| 1 |
3 |
xianfeng |
/*
|
| 2 |
|
|
* xfrm_policy.c
|
| 3 |
|
|
*
|
| 4 |
|
|
* Changes:
|
| 5 |
|
|
* Mitsuru KANDA @USAGI
|
| 6 |
|
|
* Kazunori MIYAZAWA @USAGI
|
| 7 |
|
|
* Kunihiro Ishiguro <kunihiro@ipinfusion.com>
|
| 8 |
|
|
* IPv6 support
|
| 9 |
|
|
* Kazunori MIYAZAWA @USAGI
|
| 10 |
|
|
* YOSHIFUJI Hideaki
|
| 11 |
|
|
* Split up af-specific portion
|
| 12 |
|
|
* Derek Atkins <derek@ihtfp.com> Add the post_input processor
|
| 13 |
|
|
*
|
| 14 |
|
|
*/
|
| 15 |
|
|
|
| 16 |
|
|
#include <linux/slab.h>
|
| 17 |
|
|
#include <linux/kmod.h>
|
| 18 |
|
|
#include <linux/list.h>
|
| 19 |
|
|
#include <linux/spinlock.h>
|
| 20 |
|
|
#include <linux/workqueue.h>
|
| 21 |
|
|
#include <linux/notifier.h>
|
| 22 |
|
|
#include <linux/netdevice.h>
|
| 23 |
|
|
#include <linux/netfilter.h>
|
| 24 |
|
|
#include <linux/module.h>
|
| 25 |
|
|
#include <linux/cache.h>
|
| 26 |
|
|
#include <net/xfrm.h>
|
| 27 |
|
|
#include <net/ip.h>
|
| 28 |
|
|
|
| 29 |
|
|
#include "xfrm_hash.h"
|
| 30 |
|
|
|
| 31 |
|
|
int sysctl_xfrm_larval_drop __read_mostly;
|
| 32 |
|
|
|
| 33 |
|
|
DEFINE_MUTEX(xfrm_cfg_mutex);
|
| 34 |
|
|
EXPORT_SYMBOL(xfrm_cfg_mutex);
|
| 35 |
|
|
|
| 36 |
|
|
static DEFINE_RWLOCK(xfrm_policy_lock);
|
| 37 |
|
|
|
| 38 |
|
|
unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2];
|
| 39 |
|
|
EXPORT_SYMBOL(xfrm_policy_count);
|
| 40 |
|
|
|
| 41 |
|
|
static DEFINE_RWLOCK(xfrm_policy_afinfo_lock);
|
| 42 |
|
|
static struct xfrm_policy_afinfo *xfrm_policy_afinfo[NPROTO];
|
| 43 |
|
|
|
| 44 |
|
|
static struct kmem_cache *xfrm_dst_cache __read_mostly;
|
| 45 |
|
|
|
| 46 |
|
|
static struct work_struct xfrm_policy_gc_work;
|
| 47 |
|
|
static HLIST_HEAD(xfrm_policy_gc_list);
|
| 48 |
|
|
static DEFINE_SPINLOCK(xfrm_policy_gc_lock);
|
| 49 |
|
|
|
| 50 |
|
|
static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
|
| 51 |
|
|
static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
|
| 52 |
|
|
|
| 53 |
|
|
static inline int
|
| 54 |
|
|
__xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl)
|
| 55 |
|
|
{
|
| 56 |
|
|
return addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) &&
|
| 57 |
|
|
addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) &&
|
| 58 |
|
|
!((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
|
| 59 |
|
|
!((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
|
| 60 |
|
|
(fl->proto == sel->proto || !sel->proto) &&
|
| 61 |
|
|
(fl->oif == sel->ifindex || !sel->ifindex);
|
| 62 |
|
|
}
|
| 63 |
|
|
|
| 64 |
|
|
static inline int
|
| 65 |
|
|
__xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl)
|
| 66 |
|
|
{
|
| 67 |
|
|
return addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) &&
|
| 68 |
|
|
addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) &&
|
| 69 |
|
|
!((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
|
| 70 |
|
|
!((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
|
| 71 |
|
|
(fl->proto == sel->proto || !sel->proto) &&
|
| 72 |
|
|
(fl->oif == sel->ifindex || !sel->ifindex);
|
| 73 |
|
|
}
|
| 74 |
|
|
|
| 75 |
|
|
int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
|
| 76 |
|
|
unsigned short family)
|
| 77 |
|
|
{
|
| 78 |
|
|
switch (family) {
|
| 79 |
|
|
case AF_INET:
|
| 80 |
|
|
return __xfrm4_selector_match(sel, fl);
|
| 81 |
|
|
case AF_INET6:
|
| 82 |
|
|
return __xfrm6_selector_match(sel, fl);
|
| 83 |
|
|
}
|
| 84 |
|
|
return 0;
|
| 85 |
|
|
}
|
| 86 |
|
|
|
| 87 |
|
|
int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl,
|
| 88 |
|
|
unsigned short family)
|
| 89 |
|
|
{
|
| 90 |
|
|
struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
| 91 |
|
|
int err = 0;
|
| 92 |
|
|
|
| 93 |
|
|
if (unlikely(afinfo == NULL))
|
| 94 |
|
|
return -EAFNOSUPPORT;
|
| 95 |
|
|
|
| 96 |
|
|
if (likely(afinfo->dst_lookup != NULL))
|
| 97 |
|
|
err = afinfo->dst_lookup(dst, fl);
|
| 98 |
|
|
else
|
| 99 |
|
|
err = -EINVAL;
|
| 100 |
|
|
xfrm_policy_put_afinfo(afinfo);
|
| 101 |
|
|
return err;
|
| 102 |
|
|
}
|
| 103 |
|
|
EXPORT_SYMBOL(xfrm_dst_lookup);
|
| 104 |
|
|
|
| 105 |
|
|
static inline unsigned long make_jiffies(long secs)
|
| 106 |
|
|
{
|
| 107 |
|
|
if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
|
| 108 |
|
|
return MAX_SCHEDULE_TIMEOUT-1;
|
| 109 |
|
|
else
|
| 110 |
|
|
return secs*HZ;
|
| 111 |
|
|
}
|
| 112 |
|
|
|
| 113 |
|
|
static void xfrm_policy_timer(unsigned long data)
|
| 114 |
|
|
{
|
| 115 |
|
|
struct xfrm_policy *xp = (struct xfrm_policy*)data;
|
| 116 |
|
|
unsigned long now = get_seconds();
|
| 117 |
|
|
long next = LONG_MAX;
|
| 118 |
|
|
int warn = 0;
|
| 119 |
|
|
int dir;
|
| 120 |
|
|
|
| 121 |
|
|
read_lock(&xp->lock);
|
| 122 |
|
|
|
| 123 |
|
|
if (xp->dead)
|
| 124 |
|
|
goto out;
|
| 125 |
|
|
|
| 126 |
|
|
dir = xfrm_policy_id2dir(xp->index);
|
| 127 |
|
|
|
| 128 |
|
|
if (xp->lft.hard_add_expires_seconds) {
|
| 129 |
|
|
long tmo = xp->lft.hard_add_expires_seconds +
|
| 130 |
|
|
xp->curlft.add_time - now;
|
| 131 |
|
|
if (tmo <= 0)
|
| 132 |
|
|
goto expired;
|
| 133 |
|
|
if (tmo < next)
|
| 134 |
|
|
next = tmo;
|
| 135 |
|
|
}
|
| 136 |
|
|
if (xp->lft.hard_use_expires_seconds) {
|
| 137 |
|
|
long tmo = xp->lft.hard_use_expires_seconds +
|
| 138 |
|
|
(xp->curlft.use_time ? : xp->curlft.add_time) - now;
|
| 139 |
|
|
if (tmo <= 0)
|
| 140 |
|
|
goto expired;
|
| 141 |
|
|
if (tmo < next)
|
| 142 |
|
|
next = tmo;
|
| 143 |
|
|
}
|
| 144 |
|
|
if (xp->lft.soft_add_expires_seconds) {
|
| 145 |
|
|
long tmo = xp->lft.soft_add_expires_seconds +
|
| 146 |
|
|
xp->curlft.add_time - now;
|
| 147 |
|
|
if (tmo <= 0) {
|
| 148 |
|
|
warn = 1;
|
| 149 |
|
|
tmo = XFRM_KM_TIMEOUT;
|
| 150 |
|
|
}
|
| 151 |
|
|
if (tmo < next)
|
| 152 |
|
|
next = tmo;
|
| 153 |
|
|
}
|
| 154 |
|
|
if (xp->lft.soft_use_expires_seconds) {
|
| 155 |
|
|
long tmo = xp->lft.soft_use_expires_seconds +
|
| 156 |
|
|
(xp->curlft.use_time ? : xp->curlft.add_time) - now;
|
| 157 |
|
|
if (tmo <= 0) {
|
| 158 |
|
|
warn = 1;
|
| 159 |
|
|
tmo = XFRM_KM_TIMEOUT;
|
| 160 |
|
|
}
|
| 161 |
|
|
if (tmo < next)
|
| 162 |
|
|
next = tmo;
|
| 163 |
|
|
}
|
| 164 |
|
|
|
| 165 |
|
|
if (warn)
|
| 166 |
|
|
km_policy_expired(xp, dir, 0, 0);
|
| 167 |
|
|
if (next != LONG_MAX &&
|
| 168 |
|
|
!mod_timer(&xp->timer, jiffies + make_jiffies(next)))
|
| 169 |
|
|
xfrm_pol_hold(xp);
|
| 170 |
|
|
|
| 171 |
|
|
out:
|
| 172 |
|
|
read_unlock(&xp->lock);
|
| 173 |
|
|
xfrm_pol_put(xp);
|
| 174 |
|
|
return;
|
| 175 |
|
|
|
| 176 |
|
|
expired:
|
| 177 |
|
|
read_unlock(&xp->lock);
|
| 178 |
|
|
if (!xfrm_policy_delete(xp, dir))
|
| 179 |
|
|
km_policy_expired(xp, dir, 1, 0);
|
| 180 |
|
|
xfrm_pol_put(xp);
|
| 181 |
|
|
}
|
| 182 |
|
|
|
| 183 |
|
|
|
| 184 |
|
|
/* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
|
| 185 |
|
|
* SPD calls.
