mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-24 17:23:25 -05:00
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
Steffen Klassert says: ==================== pull request (net-next): ipsec-next 2019-07-05 1) A lot of work to remove indirections from the xfrm code. From Florian Westphal. 2) Fix a WARN_ON with ipv6 that triggered because of a forgotten break statement. From Florian Westphal. 3) Remove xfrmi_init_net, it is not needed. From Li RongQing. Please pull or let me know if there are problems. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
commit
e3b60ffbc1
18 changed files with 385 additions and 416 deletions
|
@ -346,22 +346,19 @@ void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
|
||||||
int __xfrm_state_delete(struct xfrm_state *x);
|
int __xfrm_state_delete(struct xfrm_state *x);
|
||||||
|
|
||||||
struct xfrm_state_afinfo {
|
struct xfrm_state_afinfo {
|
||||||
unsigned int family;
|
u8 family;
|
||||||
unsigned int proto;
|
u8 proto;
|
||||||
__be16 eth_proto;
|
|
||||||
struct module *owner;
|
const struct xfrm_type_offload *type_offload_esp;
|
||||||
const struct xfrm_type *type_map[IPPROTO_MAX];
|
|
||||||
const struct xfrm_type_offload *type_offload_map[IPPROTO_MAX];
|
const struct xfrm_type *type_esp;
|
||||||
|
const struct xfrm_type *type_ipip;
|
||||||
|
const struct xfrm_type *type_ipip6;
|
||||||
|
const struct xfrm_type *type_comp;
|
||||||
|
const struct xfrm_type *type_ah;
|
||||||
|
const struct xfrm_type *type_routing;
|
||||||
|
const struct xfrm_type *type_dstopts;
|
||||||
|
|
||||||
int (*init_flags)(struct xfrm_state *x);
|
|
||||||
void (*init_tempsel)(struct xfrm_selector *sel,
|
|
||||||
const struct flowi *fl);
|
|
||||||
void (*init_temprop)(struct xfrm_state *x,
|
|
||||||
const struct xfrm_tmpl *tmpl,
|
|
||||||
const xfrm_address_t *daddr,
|
|
||||||
const xfrm_address_t *saddr);
|
|
||||||
int (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
|
|
||||||
int (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
|
|
||||||
int (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
|
int (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
|
||||||
int (*output_finish)(struct sock *sk, struct sk_buff *skb);
|
int (*output_finish)(struct sock *sk, struct sk_buff *skb);
|
||||||
int (*extract_input)(struct xfrm_state *x,
|
int (*extract_input)(struct xfrm_state *x,
|
||||||
|
@ -407,12 +404,10 @@ struct xfrm_type {
|
||||||
int (*reject)(struct xfrm_state *, struct sk_buff *,
|
int (*reject)(struct xfrm_state *, struct sk_buff *,
|
||||||
const struct flowi *);
|
const struct flowi *);
|
||||||
int (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
|
int (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
|
||||||
/* Estimate maximal size of result of transformation of a dgram */
|
|
||||||
u32 (*get_mtu)(struct xfrm_state *, int size);
|
|
||||||
};
|
};
|
||||||
|
|
||||||
int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
|
int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
|
||||||
int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
|
void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
|
||||||
|
|
||||||
struct xfrm_type_offload {
|
struct xfrm_type_offload {
|
||||||
char *description;
|
char *description;
|
||||||
|
@ -424,7 +419,7 @@ struct xfrm_type_offload {
|
||||||
};
|
};
|
||||||
|
|
||||||
int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);
|
int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);
|
||||||
int xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);
|
void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);
|
||||||
|
|
||||||
static inline int xfrm_af2proto(unsigned int family)
|
static inline int xfrm_af2proto(unsigned int family)
|
||||||
{
|
{
|
||||||
|
@ -1508,21 +1503,19 @@ struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
|
||||||
u8 proto,
|
u8 proto,
|
||||||
unsigned short family);
|
unsigned short family);
|
||||||
#ifdef CONFIG_XFRM_SUB_POLICY
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
||||||
int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
|
void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
|
||||||
unsigned short family, struct net *net);
|
|
||||||
int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
|
|
||||||
unsigned short family);
|
unsigned short family);
|
||||||
|
void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
|
||||||
|
unsigned short family);
|
||||||
#else
|
#else
|
||||||
static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
|
static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s,
|
||||||
int n, unsigned short family, struct net *net)
|
|
||||||
{
|
|
||||||
return -ENOSYS;
|
|
||||||
}
|
|
||||||
|
|
||||||
static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
|
|
||||||
int n, unsigned short family)
|
int n, unsigned short family)
|
||||||
{
|
{
|
||||||
return -ENOSYS;
|
}
|
||||||
|
|
||||||
|
static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s,
|
||||||
|
int n, unsigned short family)
|
||||||
|
{
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -1551,7 +1544,7 @@ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
|
||||||
void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
|
void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
|
||||||
u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
|
u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
|
||||||
int xfrm_init_replay(struct xfrm_state *x);
|
int xfrm_init_replay(struct xfrm_state *x);
|
||||||
int xfrm_state_mtu(struct xfrm_state *x, int mtu);
|
u32 xfrm_state_mtu(struct xfrm_state *x, int mtu);
|
||||||
int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload);
|
int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload);
|
||||||
int xfrm_init_state(struct xfrm_state *x);
|
int xfrm_init_state(struct xfrm_state *x);
|
||||||
int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
|
int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
|
||||||
|
|
|
@ -590,8 +590,7 @@ static void __exit ah4_fini(void)
|
||||||
{
|
{
|
||||||
if (xfrm4_protocol_deregister(&ah4_protocol, IPPROTO_AH) < 0)
|
if (xfrm4_protocol_deregister(&ah4_protocol, IPPROTO_AH) < 0)
|
||||||
pr_info("%s: can't remove protocol\n", __func__);
|
pr_info("%s: can't remove protocol\n", __func__);
|
||||||
if (xfrm_unregister_type(&ah_type, AF_INET) < 0)
|
xfrm_unregister_type(&ah_type, AF_INET);
|
||||||
pr_info("%s: can't remove xfrm type\n", __func__);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module_init(ah4_init);
|
module_init(ah4_init);
|
||||||
|
|
|
@ -33,8 +33,6 @@ struct esp_output_extra {
|
||||||
|
|
||||||
#define ESP_SKB_CB(__skb) ((struct esp_skb_cb *)&((__skb)->cb[0]))
|
#define ESP_SKB_CB(__skb) ((struct esp_skb_cb *)&((__skb)->cb[0]))
|
||||||
|
|
||||||
static u32 esp4_get_mtu(struct xfrm_state *x, int mtu);
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Allocate an AEAD request structure with extra space for SG and IV.
|
* Allocate an AEAD request structure with extra space for SG and IV.
