896,33 @@ no_transform:
1867 goto error; 1896 goto error;
1868 } else if (num_xfrms > 0) { 1897 } else if (num_xfrms > 0) {
1869 /* Flow transformed */ 1898 /* Flow transformed */
1870 *dst_p = dst;
1871 dst_release(dst_orig); 1899 dst_release(dst_orig);
1872 } else { 1900 } else {
1873 /* Flow passes untransformed */ 1901 /* Flow passes untransformed */
1874 dst_release(dst); 1902 dst_release(dst);
1903 dst = dst_orig;
1875 } 1904 }
1876ok: 1905ok:
1877 xfrm_pols_put(pols, drop_pols); 1906 xfrm_pols_put(pols, drop_pols);
1878 return 0; 1907 return dst;
1879 1908
1880nopol: 1909nopol:
1881 if (!(flags & XFRM_LOOKUP_ICMP)) 1910 if (!(flags & XFRM_LOOKUP_ICMP)) {
1911 dst = dst_orig;
1882 goto ok; 1912 goto ok;
1913 }
1883 err = -ENOENT; 1914 err = -ENOENT;
1884error: 1915error:
1885 dst_release(dst); 1916 dst_release(dst);
1886dropdst: 1917dropdst:
1887 dst_release(dst_orig); 1918 dst_release(dst_orig);
1888 *dst_p = NULL;
1889 xfrm_pols_put(pols, drop_pols); 1919 xfrm_pols_put(pols, drop_pols);
1890 return err; 1920 return ERR_PTR(err);
1891}
1892EXPORT_SYMBOL(__xfrm_lookup);
1893
1894int xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl,
1895 struct sock *sk, int flags)
1896{
1897 int err = __xfrm_lookup(net, dst_p, fl, sk, flags);
1898
1899 if (err == -EREMOTE) {
1900 dst_release(*dst_p);
1901 *dst_p = NULL;
1902 err = -EAGAIN;
1903 }
1904
1905 return err;
1906} 1921}
1907EXPORT_SYMBOL(xfrm_lookup); 1922EXPORT_SYMBOL(xfrm_lookup);
1908 1923
1909static inline int 1924static inline int
1910xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl) 1925xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
1911{ 1926{
1912 struct xfrm_state *x; 1927 struct xfrm_state *x;
1913 1928
@@ -1926,7 +1941,7 @@ xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl)
1926 */ 1941 */
1927 1942
1928static inline int 1943static inline int
1929xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x, 1944xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
1930 unsigned short family) 1945 unsigned short family)
1931{ 1946{
1932 if (xfrm_state_kern(x)) 1947 if (xfrm_state_kern(x))
@@ -1949,7 +1964,7 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
1949 * Otherwise "-2 - errored_index" is returned. 1964 * Otherwise "-2 - errored_index" is returned.
1950 */ 1965 */
1951static inline int 1966static inline int
1952xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start, 1967xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start,
1953 unsigned short family) 1968 unsigned short family)
1954{ 1969{
1955 int idx = start; 1970 int idx = start;
@@ -1981,13 +1996,13 @@ int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1981 return -EAFNOSUPPORT; 1996 return -EAFNOSUPPORT;
1982 1997
1983 afinfo->decode_session(skb, fl, reverse); 1998 afinfo->decode_session(skb, fl, reverse);
1984 err = security_xfrm_decode_session(skb, &fl->secid); 1999 err = security_xfrm_decode_session(skb, &fl->flowi_secid);
1985 xfrm_policy_put_afinfo(afinfo); 2000 xfrm_policy_put_afinfo(afinfo);
1986 return err; 2001 return err;
1987} 2002}
1988EXPORT_SYMBOL(__xfrm_decode_session); 2003EXPORT_SYMBOL(__xfrm_decode_session);
1989 2004
1990static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp) 2005static inline int secpath_has_nontransport(const struct sec_path *sp, int k, int *idxp)
1991{ 2006{
1992 for (; k < sp->len; k++) { 2007 for (; k < sp->len; k++) {
1993 if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) { 2008 if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
@@ -2162,7 +2177,7 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
2162 struct net *net = dev_net(skb->dev); 2177 struct net *net = dev_net(skb->dev);
2163 struct flowi fl; 2178 struct flowi fl;
2164 struct dst_entry *dst; 2179 struct dst_entry *dst;
2165 int res; 2180 int res = 1;
2166 2181
2167 if (xfrm_decode_session(skb, &fl, family) < 0) { 2182 if (xfrm_decode_session(skb, &fl, family) < 0) {
2168 XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR); 2183 XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
@@ -2170,9 +2185,12 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
2170 } 2185 }
2171 2186
2172 skb_dst_force(skb); 2187 skb_dst_force(skb);
2173 dst = skb_dst(skb);
2174 2188
2175 res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0; 2189 dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, 0);
2190 if (IS_ERR(dst)) {
2191 res = 0;
2192 dst = NULL;
2193 }
2176 skb_dst_set(skb, dst); 2194 skb_dst_set(skb, dst);
2177 return res; 2195 return res;
2178} 2196}
@@ -2210,7 +2228,7 @@ static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
2210 2228
2211static int stale_bundle(struct dst_entry *dst) 2229static int stale_bundle(struct dst_entry *dst)
2212{ 2230{
2213 return !xfrm_bundle_ok(NULL, (struct xfrm_dst *)dst, NULL, AF_UNSPEC, 0); 2231 return !xfrm_bundle_ok((struct xfrm_dst *)dst, AF_UNSPEC);
2214} 2232}
2215 2233
2216void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev) 2234void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
@@ -2282,8 +2300,7 @@ static void xfrm_init_pmtu(struct dst_entry *dst)
2282 * still valid. 2300 * still valid.
2283 */ 2301 */
2284 2302
2285static int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first, 2303static int xfrm_bundle_ok(struct xfrm_dst *first, int family)
2286 struct flowi *fl, int family, int strict)
2287{ 2304{
2288 struct dst_entry *dst = &first->u.dst; 2305 struct dst_entry *dst = &first->u.dst;
2289 struct xfrm_dst *last; 2306 struct xfrm_dst *last;
@@ -2292,26 +2309,12 @@ static int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
2292 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) || 2309 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
2293 (dst->dev && !netif_running(dst->dev))) 2310 (dst->dev && !netif_running(dst->dev)))
2294 return 0; 2311 return 0;
2295#ifdef CONFIG_XFRM_SUB_POLICY
2296 if (fl) {
2297 if (first->origin && !flow_cache_uli_match(first->origin, fl))
2298 return 0;
2299 if (first->partner &&
2300 !xfrm_selector_match(first->partner, fl, family))
2301 return 0;
2302 }
2303#endif
2304 2312
2305 last = NULL; 2313 last = NULL;
2306 2314
2307 do { 2315 do {
2308 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 2316 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
2309 2317
2310 if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
2311 return 0;
2312 if (fl && pol &&
2313 !security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl))
2314 return 0;
2315 if (dst->xfrm->km.state != XFRM_STATE_VALID) 2318 if (dst->xfrm->km.state != XFRM_STATE_VALID)
2316 return 0; 2319 return 0;
2317 if (xdst->xfrm_genid != dst->xfrm->genid) 2320 if (xdst->xfrm_genid != dst->xfrm->genid)
@@ -2320,11 +2323,6 @@ static int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
2320 xdst->policy_genid != atomic_read(&xdst->pols[0]->genid)) 2323 xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
2321 return 0; 2324 return 0;
2322 2325
2323 if (strict && fl &&
2324 !(dst->xfrm->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
2325 !xfrm_state_addr_flow_check(dst->xfrm, fl, family))
2326 return 0;
2327
2328 mtu = dst_mtu(dst->child); 2326 mtu = dst_mtu(dst->child);
2329 if (xdst->child_mtu_cached != mtu) { 2327 if (xdst->child_mtu_cached != mtu) {
2330 last = xdst; 2328 last = xdst;
@@ -2735,8 +2733,8 @@ EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
2735#endif 2733#endif
2736 2734
2737#ifdef CONFIG_XFRM_MIGRATE 2735#ifdef CONFIG_XFRM_MIGRATE
2738static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp, 2736static int xfrm_migrate_selector_match(const struct xfrm_selector *sel_cmp,
2739 struct xfrm_selector *sel_tgt) 2737 const struct xfrm_selector *sel_tgt)
2740{ 2738{
2741 if (sel_cmp->proto == IPSEC_ULPROTO_ANY) { 2739 if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
2742 if (sel_tgt->family == sel_cmp->family && 2740 if (sel_tgt->family == sel_cmp->family &&
@@ -2756,7 +2754,7 @@ static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp,
2756 return 0; 2754 return 0;
2757} 2755}
2758 2756
2759static struct xfrm_policy * xfrm_migrate_policy_find(struct xfrm_selector *sel, 2757static struct xfrm_policy * xfrm_migrate_policy_find(const struct xfrm_selector *sel,
2760 u8 dir, u8 type) 2758 u8 dir, u8 type)
2761{ 2759{
2762 struct xfrm_policy *pol, *ret = NULL; 2760 struct xfrm_policy *pol, *ret = NULL;
@@ -2792,7 +2790,7 @@ static struct xfrm_policy * xfrm_migrate_policy_find(struct xfrm_selector *sel,
2792 return ret; 2790 return ret;
2793} 2791}
2794 2792
2795static int migrate_tmpl_match(struct xfrm_migrate *m, struct xfrm_tmpl *t) 2793static int migrate_tmpl_match(const struct xfrm_migrate *m, const struct xfrm_tmpl *t)
2796{ 2794{
2797 int match = 0; 2795 int match = 0;
2798 2796
@@ -2862,7 +2860,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
2862 return 0; 2860 return 0;
2863} 2861}
2864 2862
2865static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate) 2863static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate)
2866{ 2864{
2867 int i, j; 2865 int i, j;
2868 2866
@@ -2896,7 +2894,7 @@ static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate)
2896 return 0; 2894 return 0;
2897} 2895}
2898 2896
2899int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 2897int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
2900 struct xfrm_migrate *m, int num_migrate, 2898 struct xfrm_migrate *m, int num_migrate,
2901 struct xfrm_kmaddress *k) 2899 struct xfrm_kmaddress *k)
2902{ 2900{
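Review bot: In the new `make_blackhole` (new lines 1741–1756) the `!afinfo` branch releases `dst_orig` and sets `ret`, but then falls through to `xfrm_policy_put_afinfo(afinfo)` with a NULL `afinfo`; every other get/put pairing visible in this file returns before the put when the get fails (see the `return -EAFNOSUPPORT` ahead of `afinfo->decode_session` at new lines 1996–2000), and if the put drops a lock or reference that only a successful get acquired, this branch unbalances it. Return directly from the branch instead, `if (!afinfo) { dst_release(dst_orig); return ERR_PTR(-EINVAL); }`, leaving the put only on the success path. The header comment above `xfrm_lookup` at new lines 1758–1762 was also not updated for the changed contract: the function now returns `dst_orig` itself, a new bundle `dst`, or an `ERR_PTR()`, and the `dropdst:` path releases the caller's reference on `dst_orig`; a sentence such as `Returns dst_orig, a transformed dst, or an ERR_PTR(); on error the reference to dst_orig is dropped.` would save callers from reading the label maze. The body of `xfrm_lookup` continues outside the hunks shown.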