|
| 186 |
|
|
*/
|
| 187 |
|
|
|
| 188 |
|
|
struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp)
|
| 189 |
|
|
{
|
| 190 |
|
|
struct xfrm_policy *policy;
|
| 191 |
|
|
|
| 192 |
|
|
policy = kzalloc(sizeof(struct xfrm_policy), gfp);
|
| 193 |
|
|
|
| 194 |
|
|
if (policy) {
|
| 195 |
|
|
INIT_HLIST_NODE(&policy->bydst);
|
| 196 |
|
|
INIT_HLIST_NODE(&policy->byidx);
|
| 197 |
|
|
rwlock_init(&policy->lock);
|
| 198 |
|
|
atomic_set(&policy->refcnt, 1);
|
| 199 |
|
|
init_timer(&policy->timer);
|
| 200 |
|
|
policy->timer.data = (unsigned long)policy;
|
| 201 |
|
|
policy->timer.function = xfrm_policy_timer;
|
| 202 |
|
|
}
|
| 203 |
|
|
return policy;
|
| 204 |
|
|
}
|
| 205 |
|
|
EXPORT_SYMBOL(xfrm_policy_alloc);
|
| 206 |
|
|
|
| 207 |
|
|
/* Destroy xfrm_policy: descendant resources must be released to this moment. */
|
| 208 |
|
|
|
| 209 |
|
|
void __xfrm_policy_destroy(struct xfrm_policy *policy)
|
| 210 |
|
|
{
|
| 211 |
|
|
BUG_ON(!policy->dead);
|
| 212 |
|
|
|
| 213 |
|
|
BUG_ON(policy->bundles);
|
| 214 |
|
|
|
| 215 |
|
|
if (del_timer(&policy->timer))
|
| 216 |
|
|
BUG();
|
| 217 |
|
|
|
| 218 |
|
|
security_xfrm_policy_free(policy);
|
| 219 |
|
|
kfree(policy);
|
| 220 |
|
|
}
|
| 221 |
|
|
EXPORT_SYMBOL(__xfrm_policy_destroy);
|
| 222 |
|
|
|
| 223 |
|
|
static void xfrm_policy_gc_kill(struct xfrm_policy *policy)
|
| 224 |
|
|
{
|
| 225 |
|
|
struct dst_entry *dst;
|
| 226 |
|
|
|
| 227 |
|
|
while ((dst = policy->bundles) != NULL) {
|
| 228 |
|
|
policy->bundles = dst->next;
|
| 229 |
|
|
dst_free(dst);
|
| 230 |
|
|
}
|
| 231 |
|
|
|
| 232 |
|
|
if (del_timer(&policy->timer))
|
| 233 |
|
|
atomic_dec(&policy->refcnt);
|
| 234 |
|
|
|
| 235 |
|
|
if (atomic_read(&policy->refcnt) > 1)
|
| 236 |
|
|
flow_cache_flush();
|
| 237 |
|
|
|
| 238 |
|
|
xfrm_pol_put(policy);
|
| 239 |
|
|
}
|
| 240 |
|
|
|
| 241 |
|
|
static void xfrm_policy_gc_task(struct work_struct *work)
|
| 242 |
|
|
{
|
| 243 |
|
|
struct xfrm_policy *policy;
|
| 244 |
|
|
struct hlist_node *entry, *tmp;
|
| 245 |
|
|
struct hlist_head gc_list;
|
| 246 |
|
|
|
| 247 |
|
|
spin_lock_bh(&xfrm_policy_gc_lock);
|
| 248 |
|
|
gc_list.first = xfrm_policy_gc_list.first;
|
| 249 |
|
|
INIT_HLIST_HEAD(&xfrm_policy_gc_list);
|
| 250 |
|
|
spin_unlock_bh(&xfrm_policy_gc_lock);
|
| 251 |
|
|
|
| 252 |
|
|
hlist_for_each_entry_safe(policy, entry, tmp, &gc_list, bydst)
|
| 253 |
|
|
xfrm_policy_gc_kill(policy);
|
| 254 |
|
|
}
|
| 255 |
|
|
|
| 256 |
|
|
/* Rule must be locked. Release descentant resources, announce
|
| 257 |
|
|
* entry dead. The rule must be unlinked from lists to the moment.
|
| 258 |
|
|
*/
|
| 259 |
|
|
|
| 260 |
|
|
static void xfrm_policy_kill(struct xfrm_policy *policy)
|
| 261 |
|
|
{
|
| 262 |
|
|
int dead;
|
| 263 |
|
|
|
| 264 |
|
|
write_lock_bh(&policy->lock);
|
| 265 |
|
|
dead = policy->dead;
|
| 266 |
|
|
policy->dead = 1;
|
| 267 |
|
|
write_unlock_bh(&policy->lock);
|
| 268 |
|
|
|
| 269 |
|
|
if (unlikely(dead)) {
|
| 270 |
|
|
WARN_ON(1);
|
| 271 |
|
|
return;
|
| 272 |
|
|
}
|
| 273 |
|
|
|
| 274 |
|
|
spin_lock(&xfrm_policy_gc_lock);
|
| 275 |
|
|
hlist_add_head(&policy->bydst, &xfrm_policy_gc_list);
|
| 276 |
|
|
spin_unlock(&xfrm_policy_gc_lock);
|
| 277 |
|
|
|
| 278 |
|
|
schedule_work(&xfrm_policy_gc_work);
|
| 279 |
|
|
}
|
| 280 |
|
|
|
| 281 |
|
|
struct xfrm_policy_hash {
|
| 282 |
|
|
struct hlist_head *table;
|
| 283 |
|
|
unsigned int hmask;
|
| 284 |
|
|
};
|
| 285 |
|
|
|
| 286 |
|
|
static struct hlist_head xfrm_policy_inexact[XFRM_POLICY_MAX*2];
|
| 287 |
|
|
static struct xfrm_policy_hash xfrm_policy_bydst[XFRM_POLICY_MAX*2] __read_mostly;
|
| 288 |
|
|
static struct hlist_head *xfrm_policy_byidx __read_mostly;
|
| 289 |
|
|
static unsigned int xfrm_idx_hmask __read_mostly;
|
| 290 |
|
|
static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024;
|
| 291 |
|
|
|
| 292 |
|
|
static inline unsigned int idx_hash(u32 index)
|
| 293 |
|
|
{
|
| 294 |
|
|
return __idx_hash(index, xfrm_idx_hmask);
|
| 295 |
|
|
}
|
| 296 |
|
|
|
| 297 |
|
|
static struct hlist_head *policy_hash_bysel(struct xfrm_selector *sel, unsigned short family, int dir)
|
| 298 |
|
|
{
|
| 299 |
|
|
unsigned int hmask = xfrm_policy_bydst[dir].hmask;
|
| 300 |
|
|
unsigned int hash = __sel_hash(sel, family, hmask);
|
| 301 |
|
|
|
| 302 |
|
|
return (hash == hmask + 1 ?