|
||||||
*
|
*
|
||||||
|
@ -506,7 +504,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
|
||||||
struct xfrm_dst *dst = (struct xfrm_dst *)skb_dst(skb);
|
struct xfrm_dst *dst = (struct xfrm_dst *)skb_dst(skb);
|
||||||
u32 padto;
|
u32 padto;
|
||||||
|
|
||||||
padto = min(x->tfcpad, esp4_get_mtu(x, dst->child_mtu_cached));
|
padto = min(x->tfcpad, xfrm_state_mtu(x, dst->child_mtu_cached));
|
||||||
if (skb->len < padto)
|
if (skb->len < padto)
|
||||||
esp.tfclen = padto - skb->len;
|
esp.tfclen = padto - skb->len;
|
||||||
}
|
}
|
||||||
|
@ -788,28 +786,6 @@ out:
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
|
||||||
static u32 esp4_get_mtu(struct xfrm_state *x, int mtu)
|
|
||||||
{
|
|
||||||
struct crypto_aead *aead = x->data;
|
|
||||||
u32 blksize = ALIGN(crypto_aead_blocksize(aead), 4);
|
|
||||||
unsigned int net_adj;
|
|
||||||
|
|
||||||
switch (x->props.mode) {
|
|
||||||
case XFRM_MODE_TRANSPORT:
|
|
||||||
case XFRM_MODE_BEET:
|
|
||||||
net_adj = sizeof(struct iphdr);
|
|
||||||
break;
|
|
||||||
case XFRM_MODE_TUNNEL:
|
|
||||||
net_adj = 0;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
BUG();
|
|
||||||
}
|
|
||||||
|
|
||||||
return ((mtu - x->props.header_len - crypto_aead_authsize(aead) -
|
|
||||||
net_adj) & ~(blksize - 1)) + net_adj - 2;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int esp4_err(struct sk_buff *skb, u32 info)
|
static int esp4_err(struct sk_buff *skb, u32 info)
|
||||||
{
|
{
|
||||||
struct net *net = dev_net(skb->dev);
|
struct net *net = dev_net(skb->dev);
|
||||||
|
@ -1035,7 +1011,6 @@ static const struct xfrm_type esp_type =
|
||||||
.flags = XFRM_TYPE_REPLAY_PROT,
|
.flags = XFRM_TYPE_REPLAY_PROT,
|
||||||
.init_state = esp_init_state,
|
.init_state = esp_init_state,
|
||||||
.destructor = esp_destroy,
|
.destructor = esp_destroy,
|
||||||
.get_mtu = esp4_get_mtu,
|
|
||||||
.input = esp_input,
|
.input = esp_input,
|
||||||
.output = esp_output,
|
.output = esp_output,
|
||||||
};
|
};
|
||||||
|
@ -1066,8 +1041,7 @@ static void __exit esp4_fini(void)
|
||||||
{
|
{
|
||||||
if (xfrm4_protocol_deregister(&esp4_protocol, IPPROTO_ESP) < 0)
|
if (xfrm4_protocol_deregister(&esp4_protocol, IPPROTO_ESP) < 0)
|
||||||
pr_info("%s: can't remove protocol\n", __func__);
|
pr_info("%s: can't remove protocol\n", __func__);
|
||||||
if (xfrm_unregister_type(&esp_type, AF_INET) < 0)
|
xfrm_unregister_type(&esp_type, AF_INET);
|
||||||
pr_info("%s: can't remove xfrm type\n", __func__);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module_init(esp4_init);
|
module_init(esp4_init);
|
||||||
|
|
|
@ -312,9 +312,7 @@ static int __init esp4_offload_init(void)
|
||||||
|
|
||||||
static void __exit esp4_offload_exit(void)
|
static void __exit esp4_offload_exit(void)
|
||||||
{
|
{
|
||||||
if (xfrm_unregister_type_offload(&esp_type_offload, AF_INET) < 0)
|
xfrm_unregister_type_offload(&esp_type_offload, AF_INET);
|
||||||
pr_info("%s: can't remove xfrm type offload\n", __func__);
|
|
||||||
|
|
||||||
inet_del_offload(&esp4_offload, IPPROTO_ESP);
|
inet_del_offload(&esp4_offload, IPPROTO_ESP);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -186,8 +186,7 @@ static void __exit ipcomp4_fini(void)
|
||||||
{
|
{
|
||||||
if (xfrm4_protocol_deregister(&ipcomp4_protocol, IPPROTO_COMP) < 0)
|
if (xfrm4_protocol_deregister(&ipcomp4_protocol, IPPROTO_COMP) < 0)
|
||||||
pr_info("%s: can't remove protocol\n", __func__);
|
pr_info("%s: can't remove protocol\n", __func__);
|
||||||
if (xfrm_unregister_type(&ipcomp_type, AF_INET) < 0)
|
xfrm_unregister_type(&ipcomp_type, AF_INET);
|
||||||
pr_info("%s: can't remove xfrm type\n", __func__);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module_init(ipcomp4_init);
|
module_init(ipcomp4_init);
|
||||||
|
|
|
@ -15,46 +15,6 @@
|
||||||
#include <linux/netfilter_ipv4.h>
|
#include <linux/netfilter_ipv4.h>
|
||||||
#include <linux/export.h>
|
#include <linux/export.h>
|
||||||
|
|
||||||
static int xfrm4_init_flags(struct xfrm_state *x)
|
|
||||||
{
|
|
||||||
if (xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc)
|
|
||||||
x->props.flags |= XFRM_STATE_NOPMTUDISC;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
__xfrm4_init_tempsel(struct xfrm_selector *sel, const struct flowi *fl)
|
|
||||||
{
|
|
||||||
const struct flowi4 *fl4 = &fl->u.ip4;
|
|
||||||
|
|
||||||
sel->daddr.a4 = fl4->daddr;
|
|
||||||
sel->saddr.a4 = fl4->saddr;
|
|
||||||
sel->dport = xfrm_flowi_dport(fl, &fl4->uli);
|
|
||||||
sel->dport_mask = htons(0xffff);
|
|
||||||
sel->sport = xfrm_flowi_sport(fl, &fl4->uli);
|
|
||||||
sel->sport_mask = htons(0xffff);
|
|
||||||
sel->family = AF_INET;
|
|
||||||
sel->prefixlen_d = 32;
|
|
||||||
sel->prefixlen_s = 32;
|
|
||||||
sel->proto = fl4->flowi4_proto;
|
|
||||||
sel->ifindex = fl4->flowi4_oif;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
xfrm4_init_temprop(struct xfrm_state *x, const struct xfrm_tmpl *tmpl,
|
|
||||||
const xfrm_address_t *daddr, const xfrm_address_t *saddr)
|
|
||||||
{
|
|
||||||
x->id = tmpl->id;
|
|
||||||
if (x->id.daddr.a4 == 0)
|
|
||||||
x->id.daddr.a4 = daddr->a4;
|
|
||||||
x->props.saddr = tmpl->saddr;
|
|
||||||
if (x->props.saddr.a4 == 0)
|
|
||||||
x->props.saddr.a4 = saddr->a4;
|
|
||||||
x->props.mode = tmpl->mode;
|
|
||||||
x->props.reqid = tmpl->reqid;
|
|
||||||
x->props.family = AF_INET;
|
|
||||||
}
|
|
||||||
|
|
||||||
int xfrm4_extract_header(struct sk_buff *skb)
|
int xfrm4_extract_header(struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
const struct iphdr *iph = ip_hdr(skb);
|
const struct iphdr *iph = ip_hdr(skb);
|
||||||
|
@ -74,11 +34,6 @@ int xfrm4_extract_header(struct sk_buff *skb)
|
||||||
static struct xfrm_state_afinfo xfrm4_state_afinfo = {
|
static struct xfrm_state_afinfo xfrm4_state_afinfo = {
|
||||||
.family = AF_INET,
|
.family = AF_INET,
|
||||||
.proto = IPPROTO_IPIP,
|
.proto = IPPROTO_IPIP,
|
||||||
.eth_proto = htons(ETH_P_IP),
|
|
||||||
.owner = THIS_MODULE,
|
|
||||||
.init_flags = xfrm4_init_flags,
|
|
||||||
.init_tempsel = __xfrm4_init_tempsel,
|
|
||||||
.init_temprop = xfrm4_init_temprop,
|
|
||||||
.output = xfrm4_output,
|
.output = xfrm4_output,
|
||||||
.output_finish = xfrm4_output_finish,
|
.output_finish = xfrm4_output_finish,
|
||||||
.extract_input = xfrm4_extract_input,
|
.extract_input = xfrm4_extract_input,
|
||||||
|
|
|
@ -108,8 +108,7 @@ static void __exit ipip_fini(void)
|
||||||
if (xfrm4_tunnel_deregister(&xfrm_tunnel_handler, AF_INET))
|
if (xfrm4_tunnel_deregister(&xfrm_tunnel_handler, AF_INET))
|
||||||
pr_info("%s: can't remove xfrm handler for AF_INET\n",
|
pr_info("%s: can't remove xfrm handler for AF_INET\n",
|
||||||
__func__);
|
__func__);
|
||||||
if (xfrm_unregister_type(&ipip_type, AF_INET) < 0)
|
xfrm_unregister_type(&ipip_type, AF_INET);
|
||||||
pr_info("%s: can't remove xfrm type\n", __func__);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module_init(ipip_init);
|
module_init(ipip_init);
|
||||||
|
|
|
@ -793,9 +793,7 @@ static void __exit ah6_fini(void)
|
||||||
if (xfrm6_protocol_deregister(&ah6_protocol, IPPROTO_AH) < 0)
|
if (xfrm6_protocol_deregister(&ah6_protocol, IPPROTO_AH) < 0)
|
||||||
pr_info("%s: can't remove protocol\n", __func__);
|
pr_info("%s: can't remove protocol\n", __func__);
|
||||||
|
|
||||||
if (xfrm_unregister_type(&ah6_type, AF_INET6) < 0)
|
xfrm_unregister_type(&ah6_type, AF_INET6);
|
||||||
pr_info("%s: can't remove xfrm type\n", __func__);
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module_init(ah6_init);
|
module_init(ah6_init);
|
||||||
|
|
|
@ -41,8 +41,6 @@ struct esp_skb_cb {
|
||||||
|
|
||||||
#define ESP_SKB_CB(__skb) ((struct esp_skb_cb *)&((__skb)->cb[0]))
|
#define ESP_SKB_CB(__skb) ((struct esp_skb_cb *)&((__skb)->cb[0]))
|
||||||
|
|
||||||
static u32 esp6_get_mtu(struct xfrm_state *x, int mtu);
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Allocate an AEAD request structure with extra space for SG and IV.
|
* Allocate an AEAD request structure with extra space for SG and IV.
|
||||||
*
|
*
|
||||||
|
@ -447,7 +445,7 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
|
||||||
struct xfrm_dst *dst = (struct xfrm_dst *)skb_dst(skb);
|
struct xfrm_dst *dst = (struct xfrm_dst *)skb_dst(skb);
|
||||||
u32 padto;
|
u32 padto;
|
||||||
|
|
||||||
padto = min(x->tfcpad, esp6_get_mtu(x, dst->child_mtu_cached));
|
padto = min(x->tfcpad, xfrm_state_mtu(x, dst->child_mtu_cached));
|
||||||
if (skb->len < padto)
|
if (skb->len < padto)
|
||||||
esp.tfclen = padto - skb->len;
|
esp.tfclen = padto - skb->len;
|
||||||
}
|
}
|
||||||
|
@ -687,21 +685,6 @@ out:
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
static u32 esp6_get_mtu(struct xfrm_state *x, int mtu)
|
|
||||||
{
|
|
||||||
struct crypto_aead *aead = x->data;
|
|
||||||
u32 blksize = ALIGN(crypto_aead_blocksize(aead), 4);
|
|
||||||
unsigned int net_adj;
|
|
||||||
|
|
||||||
if (x->props.mode != XFRM_MODE_TUNNEL)
|
|
||||||
net_adj = sizeof(struct ipv6hdr);
|
|
||||||
else
|
|
||||||
net_adj = 0;
|
|
||||||
|
|
||||||
return ((mtu - x->props.header_len - crypto_aead_authsize(aead) -
|
|
||||||
net_adj) & ~(blksize - 1)) + net_adj - 2;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
|
static int esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
|
||||||
u8 type, u8 code, int offset, __be32 info)
|
u8 type, u8 code, int offset, __be32 info)
|
||||||
{
|
{
|
||||||
|
@ -919,7 +902,6 @@ static const struct xfrm_type esp6_type = {
|
||||||
.flags = XFRM_TYPE_REPLAY_PROT,
|
.flags = XFRM_TYPE_REPLAY_PROT,
|
||||||
.init_state = esp6_init_state,
|
.init_state = esp6_init_state,
|
||||||
.destructor = esp6_destroy,
|
.destructor = esp6_destroy,
|
||||||
.get_mtu = esp6_get_mtu,
|
|
||||||
.input = esp6_input,
|
.input = esp6_input,
|
||||||
.output = esp6_output,
|
.output = esp6_output,
|
||||||
.hdr_offset = xfrm6_find_1stfragopt,
|
.hdr_offset = xfrm6_find_1stfragopt,
|
||||||
|
@ -951,8 +933,7 @@ static void __exit esp6_fini(void)
|
||||||
{
|
{
|
||||||
if (xfrm6_protocol_deregister(&esp6_protocol, IPPROTO_ESP) < 0)
|
if (xfrm6_protocol_deregister(&esp6_protocol, IPPROTO_ESP) < 0)
|
||||||
pr_info("%s: can't remove protocol\n", __func__);
|
pr_info("%s: can't remove protocol\n", __func__);
|
||||||
if (xfrm_unregister_type(&esp6_type, AF_INET6) < 0)
|
xfrm_unregister_type(&esp6_type, AF_INET6);
|
||||||
pr_info("%s: can't remove xfrm type\n", __func__);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module_init(esp6_init);
|
module_init(esp6_init);
|
||||||
|
|
|
@ -336,9 +336,7 @@ static int __init esp6_offload_init(void)
|
||||||
|
|
||||||
static void __exit esp6_offload_exit(void)
|
static void __exit esp6_offload_exit(void)
|
||||||
{
|
{
|
||||||
if (xfrm_unregister_type_offload(&esp6_type_offload, AF_INET6) < 0)
|
xfrm_unregister_type_offload(&esp6_type_offload, AF_INET6);
|
||||||
pr_info("%s: can't remove xfrm type offload\n", __func__);
|
|
||||||
|
|
||||||
inet6_del_offload(&esp6_offload, IPPROTO_ESP);
|
inet6_del_offload(&esp6_offload, IPPROTO_ESP);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -206,8 +206,7 @@ static void __exit ipcomp6_fini(void)
|
||||||
{
|
{
|
||||||
if (xfrm6_protocol_deregister(&ipcomp6_protocol, IPPROTO_COMP) < 0)
|
if (xfrm6_protocol_deregister(&ipcomp6_protocol, IPPROTO_COMP) < 0)
|
||||||
pr_info("%s: can't remove protocol\n", __func__);
|
pr_info("%s: can't remove protocol\n", __func__);
|
||||||
if (xfrm_unregister_type(&ipcomp6_type, AF_INET6) < 0)
|
xfrm_unregister_type(&ipcomp6_type, AF_INET6);
|
||||||
pr_info("%s: can't remove xfrm type\n", __func__);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module_init(ipcomp6_init);
|
module_init(ipcomp6_init);
|
||||||
|
|
|
@ -499,10 +499,8 @@ static void __exit mip6_fini(void)
|
||||||
{
|
{
|
||||||
if (rawv6_mh_filter_unregister(mip6_mh_filter) < 0)
|
if (rawv6_mh_filter_unregister(mip6_mh_filter) < 0)
|
||||||
pr_info("%s: can't remove rawv6 mh filter\n", __func__);
|
pr_info("%s: can't remove rawv6 mh filter\n", __func__);
|
||||||
if (xfrm_unregister_type(&mip6_rthdr_type, AF_INET6) < 0)
|
xfrm_unregister_type(&mip6_rthdr_type, AF_INET6);
|
||||||
pr_info("%s: can't remove xfrm type(rthdr)\n", __func__);
|
xfrm_unregister_type(&mip6_destopt_type, AF_INET6);
|
||||||
if (xfrm_unregister_type(&mip6_destopt_type, AF_INET6) < 0)
|
|
||||||
pr_info("%s: can't remove xfrm type(destopt)\n", __func__);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module_init(mip6_init);
|
module_init(mip6_init);
|
||||||
|
|
|
@ -21,137 +21,6 @@
|
||||||
#include <net/ipv6.h>
|
#include <net/ipv6.h>
|
||||||
#include <net/addrconf.h>
|
#include <net/addrconf.h>
|
||||||
|
|
||||||
static void
|
|
||||||
__xfrm6_init_tempsel(struct xfrm_selector *sel, const struct flowi *fl)
|
|
||||||
{
|
|
||||||
const struct flowi6 *fl6 = &fl->u.ip6;
|
|
||||||
|
|
||||||
/* Initialize temporary selector matching only
|
|
||||||
* to current session. */
|
|
||||||
*(struct in6_addr *)&sel->daddr = fl6->daddr;
|
|
||||||
*(struct in6_addr *)&sel->saddr = fl6->saddr;
|
|
||||||
sel->dport = xfrm_flowi_dport(fl, &fl6->uli);
|
|
||||||
sel->dport_mask = htons(0xffff);
|
|
||||||
sel->sport = xfrm_flowi_sport(fl, &fl6->uli);
|
|
||||||
sel->sport_mask = htons(0xffff);
|
|
||||||
sel->family = AF_INET6;
|
|
||||||
sel->prefixlen_d = 128;
|
|
||||||
sel->prefixlen_s = 128;
|
|
||||||
sel->proto = fl6->flowi6_proto;
|
|
||||||
sel->ifindex = fl6->flowi6_oif;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
xfrm6_init_temprop(struct xfrm_state *x, const struct xfrm_tmpl *tmpl,
|
|
||||||
const xfrm_address_t *daddr, const xfrm_address_t *saddr)
|
|
||||||
{
|
|
||||||
x->id = tmpl->id;
|
|
||||||
if (ipv6_addr_any((struct in6_addr *)&x->id.daddr))
|
|
||||||