|
| 303 |
|
|
&xfrm_policy_inexact[dir] :
|
| 304 |
|
|
xfrm_policy_bydst[dir].table + hash);
|
| 305 |
|
|
}
|
| 306 |
|
|
|
| 307 |
|
|
static struct hlist_head *policy_hash_direct(xfrm_address_t *daddr, xfrm_address_t *saddr, unsigned short family, int dir)
|
| 308 |
|
|
{
|
| 309 |
|
|
unsigned int hmask = xfrm_policy_bydst[dir].hmask;
|
| 310 |
|
|
unsigned int hash = __addr_hash(daddr, saddr, family, hmask);
|
| 311 |
|
|
|
| 312 |
|
|
return xfrm_policy_bydst[dir].table + hash;
|
| 313 |
|
|
}
|
| 314 |
|
|
|
| 315 |
|
|
static void xfrm_dst_hash_transfer(struct hlist_head *list,
|
| 316 |
|
|
struct hlist_head *ndsttable,
|
| 317 |
|
|
unsigned int nhashmask)
|
| 318 |
|
|
{
|
| 319 |
|
|
struct hlist_node *entry, *tmp;
|
| 320 |
|
|
struct xfrm_policy *pol;
|
| 321 |
|
|
|
| 322 |
|
|
hlist_for_each_entry_safe(pol, entry, tmp, list, bydst) {
|
| 323 |
|
|
unsigned int h;
|
| 324 |
|
|
|
| 325 |
|
|
h = __addr_hash(&pol->selector.daddr, &pol->selector.saddr,
|
| 326 |
|
|
pol->family, nhashmask);
|
| 327 |
|
|
hlist_add_head(&pol->bydst, ndsttable+h);
|
| 328 |
|
|
}
|
| 329 |
|
|
}
|
| 330 |
|
|
|
| 331 |
|
|
static void xfrm_idx_hash_transfer(struct hlist_head *list,
|
| 332 |
|
|
struct hlist_head *nidxtable,
|
| 333 |
|
|
unsigned int nhashmask)
|
| 334 |
|
|
{
|
| 335 |
|
|
struct hlist_node *entry, *tmp;
|
| 336 |
|
|
struct xfrm_policy *pol;
|
| 337 |
|
|
|
| 338 |
|
|
hlist_for_each_entry_safe(pol, entry, tmp, list, byidx) {
|
| 339 |
|
|
unsigned int h;
|
| 340 |
|
|
|
| 341 |
|
|
h = __idx_hash(pol->index, nhashmask);
|
| 342 |
|
|
hlist_add_head(&pol->byidx, nidxtable+h);
|
| 343 |
|
|
}
|
| 344 |
|
|
}
|
| 345 |
|
|
|
| 346 |
|
|
static unsigned long xfrm_new_hash_mask(unsigned int old_hmask)
|
| 347 |
|
|
{
|
| 348 |
|
|
return ((old_hmask + 1) << 1) - 1;
|
| 349 |
|
|
}
|
| 350 |
|
|
|
| 351 |
|
|
static void xfrm_bydst_resize(int dir)
|
| 352 |
|
|
{
|
| 353 |
|
|
unsigned int hmask = xfrm_policy_bydst[dir].hmask;
|
| 354 |
|
|
unsigned int nhashmask = xfrm_new_hash_mask(hmask);
|
| 355 |
|
|
unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
|
| 356 |
|
|
struct hlist_head *odst = xfrm_policy_bydst[dir].table;
|
| 357 |
|
|
struct hlist_head *ndst = xfrm_hash_alloc(nsize);
|
| 358 |
|
|
int i;
|
| 359 |
|
|
|
| 360 |
|
|
if (!ndst)
|
| 361 |
|
|
return;
|
| 362 |
|
|
|
| 363 |
|
|
write_lock_bh(&xfrm_policy_lock);
|
| 364 |
|
|
|
| 365 |
|
|
for (i = hmask; i >= 0; i--)
|
| 366 |
|
|
xfrm_dst_hash_transfer(odst + i, ndst, nhashmask);
|
| 367 |
|
|
|
| 368 |
|
|
xfrm_policy_bydst[dir].table = ndst;
|
| 369 |
|
|
xfrm_policy_bydst[dir].hmask = nhashmask;
|
| 370 |
|
|
|
| 371 |
|
|
write_unlock_bh(&xfrm_policy_lock);
|
| 372 |
|
|
|
| 373 |
|
|
xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head));
|
| 374 |
|
|
}
|
| 375 |
|
|
|
| 376 |
|
|
static void xfrm_byidx_resize(int total)
|
| 377 |
|
|
{
|
| 378 |
|
|
unsigned int hmask = xfrm_idx_hmask;
|
| 379 |
|
|
unsigned int nhashmask = xfrm_new_hash_mask(hmask);
|
| 380 |
|
|
unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
|
| 381 |
|
|
struct hlist_head *oidx = xfrm_policy_byidx;
|
| 382 |
|
|
struct hlist_head *nidx = xfrm_hash_alloc(nsize);
|
| 383 |
|
|
int i;
|
| 384 |
|
|
|
| 385 |
|
|
if (!nidx)
|
| 386 |
|
|
return;
|
| 387 |
|
|
|
| 388 |
|
|
write_lock_bh(&xfrm_policy_lock);
|
| 389 |
|
|
|
| 390 |
|
|
for (i = hmask; i >= 0; i--)
|
| 391 |
|
|
xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask);
|
| 392 |
|
|
|
| 393 |
|
|
xfrm_policy_byidx = nidx;
|
| 394 |
|
|
xfrm_idx_hmask = nhashmask;
|
| 395 |
|
|
|
| 396 |
|
|
write_unlock_bh(&xfrm_policy_lock);
|
| 397 |
|
|
|
| 398 |
|
|
xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head));
|
| 399 |
|
|
}
|
| 400 |
|
|
|
| 401 |
|
|
static inline int xfrm_bydst_should_resize(int dir, int *total)
|
| 402 |
|
|
{
|
| 403 |
|
|
unsigned int cnt = xfrm_policy_count[dir];
|
| 404 |
|
|
unsigned int hmask = xfrm_policy_bydst[dir].hmask;
|
| 405 |
|
|
|
| 406 |
|
|
if (total)
|
| 407 |
|
|
*total += cnt;
|
| 408 |
|
|
|
| 409 |
|
|
if ((hmask + 1) < xfrm_policy_hashmax &&
|
| 410 |
|
|
cnt > hmask)
|
| 411 |
|
|
return 1;
|
| 412 |
|
|
|
| 413 |
|
|
return 0;
|
| 414 |
|
|
}
|
| 415 |
|
|
|
| 416 |
|
|
static inline int xfrm_byidx_should_resize(int total)
|
| 417 |
|
|
{
|
| 418 |
|
|
unsigned int hmask = xfrm_idx_hmask;
|
| 419 |
|
|
|
| 420 |
|
|
if ((hmask + 1) < xfrm_policy_hashmax &&
|
| 421 |
|
|
total > hmask)
|
| 422 |
|
|
return 1;
|
| 423 |
|
|
|
| 424 |
|
|
return 0;
|
| 425 |
|
|
}
|
| 426 |
|
|
|
| 427 |
|
|
void xfrm_spd_getinfo(struct xfrmk_spdinfo *si)
|
| 428 |
|
|
{
|
| 429 |
|
|
read_lock_bh(&xfrm_policy_lock);
|
| 430 |
|
|
si->incnt = xfrm_policy_count[XFRM_POLICY_IN];
|
| 431 |
|
|
si->outcnt = xfrm_policy_count[XFRM_POLICY_OUT];
|
| 432 |
|
|
si->fwdcnt = xfrm_policy_count[XFRM_POLICY_FWD];
|
| 433 |
|
|
si->inscnt = xfrm_policy_count[XFRM_POLICY_IN+XFRM_POLICY_MAX];
|
| 434 |
|
|
si->outscnt = xfrm_policy_count[XFRM_POLICY_OUT+XFRM_POLICY_MAX];
|
| 435 |
|
|
si->fwdscnt = xfrm_policy_count[XFRM_POLICY_FWD+XFRM_POLICY_MAX];
|
| 436 |
|
|
si->spdhcnt = xfrm_idx_hmask;
|
| 437 |
|
|
si->spdhmcnt = xfrm_policy_hashmax;
|
| 438 |
|
|
read_unlock_bh(&xfrm_policy_lock);
|
| 439 |
|
|
}
|
| 440 |
|
|
EXPORT_SYMBOL(xfrm_spd_getinfo);
|
| 441 |
|
|
|
| 442 |
|
|
static DEFINE_MUTEX(hash_resize_mutex);
|
| 443 |
|
|
static void xfrm_hash_resize(struct work_struct *__unused)
|
| 444 |
|
|
{
|
| 445 |
|
|
int dir, total;
|
| 446 |
|
|
|
| 447 |