memcpy(&x->id.daddr, daddr, sizeof(x->sel.daddr));
|
|
||||||
memcpy(&x->props.saddr, &tmpl->saddr, sizeof(x->props.saddr));
|
|
||||||
if (ipv6_addr_any((struct in6_addr *)&x->props.saddr))
|
|
||||||
memcpy(&x->props.saddr, saddr, sizeof(x->props.saddr));
|
|
||||||
x->props.mode = tmpl->mode;
|
|
||||||
x->props.reqid = tmpl->reqid;
|
|
||||||
x->props.family = AF_INET6;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* distribution counting sort function for xfrm_state and xfrm_tmpl */
|
|
||||||
static int
|
|
||||||
__xfrm6_sort(void **dst, void **src, int n, int (*cmp)(void *p), int maxclass)
|
|
||||||
{
|
|
||||||
int count[XFRM_MAX_DEPTH] = { };
|
|
||||||
int class[XFRM_MAX_DEPTH];
|
|
||||||
int i;
|
|
||||||
|
|
||||||
for (i = 0; i < n; i++) {
|
|
||||||
int c;
|
|
||||||
class[i] = c = cmp(src[i]);
|
|
||||||
count[c]++;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (i = 2; i < maxclass; i++)
|
|
||||||
count[i] += count[i - 1];
|
|
||||||
|
|
||||||
for (i = 0; i < n; i++) {
|
|
||||||
dst[count[class[i] - 1]++] = src[i];
|
|
||||||
src[i] = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Rule for xfrm_state:
|
|
||||||
*
|
|
||||||
* rule 1: select IPsec transport except AH
|
|
||||||
* rule 2: select MIPv6 RO or inbound trigger
|
|
||||||
* rule 3: select IPsec transport AH
|
|
||||||
* rule 4: select IPsec tunnel
|
|
||||||
* rule 5: others
|
|
||||||
*/
|
|
||||||
static int __xfrm6_state_sort_cmp(void *p)
|
|
||||||
{
|
|
||||||
struct xfrm_state *v = p;
|
|
||||||
|
|
||||||
switch (v->props.mode) {
|
|
||||||
case XFRM_MODE_TRANSPORT:
|
|
||||||
if (v->id.proto != IPPROTO_AH)
|
|
||||||
return 1;
|
|
||||||
else
|
|
||||||
return 3;
|
|
||||||
#if IS_ENABLED(CONFIG_IPV6_MIP6)
|
|
||||||
case XFRM_MODE_ROUTEOPTIMIZATION:
|
|
||||||
case XFRM_MODE_IN_TRIGGER:
|
|
||||||
return 2;
|
|
||||||
#endif
|
|
||||||
case XFRM_MODE_TUNNEL:
|
|
||||||
case XFRM_MODE_BEET:
|
|
||||||
return 4;
|
|
||||||
}
|
|
||||||
return 5;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
__xfrm6_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n)
|
|
||||||
{
|
|
||||||
return __xfrm6_sort((void **)dst, (void **)src, n,
|
|
||||||
__xfrm6_state_sort_cmp, 6);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Rule for xfrm_tmpl:
|
|
||||||
*
|
|
||||||
* rule 1: select IPsec transport
|
|
||||||
* rule 2: select MIPv6 RO or inbound trigger
|
|
||||||
* rule 3: select IPsec tunnel
|
|
||||||
* rule 4: others
|
|
||||||
*/
|
|
||||||
static int __xfrm6_tmpl_sort_cmp(void *p)
|
|
||||||
{
|
|
||||||
struct xfrm_tmpl *v = p;
|
|
||||||
switch (v->mode) {
|
|
||||||
case XFRM_MODE_TRANSPORT:
|
|
||||||
return 1;
|
|
||||||
#if IS_ENABLED(CONFIG_IPV6_MIP6)
|
|
||||||
case XFRM_MODE_ROUTEOPTIMIZATION:
|
|
||||||
case XFRM_MODE_IN_TRIGGER:
|
|
||||||
return 2;
|
|
||||||
#endif
|
|
||||||
case XFRM_MODE_TUNNEL:
|
|
||||||
case XFRM_MODE_BEET:
|
|
||||||
return 3;
|
|
||||||
}
|
|
||||||
return 4;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
__xfrm6_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n)
|
|
||||||
{
|
|
||||||
return __xfrm6_sort((void **)dst, (void **)src, n,
|
|
||||||
__xfrm6_tmpl_sort_cmp, 5);
|
|
||||||
}
|
|
||||||
|
|
||||||
int xfrm6_extract_header(struct sk_buff *skb)
|
int xfrm6_extract_header(struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
struct ipv6hdr *iph = ipv6_hdr(skb);
|
struct ipv6hdr *iph = ipv6_hdr(skb);
|
||||||
|
@ -171,12 +40,6 @@ int xfrm6_extract_header(struct sk_buff *skb)
|
||||||
static struct xfrm_state_afinfo xfrm6_state_afinfo = {
|
static struct xfrm_state_afinfo xfrm6_state_afinfo = {
|
||||||
.family = AF_INET6,
|
.family = AF_INET6,
|
||||||
.proto = IPPROTO_IPV6,
|
.proto = IPPROTO_IPV6,
|
||||||
.eth_proto = htons(ETH_P_IPV6),
|
|
||||||
.owner = THIS_MODULE,
|
|
||||||
.init_tempsel = __xfrm6_init_tempsel,
|
|
||||||
.init_temprop = xfrm6_init_temprop,
|
|
||||||
.tmpl_sort = __xfrm6_tmpl_sort,
|
|
||||||
.state_sort = __xfrm6_state_sort,
|
|
||||||
.output = xfrm6_output,
|
.output = xfrm6_output,
|
||||||
.output_finish = xfrm6_output_finish,
|
.output_finish = xfrm6_output_finish,
|
||||||
.extract_input = xfrm6_extract_input,
|
.extract_input = xfrm6_extract_input,
|
||||||
|
|
|
@ -271,9 +271,8 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if ((!dev || (dev == xfrm_dst_path(dst)->dev)) &&
|
if ((!dev || (dev == xfrm_dst_path(dst)->dev)) &&
|
||||||
(!xdst->child->xfrm && x->type->get_mtu)) {
|
(!xdst->child->xfrm)) {
|
||||||
mtu = x->type->get_mtu(x, xdst->child_mtu_cached);
|
mtu = xfrm_state_mtu(x, xdst->child_mtu_cached);
|
||||||
|
|
||||||
if (skb->len <= mtu)
|
if (skb->len <= mtu)
|
||||||
goto ok;
|
goto ok;
|
||||||
|
|
||||||
|
|
|
@ -359,28 +359,29 @@ static int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb)
|
||||||
afinfo = xfrm_state_afinfo_get_rcu(x->outer_mode.family);
|
afinfo = xfrm_state_afinfo_get_rcu(x->outer_mode.family);
|
||||||
if (likely(afinfo))
|
if (likely(afinfo))
|
||||||
err = afinfo->extract_input(x, skb);
|
err = afinfo->extract_input(x, skb);
|
||||||
|
rcu_read_unlock();
|
||||||
|
|
||||||
if (err) {
|
if (err)
|
||||||
rcu_read_unlock();
|
|
||||||
return err;
|
return err;
|
||||||
}
|
|
||||||
|
|
||||||
if (x->sel.family == AF_UNSPEC) {
|
if (x->sel.family == AF_UNSPEC) {
|
||||||
inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
|
inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
|
||||||
if (!inner_mode) {
|
if (!inner_mode)
|
||||||
rcu_read_unlock();
|
|
||||||
return -EAFNOSUPPORT;
|
return -EAFNOSUPPORT;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
afinfo = xfrm_state_afinfo_get_rcu(inner_mode->family);
|
switch (inner_mode->family) {
|
||||||
if (unlikely(!afinfo)) {
|
case AF_INET:
|
||||||
rcu_read_unlock();
|
skb->protocol = htons(ETH_P_IP);
|
||||||
return -EAFNOSUPPORT;
|
break;
|
||||||
|
case AF_INET6:
|
||||||
|
skb->protocol = htons(ETH_P_IPV6);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
WARN_ON_ONCE(1);
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
skb->protocol = afinfo->eth_proto;
|
|
||||||
rcu_read_unlock();
|
|
||||||
return xfrm_inner_mode_encap_remove(x, inner_mode, skb);
|
return xfrm_inner_mode_encap_remove(x, inner_mode, skb);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -793,11 +793,6 @@ static void __net_exit xfrmi_destroy_interfaces(struct xfrmi_net *xfrmn)
|
||||||
unregister_netdevice_many(&list);
|
unregister_netdevice_many(&list);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int __net_init xfrmi_init_net(struct net *net)
|
|
||||||
{
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void __net_exit xfrmi_exit_net(struct net *net)
|
static void __net_exit xfrmi_exit_net(struct net *net)
|
||||||
{
|
{
|
||||||
struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
|
struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
|
||||||
|
@ -808,7 +803,6 @@ static void __net_exit xfrmi_exit_net(struct net *net)
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct pernet_operations xfrmi_net_ops = {
|
static struct pernet_operations xfrmi_net_ops = {
|
||||||
.init = xfrmi_init_net,
|
|
||||||
.exit = xfrmi_exit_net,
|
.exit = xfrmi_exit_net,
|
||||||
.id = &xfrmi_net_id,
|
.id = &xfrmi_net_id,
|
||||||
.size = sizeof(struct xfrmi_net),
|
.size = sizeof(struct xfrmi_net),
|
||||||
|
|
|
@ -3628,7 +3628,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
|
||||||
}
|
}
|
||||||
xfrm_nr = ti;
|
xfrm_nr = ti;
|
||||||
if (npols > 1) {
|
if (npols > 1) {
|
||||||
xfrm_tmpl_sort(stp, tpp, xfrm_nr, family, net);
|
xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
|
||||||
tpp = stp;
|
tpp = stp;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -27,6 +27,8 @@
|
||||||
#include <linux/interrupt.h>
|
#include <linux/interrupt.h>
|
||||||
#include <linux/kernel.h>
|
#include <linux/kernel.h>
|
||||||
|
|
||||||
|
#include <crypto/aead.h>
|
||||||
|
|
||||||
#include "xfrm_hash.h"
|
#include "xfrm_hash.h"
|
||||||
|
|
||||||
#define xfrm_state_deref_prot(table, net) \
|
#define xfrm_state_deref_prot(table, net) \
|
||||||
|
@ -177,63 +179,132 @@ int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
|
||||||
static bool km_is_alive(const struct km_event *c);
|
static bool km_is_alive(const struct km_event *c);
|
||||||
void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
|
void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
|
||||||
|
|
||||||
static DEFINE_SPINLOCK(xfrm_type_lock);
|
|
||||||
int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
|
int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
|
||||||
{
|
{
|
||||||
struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
|
struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
|
||||||
const struct xfrm_type **typemap;
|
|
||||||
int err = 0;
|
int err = 0;
|
||||||
|
|
||||||
if (unlikely(afinfo == NULL))
|
if (!afinfo)
|
||||||
return -EAFNOSUPPORT;
|
return -EAFNOSUPPORT;
|
||||||
typemap = afinfo->type_map;
|
|
||||||
spin_lock_bh(&xfrm_type_lock);
|
|
||||||
|
|
||||||
if (likely(typemap[type->proto] == NULL))
|
#define X(afi, T, name) do { \
|
||||||
typemap[type->proto] = type;
|
WARN_ON((afi)->type_ ## name); \
|
||||||
else
|
(afi)->type_ ## name = (T); \
|
||||||
err = -EEXIST;
|
} while (0)
|
||||||
spin_unlock_bh(&xfrm_type_lock);
|
|
||||||
|
switch (type->proto) {
|
||||||
|
case IPPROTO_COMP:
|
||||||
|
X(afinfo, type, comp);
|
||||||
|
break;
|
||||||
|
case IPPROTO_AH:
|
||||||
|
X(afinfo, type, ah);
|
||||||
|
break;
|
||||||
|
case IPPROTO_ESP:
|
||||||
|
X(afinfo, type, esp);
|
||||||
|
break;
|
||||||
|
case IPPROTO_IPIP:
|
||||||
|
X(afinfo, type, ipip);
|
||||||
|
break;
|
||||||
|
case IPPROTO_DSTOPTS:
|
||||||
|
X(afinfo, type, dstopts);
|
||||||
|
break;
|
||||||
|
case IPPROTO_ROUTING:
|
||||||
|
X(afinfo, type, routing);
|
||||||
|
break;
|
||||||
|
case IPPROTO_IPV6:
|
||||||
|
X(afinfo, type, ipip6);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
WARN_ON(1);
|
||||||
|
err = -EPROTONOSUPPORT;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
#undef X
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(xfrm_register_type);
|
EXPORT_SYMBOL(xfrm_register_type);
|
||||||
|
|
||||||
int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family)
|
void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family)
|
||||||
{
|
{
|
||||||
struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
|
struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
|
||||||
const struct xfrm_type **typemap;
|
|
||||||
int err = 0;
|
|
||||||
|
|
||||||
if (unlikely(afinfo == NULL))
|
if (unlikely(afinfo == NULL))
|
||||||
return -EAFNOSUPPORT;
|
return;
|
||||||
typemap = afinfo->type_map;
|
|
||||||
spin_lock_bh(&xfrm_type_lock);
|
|
||||||
|
|
||||||
if (unlikely(typemap[type->proto] != type))
|
#define X(afi, T, name) do { \
|
||||||
err = -ENOENT;
|
WARN_ON((afi)->type_ ## name != (T)); \
|
||||||
else
|
(afi)->type_ ## name = NULL; \
|
||||||
typemap[type->proto] = NULL;
|
} while (0)
|
||||||
spin_unlock_bh(&xfrm_type_lock);
|
|
||||||
|
switch (type->proto) {
|
||||||
|
case IPPROTO_COMP:
|
||||||
|
X(afinfo, type, comp);
|
||||||
|
break;
|
||||||
|
case IPPROTO_AH:
|
||||||
|
X(afinfo, type, ah);
|
||||||
|
break;
|
||||||
|
case IPPROTO_ESP:
|
||||||
|
X(afinfo, type, esp);
|
||||||
|
break;
|
||||||
|
case IPPROTO_IPIP:
|
||||||
|
X(afinfo, type, ipip);
|
||||||
|
break;
|
||||||
|
case IPPROTO_DSTOPTS:
|
||||||
|
X(afinfo, type, dstopts);
|
||||||
|
break;
|
||||||
|
case IPPROTO_ROUTING:
|
||||||
|
X(afinfo, type, routing);
|
||||||
|
break;
|