|
|
mutex_lock(&hash_resize_mutex);
|
| 448 |
|
|
|
| 449 |
|
|
total = 0;
|
| 450 |
|
|
for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
|
| 451 |
|
|
if (xfrm_bydst_should_resize(dir, &total))
|
| 452 |
|
|
xfrm_bydst_resize(dir);
|
| 453 |
|
|
}
|
| 454 |
|
|
if (xfrm_byidx_should_resize(total))
|
| 455 |
|
|
xfrm_byidx_resize(total);
|
| 456 |
|
|
|
| 457 |
|
|
mutex_unlock(&hash_resize_mutex);
|
| 458 |
|
|
}
|
| 459 |
|
|
|
| 460 |
|
|
static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize);
|
| 461 |
|
|
|
| 462 |
|
|
/* Generate new index... KAME seems to generate them ordered by cost
|
| 463 |
|
|
* of an absolute inpredictability of ordering of rules. This will not pass. */
|
| 464 |
|
|
static u32 xfrm_gen_index(u8 type, int dir)
|
| 465 |
|
|
{
|
| 466 |
|
|
static u32 idx_generator;
|
| 467 |
|
|
|
| 468 |
|
|
for (;;) {
|
| 469 |
|
|
struct hlist_node *entry;
|
| 470 |
|
|
struct hlist_head *list;
|
| 471 |
|
|
struct xfrm_policy *p;
|
| 472 |
|
|
u32 idx;
|
| 473 |
|
|
int found;
|
| 474 |
|
|
|
| 475 |
|
|
idx = (idx_generator | dir);
|
| 476 |
|
|
idx_generator += 8;
|
| 477 |
|
|
if (idx == 0)
|
| 478 |
|
|
idx = 8;
|
| 479 |
|
|
list = xfrm_policy_byidx + idx_hash(idx);
|
| 480 |
|
|
found = 0;
|
| 481 |
|
|
hlist_for_each_entry(p, entry, list, byidx) {
|
| 482 |
|
|
if (p->index == idx) {
|
| 483 |
|
|
found = 1;
|
| 484 |
|
|
break;
|
| 485 |
|
|
}
|
| 486 |
|
|
}
|
| 487 |
|
|
if (!found)
|
| 488 |
|
|
return idx;
|
| 489 |
|
|
}
|
| 490 |
|
|
}
|
| 491 |
|
|
|
| 492 |
|
|
static inline int selector_cmp(struct xfrm_selector *s1, struct xfrm_selector *s2)
|
| 493 |
|
|
{
|
| 494 |
|
|
u32 *p1 = (u32 *) s1;
|
| 495 |
|
|
u32 *p2 = (u32 *) s2;
|
| 496 |
|
|
int len = sizeof(struct xfrm_selector) / sizeof(u32);
|
| 497 |
|
|
int i;
|
| 498 |
|
|
|
| 499 |
|
|
for (i = 0; i < len; i++) {
|
| 500 |
|
|
if (p1[i] != p2[i])
|
| 501 |
|
|
return 1;
|
| 502 |
|
|
}
|
| 503 |
|
|
|
| 504 |
|
|
return 0;
|
| 505 |
|
|
}
|
| 506 |
|
|
|
| 507 |
|
|
int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
|
| 508 |
|
|
{
|
| 509 |
|
|
struct xfrm_policy *pol;
|
| 510 |
|
|
struct xfrm_policy *delpol;
|
| 511 |
|
|
struct hlist_head *chain;
|
| 512 |
|
|
struct hlist_node *entry, *newpos;
|
| 513 |
|
|
struct dst_entry *gc_list;
|
| 514 |
|
|
|
| 515 |
|
|
write_lock_bh(&xfrm_policy_lock);
|
| 516 |
|
|
chain = policy_hash_bysel(&policy->selector, policy->family, dir);
|
| 517 |
|
|
delpol = NULL;
|
| 518 |
|
|
newpos = NULL;
|
| 519 |
|
|
hlist_for_each_entry(pol, entry, chain, bydst) {
|
| 520 |
|
|
if (pol->type == policy->type &&
|
| 521 |
|
|
!selector_cmp(&pol->selector, &policy->selector) &&
|
| 522 |
|
|
xfrm_sec_ctx_match(pol->security, policy->security) &&
|
| 523 |
|
|
!WARN_ON(delpol)) {
|
| 524 |
|
|
if (excl) {
|
| 525 |
|
|
write_unlock_bh(&xfrm_policy_lock);
|
| 526 |
|
|
return -EEXIST;
|
| 527 |
|
|
}
|
| 528 |
|
|
delpol = pol;
|
| 529 |
|
|
if (policy->priority > pol->priority)
|
| 530 |
|
|
continue;
|
| 531 |
|
|
} else if (policy->priority >= pol->priority) {
|
| 532 |
|
|
newpos = &pol->bydst;
|
| 533 |
|
|
continue;
|
| 534 |
|
|
}
|
| 535 |
|
|
if (delpol)
|
| 536 |
|
|
break;
|
| 537 |
|
|
}
|
| 538 |
|
|
if (newpos)
|
| 539 |
|
|
hlist_add_after(newpos, &policy->bydst);
|
| 540 |
|
|
else
|
| 541 |
|
|
hlist_add_head(&policy->bydst, chain);
|
| 542 |
|
|
xfrm_pol_hold(policy);
|
| 543 |
|
|
xfrm_policy_count[dir]++;
|
| 544 |
|
|
atomic_inc(&flow_cache_genid);
|
| 545 |
|
|
if (delpol) {
|
| 546 |
|
|
hlist_del(&delpol->bydst);
|
| 547 |
|
|
hlist_del(&delpol->byidx);
|
| 548 |
|
|
xfrm_policy_count[dir]--;
|
| 549 |
|
|
}
|
| 550 |
|
|
policy->index = delpol ? delpol->index : xfrm_gen_index(policy->type, dir);
|
| 551 |
|
|
hlist_add_head(&policy->byidx, xfrm_policy_byidx+idx_hash(policy->index));
|
| 552 |
|
|
policy->curlft.add_time = get_seconds();
|
| 553 |
|
|
policy->curlft.use_time = 0;
|
| 554 |
|
|
if (!mod_timer(&policy->timer, jiffies + HZ))
|
| 555 |
|
|
xfrm_pol_hold(policy);
|
| 556 |
|
|
write_unlock_bh(&xfrm_policy_lock);
|
| 557 |
|
|
|
| 558 |
|
|
if (delpol)
|
| 559 |
|
|
xfrm_policy_kill(delpol);
|
| 560 |
|
|
else if (xfrm_bydst_should_resize(dir, NULL))
|
| 561 |
|
|
schedule_work(&xfrm_hash_work);
|
| 562 |
|
|
|
| 563 |
|
|
read_lock_bh(&xfrm_policy_lock);
|
| 564 |
|
|
gc_list = NULL;
|
| 565 |
|
|
entry = &policy->bydst;
|
| 566 |
|
|
hlist_for_each_entry_continue(policy, entry, bydst) {
|
| 567 |
|
|
struct dst_entry *dst;
|
| 568 |
|
|
|
| 569 |
|
|
write_lock(&policy->lock);
|
| 570 |
|
|
dst = policy->bundles;
|
| 571 |
|
|
if (dst) {
|
| 572 |
|
|
struct dst_entry *tail = dst;
|
| 573 |
|
|
while (tail->next)
|
| 574 |
|
|
tail = tail->next;
|
| 575 |
|
|
tail->next = gc_list;
|
| 576 |
|
|
gc_list = dst;
|
| 577 |
|
|
|
| 578 |
|
|
policy->bundles = NULL;
|
| 579 |
|
|
}
|
| 580 |
|
|
write_unlock(&policy->lock);
|
| 581 |
|
|
}
|
| 582 |
|
|
read_unlock_bh(&xfrm_policy_lock);
|
| 583 |
|
|
|
| 584 |
|
|
while (gc_list) {
|
| 585 |
|
|
struct dst_entry *dst = gc_list;
|
| 586 |
|
|
|
| 587 |
|
|
gc_list = dst->next;
|
| 588 |
|
|
dst_free(dst);
|
| 589 |
|
|
}
|
| 590 |
|
|
|
| 591 |
|
|
return 0;
|
| 592 |
|
|
}
|
| 593 |
|
|
EXPORT_SYMBOL(xfrm_policy_insert);
|
| 594 |
|
|
|
| 595 |
|
|
struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
|
| 596 |
|
|
struct xfrm_selector *sel,
|
| 597 |
|
|
struct xfrm_sec_ctx *ctx, int delete,
|
| 598 |
|
|
int *err)
|
| 599 |
|
|
{
|
| 600 |
|
|
struct xfrm_policy *pol, *ret;
|
| 601 |
|
|
struct hlist_head *chain;
|
| 602 |
|
|
struct hlist_node *entry;
|
| 603 |
|
|
|
| 604 |
|
|
*err = 0;
|
| 605 |
|
|
write_lock_bh(&xfrm_policy_lock);
|
| 606 |
|
|
chain = policy_hash_bysel(sel, sel->family, dir);
|
| 607 |
|
|
ret = NULL;
|
| 608 |
|
|
hlist_for_each_entry(pol, entry, chain, bydst) {
|
| 609 |
|
|
if (pol->type == type &&
|
| 610 |
|
|
!selector_cmp(sel, &pol->selector) &&
|
| 611 |
|
|
xfrm_sec_ctx_match(ctx, pol->security)) {
|
| 612 |
|
|
xfrm_pol_hold(pol);
|
| 613 |
|
|
if (delete) {
|
| 614 |
|
|
*err = security_xfrm_policy_delete(pol);
|
| 615 |
|
|
if (*err) {
|
| 616 |
|
|
write_unlock_bh(&xfrm_policy_lock);
|
| 617 |
|
|
return pol;
|
| 618 |
|
|
}
|
| 619 |
|
|
hlist_del(&pol->bydst);
|
| 620 |
|
|
hlist_del(&pol->byidx);
|
| 621 |
|
|
xfrm_policy_count[dir]--;
|
| 622 |
|
|
}
|
| 623 |
|
|
ret = pol;
|
| 624 |
|
|
break;
|
| 625 |
|
|
}
|
| 626 |
|
|
}
|
| 627 |
|
|
write_unlock_bh(&xfrm_policy_lock);
|
| 628 |
|
|
|
| 629 |
|
|
if (ret && delete) {
|
| 630 |
|
|
atomic_inc(&flow_cache_genid);
|
| 631 |
|
|
xfrm_policy_kill(ret);
|
| 632 |
|
|
}
|
| 633 |
|
|
return ret;
|
| 634 |
|
|
}
|
| 635 |
|
|
EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
|
| 636 |
|
|
|
| 637 |
|
|
struct xfrm_policy *xfrm_policy_byid(u8 type, int dir, u32 id, int delete,
|
| 638 |
|
|
int *err)
|
| 639 |
|
|
{
|
| 640 |
|
|
struct xfrm_policy *pol, *ret;
|
| 641 |
|
|
struct hlist_head *chain;
|
| 642 |
|
|
struct hlist_node *entry;
|
| 643 |
|
|
|
| 644 |
|
|
*err = -ENOENT;
|
| 645 |
|
|
if (xfrm_policy_id2dir(id) != dir)
|
| 646 |
|
|
return NULL;
|
| 647 |
|
|
|
| 648 |
|
|
*err = 0;
|
| 649 |
|
|
write_lock_bh(&xfrm_policy_lock);
|
| 650 |
|
|
chain = xfrm_policy_byidx + idx_hash(id);
|
| 651 |
|
|
ret = NULL;
|
| 652 |
|
|
hlist_for_each_entry(pol, entry, chain, byidx) {
|
| 653 |
|
|
if (pol->type == type && pol->index == id) {
|
| 654 |
|
|
xfrm_pol_hold(pol);
|
| 655 |
|
|
if (delete) {
|
| 656 |
|
|
*err = security_xfrm_policy_delete(pol);
|
| 657 |
|
|
if (*err) {
|
| 658 |
|
|
write_unlock_bh(&xfrm_policy_lock);
|
| 659 |
|
|
return pol;
|
| 660 |
|
|
}
|
| 661 |
|
|
hlist_del(&pol->bydst);
|
| 662 |
|
|
hlist_del(&pol->byidx);
|
| 663 |
|
|
xfrm_policy_count[dir]--;
|
| 664 |
|
|
}
|
| 665 |
|
|
ret = pol;
|
| 666 |
|
|
break;
|
| 667 |
|
|
}
|
| 668 |
|
|
}
|
| 669 |
|
|
write_unlock_bh(&xfrm_policy_lock);
|
| 670 |
|
|
|
| 671 |
|
|
if (ret && delete) {
|
| 672 |
|
|
atomic_inc(&flow_cache_genid);
|
| 673 |
|
|
xfrm_policy_kill(ret);
|
| 674 |
|
|
}
|
| 675 |
|
|
return ret;
|
| 676 |
|
|
}
|
| 677 |
|
|
EXPORT_SYMBOL(xfrm_policy_byid);
|
| 678 |
|
|
|
| 679 |
|
|
#ifdef CONFIG_SECURITY_NETWORK_XFRM
|
| 680 |
|
|
static inline int
|
| 681 |
|
|
xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
|
| 682 |
|
|
{
|
| 683 |
|
|
int dir, err = 0;
|
| 684 |
|
|
|
| 685 |
|
|
for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
|
| 686 |
|
|
struct xfrm_policy *pol;
|
| 687 |
|
|
struct hlist_node *entry;
|
| 688 |
|
|
int i;
|
| 689 |
|
|
|
| 690 |
|
|
hlist_for_each_entry(pol, entry,
|
| 691 |
|
|
&xfrm_policy_inexact[dir], bydst) {
|
| 692 |
|
|
if (pol->type != type)
|
| 693 |
|
|
continue;
|
| 694 |
|
|
err = security_xfrm_policy_delete(pol);
|
| 695 |
|
|
if (err) {
|
| 696 |
|
|
xfrm_audit_policy_delete(pol, 0,
|
| 697 |
|
|
audit_info->loginuid,
|
| 698 |
|
|
audit_info->secid);
|
| 699 |
|
|
return err;
|
| 700 |
|
|
}
|
| 701 |
|
|
}
|
| 702 |
|
|
for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
|
| 703 |
|
|
hlist_for_each_entry(pol, entry,
|
| 704 |
|
|
xfrm_policy_bydst[dir].table + i,
|
| 705 |
|
|
bydst) {
|
| 706 |
|
|
if (pol->type != type)
|
| 707 |
|
|
continue;
|
| 708 |
|
|
err = security_xfrm_policy_delete(pol);
|
| 709 |
|
|
if (err) {
|
| 710 |
|
|
xfrm_audit_policy_delete(pol, 0,
|
| 711 |
|
|
audit_info->loginuid,
|
| 712 |
|
|
audit_info->secid);
|
| 713 |
|
|
return err;
|
| 714 |
|
|
}
|
| 715 |
|
|
}
|
| 716 |
|
|
}
|
| 717 |
|
|
}
|
| 718 |
|
|
return err;
|
| 719 |
|
|
}
|
| 720 |
|
|
#else
|
| 721 |
|
|
static inline int
|
| 722 |
|
|
xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
|
| 723 |
|
|
{
|
| 724 |
|
|
return 0;
|
| 725 |
|
|
}
|
| 726 |
|
|
#endif
|
| 727 |
|
|
|
| 728 |
|
|
int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
|
| 729 |
|
|
{
|
| 730 |
|
|
int dir, err = 0;
|
| 731 |
|
|
|
| 732 |
|
|
write_lock_bh(&xfrm_policy_lock);
|
| 733 |
|
|
|
| 734 |
|
|
err = xfrm_policy_flush_secctx_check(type, audit_info);
|
| 735 |
|
|
if (err)
|
| 736 |
|
|
goto out;
|
| 737 |
|
|
|
| 738 |
|
|
for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
|
| 739 |
|
|
struct xfrm_policy *pol;
|
| 740 |
|
|
struct hlist_node *entry;
|
| 741 |
|
|
int i, killed;
|
| 742 |
|
|
|
| 743 |
|
|
killed = 0;
|
| 744 |
|
|
again1:
|
| 745 |
|
|
hlist_for_each_entry(pol, entry,
|
| 746 |
|
|
&xfrm_policy_inexact[dir], bydst) {
|
| 747 |
|
|
if (pol->type != type)
|
| 748 |
|
|
continue;
|
| 749 |
|
|
hlist_del(&pol->bydst);
|
| 750 |
|
|
hlist_del(&pol->byidx);
|
| 751 |
|
|
write_unlock_bh(&xfrm_policy_lock);
|
| 752 |
|
|
|
| 753 |
|
|
xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
|
| 754 |
|
|
audit_info->secid);
|
| 755 |
|
|
|
| 756 |
|
|
xfrm_policy_kill(pol);
|
| 757 |
|
|
killed++;
|
| 758 |
|
|
|
| 759 |
|
|
write_lock_bh(&xfrm_policy_lock);
|
| 760 |
|
|
goto again1;
|
| 761 |
|
|
}
|
| 762 |
|
|
|
| 763 |
|
|
for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
|
| 764 |
|
|
again2:
|
| 765 |
|
|