||||||
|
case IPPROTO_IPV6:
|
||||||
|
X(afinfo, type, ipip6);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
WARN_ON(1);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
#undef X
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
return err;
|
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(xfrm_unregister_type);
|
EXPORT_SYMBOL(xfrm_unregister_type);
|
||||||
|
|
||||||
static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
|
static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
|
||||||
{
|
{
|
||||||
|
const struct xfrm_type *type = NULL;
|
||||||
struct xfrm_state_afinfo *afinfo;
|
struct xfrm_state_afinfo *afinfo;
|
||||||
const struct xfrm_type **typemap;
|
|
||||||
const struct xfrm_type *type;
|
|
||||||
int modload_attempted = 0;
|
int modload_attempted = 0;
|
||||||
|
|
||||||
retry:
|
retry:
|
||||||
afinfo = xfrm_state_get_afinfo(family);
|
afinfo = xfrm_state_get_afinfo(family);
|
||||||
if (unlikely(afinfo == NULL))
|
if (unlikely(afinfo == NULL))
|
||||||
return NULL;
|
return NULL;
|
||||||
typemap = afinfo->type_map;
|
|
||||||
|
|
||||||
type = READ_ONCE(typemap[proto]);
|
switch (proto) {
|
||||||
|
case IPPROTO_COMP:
|
||||||
|
type = afinfo->type_comp;
|
||||||
|
break;
|
||||||
|
case IPPROTO_AH:
|
||||||
|
type = afinfo->type_ah;
|
||||||
|
break;
|
||||||
|
case IPPROTO_ESP:
|
||||||
|
type = afinfo->type_esp;
|
||||||
|
break;
|
||||||
|
case IPPROTO_IPIP:
|
||||||
|
type = afinfo->type_ipip;
|
||||||
|
break;
|
||||||
|
case IPPROTO_DSTOPTS:
|
||||||
|
type = afinfo->type_dstopts;
|
||||||
|
break;
|
||||||
|
case IPPROTO_ROUTING:
|
||||||
|
type = afinfo->type_routing;
|
||||||
|
break;
|
||||||
|
case IPPROTO_IPV6:
|
||||||
|
type = afinfo->type_ipip6;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
if (unlikely(type && !try_module_get(type->owner)))
|
if (unlikely(type && !try_module_get(type->owner)))
|
||||||
type = NULL;
|
type = NULL;
|
||||||
|
|
||||||
|
@ -253,65 +324,71 @@ static void xfrm_put_type(const struct xfrm_type *type)
|
||||||
module_put(type->owner);
|
module_put(type->owner);
|
||||||
}
|
}
|
||||||
|
|
||||||
static DEFINE_SPINLOCK(xfrm_type_offload_lock);
|
|
||||||
int xfrm_register_type_offload(const struct xfrm_type_offload *type,
|
int xfrm_register_type_offload(const struct xfrm_type_offload *type,
|
||||||
unsigned short family)
|
unsigned short family)
|
||||||
{
|
{
|
||||||
struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
|
struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
|
||||||
const struct xfrm_type_offload **typemap;
|
|
||||||
int err = 0;
|
int err = 0;
|
||||||
|
|
||||||
if (unlikely(afinfo == NULL))
|
if (unlikely(afinfo == NULL))
|
||||||
return -EAFNOSUPPORT;
|
return -EAFNOSUPPORT;
|
||||||
typemap = afinfo->type_offload_map;
|
|
||||||
spin_lock_bh(&xfrm_type_offload_lock);
|
|
||||||
|
|
||||||
if (likely(typemap[type->proto] == NULL))
|
switch (type->proto) {
|
||||||
typemap[type->proto] = type;
|
case IPPROTO_ESP:
|
||||||
else
|
WARN_ON(afinfo->type_offload_esp);
|
||||||
err = -EEXIST;
|
afinfo->type_offload_esp = type;
|
||||||
spin_unlock_bh(&xfrm_type_offload_lock);
|
break;
|
||||||
|
default:
|
||||||
|
WARN_ON(1);
|
||||||
|
err = -EPROTONOSUPPORT;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(xfrm_register_type_offload);
|
EXPORT_SYMBOL(xfrm_register_type_offload);
|
||||||
|
|
||||||
int xfrm_unregister_type_offload(const struct xfrm_type_offload *type,
|
void xfrm_unregister_type_offload(const struct xfrm_type_offload *type,
|
||||||
unsigned short family)
|
unsigned short family)
|
||||||
{
|
{
|
||||||
struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
|
struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
|
||||||
const struct xfrm_type_offload **typemap;
|
|
||||||
int err = 0;
|
|
||||||
|
|
||||||
if (unlikely(afinfo == NULL))
|
if (unlikely(afinfo == NULL))
|
||||||
return -EAFNOSUPPORT;
|
return;
|
||||||
typemap = afinfo->type_offload_map;
|
|
||||||
spin_lock_bh(&xfrm_type_offload_lock);
|
|
||||||
|
|
||||||
if (unlikely(typemap[type->proto] != type))
|
switch (type->proto) {
|
||||||
err = -ENOENT;
|
case IPPROTO_ESP:
|
||||||
else
|
WARN_ON(afinfo->type_offload_esp != type);
|
||||||
typemap[type->proto] = NULL;
|
afinfo->type_offload_esp = NULL;
|
||||||
spin_unlock_bh(&xfrm_type_offload_lock);
|
break;
|
||||||
|
default:
|
||||||
|
WARN_ON(1);
|
||||||
|
break;
|
||||||
|
}
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
return err;
|
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(xfrm_unregister_type_offload);
|
EXPORT_SYMBOL(xfrm_unregister_type_offload);
|
||||||
|
|
||||||
static const struct xfrm_type_offload *
|
static const struct xfrm_type_offload *
|
||||||
xfrm_get_type_offload(u8 proto, unsigned short family, bool try_load)
|
xfrm_get_type_offload(u8 proto, unsigned short family, bool try_load)
|
||||||
{
|
{
|
||||||
|
const struct xfrm_type_offload *type = NULL;
|
||||||
struct xfrm_state_afinfo *afinfo;
|
struct xfrm_state_afinfo *afinfo;
|
||||||
const struct xfrm_type_offload **typemap;
|
|
||||||
const struct xfrm_type_offload *type;
|
|
||||||
|
|
||||||
retry:
|
retry:
|
||||||
afinfo = xfrm_state_get_afinfo(family);
|
afinfo = xfrm_state_get_afinfo(family);
|
||||||
if (unlikely(afinfo == NULL))
|
if (unlikely(afinfo == NULL))
|
||||||
return NULL;
|
return NULL;
|
||||||
typemap = afinfo->type_offload_map;
|
|
||||||
|
|
||||||
type = typemap[proto];
|
switch (proto) {
|
||||||
|
case IPPROTO_ESP:
|
||||||
|
type = afinfo->type_offload_esp;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
if ((type && !try_module_get(type->owner)))
|
if ((type && !try_module_get(type->owner)))
|
||||||
type = NULL;
|
type = NULL;
|
||||||
|
|
||||||
|
@ -769,25 +846,80 @@ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si)