hlist_for_each_entry(pol, entry,
|
| 766 |
|
|
xfrm_policy_bydst[dir].table + i,
|
| 767 |
|
|
bydst) {
|
| 768 |
|
|
if (pol->type != type)
|
| 769 |
|
|
continue;
|
| 770 |
|
|
hlist_del(&pol->bydst);
|
| 771 |
|
|
hlist_del(&pol->byidx);
|
| 772 |
|
|
write_unlock_bh(&xfrm_policy_lock);
|
| 773 |
|
|
|
| 774 |
|
|
xfrm_audit_policy_delete(pol, 1,
|
| 775 |
|
|
audit_info->loginuid,
|
| 776 |
|
|
audit_info->secid);
|
| 777 |
|
|
xfrm_policy_kill(pol);
|
| 778 |
|
|
killed++;
|
| 779 |
|
|
|
| 780 |
|
|
write_lock_bh(&xfrm_policy_lock);
|
| 781 |
|
|
goto again2;
|
| 782 |
|
|
}
|
| 783 |
|
|
}
|
| 784 |
|
|
|
| 785 |
|
|
xfrm_policy_count[dir] -= killed;
|
| 786 |
|
|
}
|
| 787 |
|
|
atomic_inc(&flow_cache_genid);
|
| 788 |
|
|
out:
|
| 789 |
|
|
write_unlock_bh(&xfrm_policy_lock);
|
| 790 |
|
|
return err;
|
| 791 |
|
|
}
|
| 792 |
|
|
EXPORT_SYMBOL(xfrm_policy_flush);
|
| 793 |
|
|
|
| 794 |
|
|
int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*),
|
| 795 |
|
|
void *data)
|
| 796 |
|
|
{
|
| 797 |
|
|
struct xfrm_policy *pol, *last = NULL;
|
| 798 |
|
|
struct hlist_node *entry;
|
| 799 |
|
|
int dir, last_dir = 0, count, error;
|
| 800 |
|
|
|
| 801 |
|
|
read_lock_bh(&xfrm_policy_lock);
|
| 802 |
|
|
count = 0;
|
| 803 |
|
|
|
| 804 |
|
|
for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
|
| 805 |
|
|
struct hlist_head *table = xfrm_policy_bydst[dir].table;
|
| 806 |
|
|
int i;
|
| 807 |
|
|
|
| 808 |
|
|
hlist_for_each_entry(pol, entry,
|
| 809 |
|
|
&xfrm_policy_inexact[dir], bydst) {
|
| 810 |
|
|
if (pol->type != type)
|
| 811 |
|
|
continue;
|
| 812 |
|
|
if (last) {
|
| 813 |
|
|
error = func(last, last_dir % XFRM_POLICY_MAX,
|
| 814 |
|
|
count, data);
|
| 815 |
|
|
if (error)
|
| 816 |
|
|
goto out;
|
| 817 |
|
|
}
|
| 818 |
|
|
last = pol;
|
| 819 |
|
|
last_dir = dir;
|
| 820 |
|
|
count++;
|
| 821 |
|
|
}
|
| 822 |
|
|
for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
|
| 823 |
|
|
hlist_for_each_entry(pol, entry, table + i, bydst) {
|
| 824 |
|
|
if (pol->type != type)
|
| 825 |
|
|
continue;
|
| 826 |
|
|
if (last) {
|
| 827 |
|
|
error = func(last, last_dir % XFRM_POLICY_MAX,
|
| 828 |
|
|
count, data);
|
| 829 |
|
|
if (error)
|
| 830 |
|
|
goto out;
|
| 831 |
|
|
}
|
| 832 |
|
|
last = pol;
|
| 833 |
|
|
last_dir = dir;
|
| 834 |
|
|
count++;
|
| 835 |
|
|
}
|
| 836 |
|
|
}
|
| 837 |
|
|
}
|
| 838 |
|
|
if (count == 0) {
|
| 839 |
|
|
error = -ENOENT;
|
| 840 |
|
|
goto out;
|
| 841 |
|
|
}
|
| 842 |
|
|
error = func(last, last_dir % XFRM_POLICY_MAX, 0, data);
|
| 843 |
|
|
out:
|
| 844 |
|
|
read_unlock_bh(&xfrm_policy_lock);
|
| 845 |
|
|
return error;
|
| 846 |
|
|
}
|
| 847 |
|
|
EXPORT_SYMBOL(xfrm_policy_walk);
|
| 848 |
|
|
|
| 849 |
|
|
/*
|
| 850 |
|
|
* Find policy to apply to this flow.
|
| 851 |
|
|
*
|
| 852 |
|
|
* Returns 0 if policy found, else an -errno.
|
| 853 |
|
|
*/
|
| 854 |
|
|
static int xfrm_policy_match(struct xfrm_policy *pol, struct flowi *fl,
|
| 855 |
|
|
u8 type, u16 family, int dir)
|
| 856 |
|
|
{
|
| 857 |
|
|
struct xfrm_selector *sel = &pol->selector;
|
| 858 |
|
|
int match, ret = -ESRCH;
|
| 859 |
|
|
|
| 860 |
|
|
if (pol->family != family ||
|
| 861 |
|
|
pol->type != type)
|
| 862 |
|
|
return ret;
|
| 863 |
|
|
|
| 864 |
|
|
match = xfrm_selector_match(sel, fl, family);
|
| 865 |
|
|
if (match)
|
| 866 |
|
|
ret = security_xfrm_policy_lookup(pol, fl->secid, dir);
|
| 867 |
|
|
|
| 868 |
|
|
return ret;
|
| 869 |
|
|
}
|
| 870 |
|
|
|
| 871 |
|
|
static struct xfrm_policy *xfrm_policy_lookup_bytype(u8 type, struct flowi *fl,
|
| 872 |
|
|
u16 family, u8 dir)
|
| 873 |
|
|
{
|
| 874 |
|
|
int err;
|
| 875 |
|
|
struct xfrm_policy *pol, *ret;
|
| 876 |
|
|
xfrm_address_t *daddr, *saddr;
|
| 877 |
|
|
struct hlist_node *entry;
|
| 878 |
|
|
struct hlist_head *chain;
|
| 879 |
|
|
u32 priority = ~0U;
|
| 880 |
|
|
|
| 881 |
|
|
daddr = xfrm_flowi_daddr(fl, family);
|
| 882 |
|
|
saddr = xfrm_flowi_saddr(fl, family);
|
| 883 |
|
|
if (unlikely(!daddr || !saddr))
|
| 884 |
|
|
return NULL;
|
| 885 |
|
|
|
| 886 |
|
|
read_lock_bh(&xfrm_policy_lock);
|
| 887 |
|
|
chain = policy_hash_direct(daddr, saddr, family, dir);
|
| 888 |
|
|
ret = NULL;
|
| 889 |
|
|
hlist_for_each_entry(pol, entry, chain, bydst) {
|
| 890 |
|
|
err = xfrm_policy_match(pol, fl, type, family, dir);
|
| 891 |
|
|
if (err) {
|
| 892 |
|
|
if (err == -ESRCH)
|
| 893 |
|
|
continue;
|
| 894 |
|
|
else {
|
| 895 |
|
|
ret = ERR_PTR(err);
|
| 896 |
|
|
goto fail;
|
| 897 |
|
|
}
|
| 898 |
|
|
} else {
|
| 899 |
|
|
ret = pol;
|
| 900 |
|
|
priority = ret->priority;
|
| 901 |
|
|
break;
|
| 902 |
|
|
}
|
| 903 |
|
|
}
|
| 904 |
|
|
chain = &xfrm_policy_inexact[dir];
|
| 905 |
|
|
hlist_for_each_entry(pol, entry, chain, bydst) {
|
| 906 |
|
|
err = xfrm_policy_match(pol, fl, type, family, dir);
|
| 907 |
|
|
if (err) {
|
| 908 |
|
|
if (err == -ESRCH)
|
| 909 |
|
|
continue;
|
| 910 |
|
|
else {
|
| 911 |
|
|
ret = ERR_PTR(err);
|
| 912 |
|
|
goto fail;
|
| 913 |
|
|
}
|
| 914 |
|
|
} else if (pol->priority < priority) {
|
| 915 |
|
|
ret = pol;
|
| 916 |
|
|
break;
|
| 917 |
|
|
}
|
| 918 |
|
|
}
|
| 919 |
|
|
if (ret)
|
| 920 |
|
|
xfrm_pol_hold(ret);
|
| 921 |
|
|
fail:
|
| 922 |
|
|
read_unlock_bh(&xfrm_policy_lock);
|
| 923 |
|
|
|
| 924 |
|
|
return ret;
|
| 925 |
|
|
}
|
| 926 |
|
|
|
| 927 |
|
|
static int xfrm_policy_lookup(struct flowi *fl, u16 family, u8 dir,
|
| 928 |
|
|
void **objp, atomic_t **obj_refp)
|
| 929 |
|
|
{
|
| 930 |
|
|
struct xfrm_policy *pol;