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(xfrm_sad_getinfo);
|
EXPORT_SYMBOL(xfrm_sad_getinfo);
|
||||||
|
|
||||||
|
static void
|
||||||
|
__xfrm4_init_tempsel(struct xfrm_selector *sel, const struct flowi *fl)
|
||||||
|
{
|
||||||
|
const struct flowi4 *fl4 = &fl->u.ip4;
|
||||||
|
|
||||||
|
sel->daddr.a4 = fl4->daddr;
|
||||||
|
sel->saddr.a4 = fl4->saddr;
|
||||||
|
sel->dport = xfrm_flowi_dport(fl, &fl4->uli);
|
||||||
|
sel->dport_mask = htons(0xffff);
|
||||||
|
sel->sport = xfrm_flowi_sport(fl, &fl4->uli);
|
||||||
|
sel->sport_mask = htons(0xffff);
|
||||||
|
sel->family = AF_INET;
|
||||||
|
sel->prefixlen_d = 32;
|
||||||
|
sel->prefixlen_s = 32;
|
||||||
|
sel->proto = fl4->flowi4_proto;
|
||||||
|
sel->ifindex = fl4->flowi4_oif;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
__xfrm6_init_tempsel(struct xfrm_selector *sel, const struct flowi *fl)
|
||||||
|
{
|
||||||
|
const struct flowi6 *fl6 = &fl->u.ip6;
|
||||||
|
|
||||||
|
/* Initialize temporary selector matching only to current session. */
|
||||||
|
*(struct in6_addr *)&sel->daddr = fl6->daddr;
|
||||||
|
*(struct in6_addr *)&sel->saddr = fl6->saddr;
|
||||||
|
sel->dport = xfrm_flowi_dport(fl, &fl6->uli);
|
||||||
|
sel->dport_mask = htons(0xffff);
|
||||||
|
sel->sport = xfrm_flowi_sport(fl, &fl6->uli);
|
||||||
|
sel->sport_mask = htons(0xffff);
|
||||||
|
sel->family = AF_INET6;
|
||||||
|
sel->prefixlen_d = 128;
|
||||||
|
sel->prefixlen_s = 128;
|
||||||
|
sel->proto = fl6->flowi6_proto;
|
||||||
|
sel->ifindex = fl6->flowi6_oif;
|
||||||
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
xfrm_init_tempstate(struct xfrm_state *x, const struct flowi *fl,
|
xfrm_init_tempstate(struct xfrm_state *x, const struct flowi *fl,
|
||||||
const struct xfrm_tmpl *tmpl,
|
const struct xfrm_tmpl *tmpl,
|
||||||
const xfrm_address_t *daddr, const xfrm_address_t *saddr,
|
const xfrm_address_t *daddr, const xfrm_address_t *saddr,
|
||||||
unsigned short family)
|
unsigned short family)
|
||||||
{
|
{
|
||||||
struct xfrm_state_afinfo *afinfo = xfrm_state_afinfo_get_rcu(family);
|
switch (family) {
|
||||||
|
case AF_INET:
|
||||||
if (!afinfo)
|
__xfrm4_init_tempsel(&x->sel, fl);
|
||||||
return;
|
break;
|
||||||
|
case AF_INET6:
|
||||||
afinfo->init_tempsel(&x->sel, fl);
|
__xfrm6_init_tempsel(&x->sel, fl);
|
||||||
|
break;
|
||||||
if (family != tmpl->encap_family) {
|
|
||||||
afinfo = xfrm_state_afinfo_get_rcu(tmpl->encap_family);
|
|
||||||
if (!afinfo)
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
afinfo->init_temprop(x, tmpl, daddr, saddr);
|
|
||||||
|
x->id = tmpl->id;
|
||||||
|
|
||||||
|
switch (tmpl->encap_family) {
|
||||||
|
case AF_INET:
|
||||||
|
if (x->id.daddr.a4 == 0)
|
||||||
|
x->id.daddr.a4 = daddr->a4;
|
||||||
|
x->props.saddr = tmpl->saddr;
|
||||||
|
if (x->props.saddr.a4 == 0)
|
||||||
|
x->props.saddr.a4 = saddr->a4;
|
||||||
|
break;
|
||||||
|
case AF_INET6:
|
||||||
|
if (ipv6_addr_any((struct in6_addr *)&x->id.daddr))
|
||||||
|
memcpy(&x->id.daddr, daddr, sizeof(x->sel.daddr));
|
||||||
|
memcpy(&x->props.saddr, &tmpl->saddr, sizeof(x->props.saddr));
|
||||||
|
if (ipv6_addr_any((struct in6_addr *)&x->props.saddr))
|
||||||
|
memcpy(&x->props.saddr, saddr, sizeof(x->props.saddr));
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
x->props.mode = tmpl->mode;
|
||||||
|
x->props.reqid = tmpl->reqid;
|
||||||
|
x->props.family = tmpl->encap_family;
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark,
|
static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark,
|
||||||
|
@ -1633,51 +1765,129 @@ xfrm_find_acq(struct net *net, const struct xfrm_mark *mark, u8 mode, u32 reqid,
|
||||||
EXPORT_SYMBOL(xfrm_find_acq);
|
EXPORT_SYMBOL(xfrm_find_acq);
|
||||||
|
|
||||||
#ifdef CONFIG_XFRM_SUB_POLICY
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
||||||
int
|
#if IS_ENABLED(CONFIG_IPV6)
|
||||||
xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
|
/* distribution counting sort function for xfrm_state and xfrm_tmpl */
|
||||||
unsigned short family, struct net *net)
|
static void
|
||||||
|
__xfrm6_sort(void **dst, void **src, int n,
|
||||||
|
int (*cmp)(const void *p), int maxclass)
|
||||||
|
{
|
||||||
|
int count[XFRM_MAX_DEPTH] = { };
|
||||||
|
int class[XFRM_MAX_DEPTH];
|
||||||
|
int i;
|
||||||
|
|
||||||
|
for (i = 0; i < n; i++) {
|
||||||
|
int c = cmp(src[i]);
|
||||||
|
|
||||||
|
class[i] = c;
|
||||||
|
count[c]++;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i = 2; i < maxclass; i++)
|
||||||
|
count[i] += count[i - 1];
|
||||||
|
|
||||||
|
for (i = 0; i < n; i++) {
|
||||||
|
dst[count[class[i] - 1]++] = src[i];
|
||||||
|
src[i] = NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Rule for xfrm_state:
|
||||||
|
*
|
||||||
|
* rule 1: select IPsec transport except AH
|
||||||
|
* rule 2: select MIPv6 RO or inbound trigger
|
||||||
|
* rule 3: select IPsec transport AH
|
||||||
|
* rule 4: select IPsec tunnel
|
||||||
|
* rule 5: others
|
||||||
|
*/
|
||||||
|
static int __xfrm6_state_sort_cmp(const void *p)
|
||||||
|
{
|
||||||
|
const struct xfrm_state *v = p;
|
||||||
|
|
||||||
|
switch (v->props.mode) {
|
||||||
|
case XFRM_MODE_TRANSPORT:
|
||||||
|
if (v->id.proto != IPPROTO_AH)
|
||||||
|
return 1;
|
||||||
|
else
|
||||||
|
return 3;
|
||||||
|
#if IS_ENABLED(CONFIG_IPV6_MIP6)
|
||||||
|
case XFRM_MODE_ROUTEOPTIMIZATION:
|
||||||
|
case XFRM_MODE_IN_TRIGGER:
|
||||||
|
return 2;
|
||||||
|
#endif
|
||||||
|
case XFRM_MODE_TUNNEL:
|
||||||
|
case XFRM_MODE_BEET:
|
||||||
|
return 4;
|
||||||
|
}
|
||||||
|
return 5;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Rule for xfrm_tmpl:
|
||||||
|
*
|
||||||
|
* rule 1: select IPsec transport
|
||||||
|
* rule 2: select MIPv6 RO or inbound trigger
|
||||||
|
* rule 3: select IPsec tunnel
|
||||||
|
* rule 4: others
|
||||||
|
*/
|
||||||
|
static int __xfrm6_tmpl_sort_cmp(const void *p)
|
||||||
|
{
|
||||||
|
const struct xfrm_tmpl *v = p;
|
||||||
|
|
||||||
|
switch (v->mode) {
|
||||||
|
case XFRM_MODE_TRANSPORT:
|
||||||
|
return 1;
|
||||||
|
#if IS_ENABLED(CONFIG_IPV6_MIP6)
|
||||||
|
case XFRM_MODE_ROUTEOPTIMIZATION:
|
||||||
|
case XFRM_MODE_IN_TRIGGER:
|
||||||
|
return 2;
|
||||||
|
#endif
|
||||||
|
case XFRM_MODE_TUNNEL:
|
||||||
|
case XFRM_MODE_BEET:
|
||||||
|
return 3;
|
||||||
|
}
|
||||||
|
return 4;
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
static inline int __xfrm6_state_sort_cmp(const void *p) { return 5; }
|
||||||
|
static inline int __xfrm6_tmpl_sort_cmp(const void *p) { return 4; }
|
||||||
|
|
||||||
|
static inline void
|
||||||
|
__xfrm6_sort(void **dst, void **src, int n,
|
||||||
|
int (*cmp)(const void *p), int maxclass)
|
||||||
{
|
{
|
||||||
int i;
|
int i;
|
||||||
int err = 0;
|
|
||||||
struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
|
|
||||||
if (!afinfo)
|
|
||||||
return -EAFNOSUPPORT;
|
|
||||||
|
|
||||||
spin_lock_bh(&net->xfrm.xfrm_state_lock); /*FIXME*/
|
for (i = 0; i < n; i++)
|
||||||
if (afinfo->tmpl_sort)
|
dst[i] = src[i];
|
||||||
err = afinfo->tmpl_sort(dst, src, n);
|
}
|
||||||
|
#endif /* CONFIG_IPV6 */
|
||||||
|
|
||||||
|
void
|
||||||
|
xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
|
||||||
|
unsigned short family)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
|
||||||
|
if (family == AF_INET6)
|
||||||
|
__xfrm6_sort((void **)dst, (void **)src, n,
|
||||||
|
__xfrm6_tmpl_sort_cmp, 5);
|
||||||
else
|
else
|
||||||
for (i = 0; i < n; i++)
|
for (i = 0; i < n; i++)
|
||||||
dst[i] = src[i];
|
dst[i] = src[i];
|
||||||
spin_unlock_bh(&net->xfrm.xfrm_state_lock);
|
|
||||||
rcu_read_unlock();
|
|
||||||
return err;
|
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(xfrm_tmpl_sort);
|
|
||||||
|
|
||||||
int
|
void
|
||||||
xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
|
xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
|
||||||
unsigned short family)
|
unsigned short family)
|
||||||
{
|
{
|
||||||
int i;
|
int i;
|
||||||
int err = 0;
|
|
||||||
struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
|
|
||||||
struct net *net = xs_net(*src);
|
|
||||||
|
|
||||||
if (!afinfo)
|
if (family == AF_INET6)
|
||||||
return -EAFNOSUPPORT;
|
__xfrm6_sort((void **)dst, (void **)src, n,
|
||||||
|
__xfrm6_state_sort_cmp, 6);
|
||||||
spin_lock_bh(&net->xfrm.xfrm_state_lock);
|
|
||||||
if (afinfo->state_sort)
|
|
||||||
err = afinfo->state_sort(dst, src, n);
|
|
||||||
else
|
else
|
||||||
for (i = 0; i < n; i++)
|
for (i = 0; i < n; i++)
|
||||||
dst[i] = src[i];
|
dst[i] = src[i];
|
||||||
spin_unlock_bh(&net->xfrm.xfrm_state_lock);
|
|
||||||
rcu_read_unlock();
|
|
||||||
return err;
|
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(xfrm_state_sort);
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Silly enough, but I'm lazy to build resolution list */
|
/* Silly enough, but I'm lazy to build resolution list */
|
||||||
|
@ -2195,38 +2405,49 @@ void xfrm_state_delete_tunnel(struct xfrm_state *x)
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(xfrm_state_delete_tunnel);
|
EXPORT_SYMBOL(xfrm_state_delete_tunnel);
|
||||||
|
|
||||||
int xfrm_state_mtu(struct xfrm_state *x, int mtu)
|
u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
|
||||||
{
|
{
|
||||||
const struct xfrm_type *type = READ_ONCE(x->type);
|
const struct xfrm_type *type = READ_ONCE(x->type);
|
||||||
|
struct crypto_aead *aead;
|
||||||
|
u32 blksize, net_adj = 0;
|
||||||
|
|
||||||
if (x->km.state == XFRM_STATE_VALID &&
|
if (x->km.state != XFRM_STATE_VALID ||
|
||||||
type && type->get_mtu)
|
!type || type->proto != IPPROTO_ESP)
|
||||||
return type->get_mtu(x, mtu);
|
return mtu - x->props.header_len;
|
||||||
|
|
||||||
return mtu - x->props.header_len;
|
aead = x->data;
|
||||||
|
blksize = ALIGN(crypto_aead_blocksize(aead), 4);
|
||||||
|
|
||||||
|
switch (x->props.mode) {
|
||||||
|
case XFRM_MODE_TRANSPORT:
|
||||||
|
case XFRM_MODE_BEET:
|
||||||
|
if (x->props.family == AF_INET)
|
||||||
|
net_adj = sizeof(struct iphdr);
|
||||||
|
else if (x->props.family == AF_INET6)
|
||||||
|
net_adj = sizeof(struct ipv6hdr);
|
||||||
|
break;
|
||||||
|
case XFRM_MODE_TUNNEL:
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
WARN_ON_ONCE(1);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
return ((mtu - x->props.header_len - crypto_aead_authsize(aead) -
|
||||||
|
net_adj) & ~(blksize - 1)) + net_adj - 2;
|
||||||
}
|
}
|
||||||
|
EXPORT_SYMBOL_GPL(xfrm_state_mtu);
|
||||||
|
|
||||||
int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload)
|
int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload)
|
||||||
{
|
{
|
||||||
const struct xfrm_state_afinfo *afinfo;
|
|
||||||
const struct xfrm_mode *inner_mode;
|
const struct xfrm_mode *inner_mode;
|
||||||
const struct xfrm_mode *outer_mode;
|
const struct xfrm_mode *outer_mode;
|
||||||
int family = x->props.family;
|
int family = x->props.family;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
err = -EAFNOSUPPORT;
|
if (family == AF_INET &&
|
||||||
afinfo = xfrm_state_get_afinfo(family);
|
xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc)
|
||||||
if (!afinfo)
|
x->props.flags |= XFRM_STATE_NOPMTUDISC;
|
||||||
goto error;
|
|
||||||
|
|
||||||
err = 0;
|
|
||||||
if (afinfo->init_flags)
|
|
||||||
err = afinfo->init_flags(x);
|
|
||||||
|
|
||||||
rcu_read_unlock();
|
|
||||||
|
|
||||||
if (err)
|
|
||||||
goto error;
|
|
||||||
|
|
||||||
err = -EPROTONOSUPPORT;
|
err = -EPROTONOSUPPORT;
|
||||||
|
|
||||||
|
|
Loading…
Add table
Reference in a new issue