|
| 931 |
|
|
int err = 0;
|
| 932 |
|
|
|
| 933 |
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
| 934 |
|
|
pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_SUB, fl, family, dir);
|
| 935 |
|
|
if (IS_ERR(pol)) {
|
| 936 |
|
|
err = PTR_ERR(pol);
|
| 937 |
|
|
pol = NULL;
|
| 938 |
|
|
}
|
| 939 |
|
|
if (pol || err)
|
| 940 |
|
|
goto end;
|
| 941 |
|
|
#endif
|
| 942 |
|
|
pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN, fl, family, dir);
|
| 943 |
|
|
if (IS_ERR(pol)) {
|
| 944 |
|
|
err = PTR_ERR(pol);
|
| 945 |
|
|
pol = NULL;
|
| 946 |
|
|
}
|
| 947 |
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
| 948 |
|
|
end:
|
| 949 |
|
|
#endif
|
| 950 |
|
|
if ((*objp = (void *) pol) != NULL)
|
| 951 |
|
|
*obj_refp = &pol->refcnt;
|
| 952 |
|
|
return err;
|
| 953 |
|
|
}
|
| 954 |
|
|
|
| 955 |
|
|
static inline int policy_to_flow_dir(int dir)
|
| 956 |
|
|
{
|
| 957 |
|
|
if (XFRM_POLICY_IN == FLOW_DIR_IN &&
|
| 958 |
|
|
XFRM_POLICY_OUT == FLOW_DIR_OUT &&
|
| 959 |
|
|
XFRM_POLICY_FWD == FLOW_DIR_FWD)
|
| 960 |
|
|
return dir;
|
| 961 |
|
|
switch (dir) {
|
| 962 |
|
|
default:
|
| 963 |
|
|
case XFRM_POLICY_IN:
|
| 964 |
|
|
return FLOW_DIR_IN;
|
| 965 |
|
|
case XFRM_POLICY_OUT:
|
| 966 |
|
|
return FLOW_DIR_OUT;
|
| 967 |
|
|
case XFRM_POLICY_FWD:
|
| 968 |
|
|
return FLOW_DIR_FWD;
|
| 969 |
|
|
}
|
| 970 |
|
|
}
|
| 971 |
|
|
|
| 972 |
|
|
static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl)
|
| 973 |
|
|
{
|
| 974 |
|
|
struct xfrm_policy *pol;
|
| 975 |
|
|
|
| 976 |
|
|
read_lock_bh(&xfrm_policy_lock);
|
| 977 |
|
|
if ((pol = sk->sk_policy[dir]) != NULL) {
|
| 978 |
|
|
int match = xfrm_selector_match(&pol->selector, fl,
|
| 979 |
|
|
sk->sk_family);
|
| 980 |
|
|
int err = 0;
|
| 981 |
|
|
|
| 982 |
|
|
if (match) {
|
| 983 |
|
|
err = security_xfrm_policy_lookup(pol, fl->secid,
|
| 984 |
|
|
policy_to_flow_dir(dir));
|
| 985 |
|
|
if (!err)
|
| 986 |
|
|
xfrm_pol_hold(pol);
|
| 987 |
|
|
else if (err == -ESRCH)
|
| 988 |
|
|
pol = NULL;
|
| 989 |
|
|
else
|
| 990 |
|
|
pol = ERR_PTR(err);
|
| 991 |
|
|
} else
|
| 992 |
|
|
pol = NULL;
|
| 993 |
|
|
}
|
| 994 |
|
|
read_unlock_bh(&xfrm_policy_lock);
|
| 995 |
|
|
return pol;
|
| 996 |
|
|
}
|
| 997 |
|
|
|
| 998 |
|
|
static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
|
| 999 |
|
|
{
|
| 1000 |
|
|
struct hlist_head *chain = policy_hash_bysel(&pol->selector,
|
| 1001 |
|
|
pol->family, dir);
|
| 1002 |
|
|
|
| 1003 |
|
|
hlist_add_head(&pol->bydst, chain);
|
| 1004 |
|
|
hlist_add_head(&pol->byidx, xfrm_policy_byidx+idx_hash(pol->index));
|
| 1005 |
|
|
xfrm_policy_count[dir]++;
|
| 1006 |
|
|
xfrm_pol_hold(pol);
|
| 1007 |
|
|
|
| 1008 |
|
|
if (xfrm_bydst_should_resize(dir, NULL))
|
| 1009 |
|
|
schedule_work(&xfrm_hash_work);
|
| 1010 |
|
|
}
|
| 1011 |
|
|
|
| 1012 |
|
|
static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
|
| 1013 |
|
|
int dir)
|
| 1014 |
|
|
{
|
| 1015 |
|
|
if (hlist_unhashed(&pol->bydst))
|
| 1016 |
|
|
return NULL;
|
| 1017 |
|
|
|
| 1018 |
|
|
hlist_del(&pol->bydst);
|
| 1019 |
|
|
hlist_del(&pol->byidx);
|
| 1020 |
|
|
xfrm_policy_count[dir]--;
|
| 1021 |
|
|
|
| 1022 |
|
|
return pol;
|
| 1023 |
|
|
}
|
| 1024 |
|
|
|
| 1025 |
|
|
int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
|
| 1026 |
|
|
{
|
| 1027 |
|
|
write_lock_bh(&xfrm_policy_lock);
|
| 1028 |
|
|
pol = __xfrm_policy_unlink(pol, dir);
|
| 1029 |
|
|
write_unlock_bh(&xfrm_policy_lock);
|
| 1030 |
|
|
if (pol) {
|
| 1031 |
|
|
if (dir < XFRM_POLICY_MAX)
|
| 1032 |
|
|
atomic_inc(&flow_cache_genid);
|
| 1033 |
|
|
xfrm_policy_kill(pol);
|
| 1034 |
|
|
return 0;
|
| 1035 |
|
|
}
|
| 1036 |
|
|
return -ENOENT;
|
| 1037 |
|
|
}
|
| 1038 |
|
|
EXPORT_SYMBOL(xfrm_policy_delete);
|
| 1039 |
|
|
|
| 1040 |
|
|
int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
|
| 1041 |
|
|
{
|
| 1042 |
|
|
struct xfrm_policy *old_pol;
|
| 1043 |
|
|
|
| 1044 |
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
| 1045 |
|
|
if (pol && pol->type != XFRM_POLICY_TYPE_MAIN)
|
| 1046 |
|
|
return -EINVAL;
|
| 1047 |
|
|
#endif
|
| 1048 |
|
|
|
| 1049 |
|
|
write_lock_bh(&xfrm_policy_lock);
|
| 1050 |
|
|
old_pol = sk->sk_policy[dir];
|
| 1051 |
|
|
sk->sk_policy[dir] = pol;
|
| 1052 |
|
|
if (pol) {
|
| 1053 |
|
|
pol->curlft.add_time = get_seconds();
|
| 1054 |
|
|
pol->index = xfrm_gen_index(pol->type, XFRM_POLICY_MAX+dir);
|
| 1055 |
|
|
__xfrm_policy_link(pol, XFRM_POLICY_MAX+dir);
|
| 1056 |
|
|
}
|
| 1057 |
|
|
if (old_pol)
|
| 1058 |
|
|
__xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
|
| 1059 |
|
|
write_unlock_bh(&xfrm_policy_lock);
|
| 1060 |
|
|
|
| 1061 |
|
|
if (old_pol) {
|
| 1062 |
|
|
xfrm_policy_kill(old_pol);
|
| 1063 |
|
|
}
|
| 1064 |
|
|
return 0;
|
| 1065 |
|
|
}
|
| 1066 |
|
|
|
| 1067 |
|
|
static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir)
|
| 1068 |
|
|
{
|
| 1069 |
|
|
struct xfrm_policy *newp = xfrm_policy_alloc(GFP_ATOMIC);
|
| 1070 |
|
|
|
| 1071 |
|
|
if (newp) {
|
| 1072 |
|
|
newp->selector = old->selector;
|
| 1073 |
|
|
if (security_xfrm_policy_clone(old, newp)) {
|
| 1074 |
|
|
kfree(newp);
|
| 1075 |
|
|
return NULL; /* ENOMEM */
|
| 1076 |
|
|
}
|
| 1077 |
|
|
newp->lft = old->lft;
|
| 1078 |
|
|
newp->curlft = old->curlft;
|
| 1079 |
|
|
newp->action = old->action;
|
| 1080 |
|
|
newp->flags = old->flags;
|
| 1081 |
|
|
newp->xfrm_nr = old->xfrm_nr;
|
| 1082 |
|
|
newp->index = old->index;
|
| 1083 |
|
|
newp->type = old->type;
|
| 1084 |
|
|
memcpy(newp->xfrm_vec, old->xfrm_vec,
|
| 1085 |
|
|
newp->xfrm_nr*sizeof(struct xfrm_tmpl));
|
| 1086 |
|
|
write_lock_bh(&xfrm_policy_lock);
|
| 1087 |
|
|
__xfrm_policy_link(newp, XFRM_POLICY_MAX+dir);
|
| 1088 |
|
|
write_unlock_bh(&xfrm_policy_lock);
|
| 1089 |
|
|
xfrm_pol_put(newp);
|
| 1090 |
|
|
}
|
| 1091 |
|
|
return newp;
|
| 1092 |
|
|
}
|
| 1093 |
|
|
|
| 1094 |
|
|
int __xfrm_sk_clone_policy(struct sock *sk)
|
| 1095 |
|
|
{
|
| 1096 |
|
|
struct xfrm_policy *p0 = sk->sk_policy[0],
|
| 1097 |
|
|
*p1 = sk->sk_policy[1];
|
| 1098 |
|
|
|
| 1099 |
|
|
sk->sk_policy[0] = sk->sk_policy[1] = NULL;
|
| 1100 |
|
|
if (p0 && (sk->sk_policy[0] = clone_policy(p0, 0)) == NULL)
|
| 1101 |
|
|
return -ENOMEM;
|
| 1102 |
|
|
if (p1 && (sk->sk_policy[1] = clone_policy(p1, 1)) == NULL)
|
| 1103 |
|
|
return -ENOMEM;
|
| 1104 |
|
|
return 0;
|
| 1105 |
|
|
}
|
| 1106 |
|
|
|
| 1107 |
|
|
static int
|
| 1108 |
|
|
xfrm_get_saddr(xfrm_address_t *local, xfrm_address_t *remote,
|
| 1109 |
|
|
unsigned short family)
|
| 1110 |
|
|
{
|
| 1111 |
|
|
int err;
|
| 1112 |
|
|
struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
| 1113 |
|
|
|
| 1114 |
|
|
if (unlikely(afinfo == NULL))
|
| 1115 |
|
|
return -EINVAL;
|
| 1116 |
|
|
err = afinfo->get_saddr(local, remote);
|
| 1117 |
|
|
xfrm_policy_put_afinfo(afinfo);
|
| 1118 |
|
|
return err;
|
| 1119 |
|
|
}
|
| 1120 |
|
|
|
| 1121 |
|
|
/* Resolve list of templates for the flow, given policy. */
|
| 1122 |
|
|
|
| 1123 |
|
|
static int
|
| 1124 |
|
|
xfrm_tmpl_resolve_one(struct xfrm_policy *policy, struct flowi *fl,
|
| 1125 |
|
|
struct xfrm_state **xfrm,
|
| 1126 |
|
|
unsigned short family)
|
| 1127 |
|
|
{
|
| 1128 |
|
|
int nx;
|
| 1129 |
|
|
int i, error;
|
| 1130 |
|
|
xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
|
| 1131 |
|
|
xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
|
| 1132 |
|
|
xfrm_address_t tmp;
|
| 1133 |
|
|
|
| 1134 |
|
|
for (nx=0, i = 0; i < policy->xfrm_nr; i++) {
|
| 1135 |
|
|
struct xfrm_state *x;
|
| 1136 |
|
|
xfrm_address_t *remote = daddr;
|
| 1137 |
|
|
xfrm_address_t *local = saddr;
|
| 1138 |
|
|
struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
|
| 1139 |
|
|
|
| 1140 |
|
|
if (tmpl->mode == XFRM_MODE_TUNNEL ||
|
| 1141 |
|
|
tmpl->mode == XFRM_MODE_BEET) {
|
| 1142 |
|
|
remote = &tmpl->id.daddr;
|
| 1143 |
|
|
local = &tmpl->saddr;
|
| 1144 |
|
|
family = tmpl->encap_family;
|
| 1145 |
|
|
if (xfrm_addr_any(local, family)) {
|
| 1146 |
|
|
error = xfrm_get_saddr(&tmp, remote, family);
|
| 1147 |
|
|
if (error)
|
| 1148 |
|
|
goto fail;
|
| 1149 |
|
|
local = &tmp;
|
| 1150 |
|
|
}
|
| 1151 |
|
|
}
|
| 1152 |
|
|
|
| 1153 |
|
|
x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
|
| 1154 |
|
|
|
| 1155 |
|
|
if (x && x->km.state == XFRM_STATE_VALID) {
|
| 1156 |
|
|
xfrm[nx++] = x;
|
| 1157 |
|
|
daddr = remote;
|
| 1158 |
|
|
saddr = local;
|
| 1159 |
|
|
continue;
|
| 1160 |
|
|
}
|
| 1161 |
|
|
if (x) {
|
| 1162 |
|
|
error = (x->km.state == XFRM_STATE_ERROR ?
|
| 1163 |
|
|
-EINVAL : -EAGAIN);
|
| 1164 |
|
|
xfrm_state_put(x);
|
| 1165 |
|
|
}
|
| 1166 |
|
|
|
| 1167 |
|
|
if (!tmpl->optional)
|
| 1168 |
|
|
goto fail;
|
| 1169 |
|
|
}
|
| 1170 |
|
|
return nx;
|
| 1171 |
|
|
|
| 1172 |
|
|
fail:
|
| 1173 |
|
|
for (nx--; nx>=0; nx--)
|
| 1174 |
|
|
xfrm_state_put(xfrm[nx]);
|
| 1175 |
|
|
return error;
|
| 1176 |
|
|
}
|
| 1177 |
|
|
|
| 1178 |
|
|
static int
|
| 1179 |
|
|
xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl,
|
| 1180 |
|
|
struct xfrm_state **xfrm,
|
| 1181 |
|
|
unsigned short family)
|
| 1182 |
|
|
{
|
| 1183 |
|
|
struct xfrm_state *tp[XFRM_MAX_DEPTH];
|
| 1184 |
|
|
struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
|
| 1185 |
|
|
int cnx = 0;
|
| 1186 |
|
|
int error;
|
| 1187 |
|
|
int ret;
|
| 1188 |
|
|
int i;
|
| 1189 |
|
|
|
| 1190 |
|
|
for (i = 0; i < npols; i++) {
|
| 1191 |
|
|
if (cnx + pols[i]->xfrm_nr >= XFRM_MAX_DEPTH) {
|
| 1192 |
|
|
error = -ENOBUFS;
|
| 1193 |
|
|
goto fail;
|
| 1194 |
|
|
}
|
| 1195 |
|
|
|
| 1196 |
|
|
ret = xfrm_tmpl_resolve_one(pols[i], fl, &tpp[cnx], family);
|
| 1197 |
|
|
if (ret < 0) {
|
| 1198 |
|
|
error = ret;
|
| 1199 |
|
|
goto fail;
|
| 1200 |
|
|
} else
|
| 1201 |
|
|
cnx += ret;
|
| 1202 |
|
|
}
|
| 1203 |
|
|
|
| 1204 |
|
|
/* found states are sorted for outbound processing */
|
| 1205 |
|
|
if (npols > 1)
|
| 1206 |
|
|
xfrm_state_sort(xfrm, tpp, cnx, family);
|
| 1207 |
|
|
|
| 1208 |
|
|
return cnx;
|
| 1209 |
|
|
|
| 1210 |
|
|
fail:
|
| 1211 |
|
|
for (cnx--; cnx>=0; cnx--)
|
| 1212 |
|
|
xfrm_state_put(tpp[cnx]);
|
| 1213 |
|
|
return error;
|
| 1214 |
|
|
|
| 1215 |
|
|
}
|
| 1216 |
|
|
|
| 1217 |
|
|
/* Check that the bundle accepts the flow and its components are
|
| 1218 |
|
|
* still valid.
|
| 1219 |
|
|
*/
|
| 1220 |
|
|
|
| 1221 |
|
|
static struct dst_entry *
|
| 1222 |
|
|
xfrm_find_bundle(struct flowi *fl, struct xfrm_policy *policy, unsigned short family)
|
| 1223 |
|
|
{
|
| 1224 |
|
|
struct dst_entry *x;
|
| 1225 |
|
|
struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
| 1226 |
|
|
if (unlikely(afinfo == NULL))
|
| 1227 |
|
|
return ERR_PTR(-EINVAL);
|
| 1228 |
|
|
x = afinfo->find_bundle(fl, policy);
|
| 1229 |
|
|
xfrm_policy_put_afinfo(afinfo);
|
| 1230 |
|
|
return x;
|
| 1231 |
|
|
}
|
| 1232 |
|
|
|
| 1233 |
|
|
/* Allocate chain of dst_entry's, attach known xfrm's, calculate
|
| 1234 |
|
|
* all the metrics... Shortly, bundle a bundle.
|
| 1235 |
|
|
*/
|
| 1236 |
|
|
|
| 1237 |
|
|
static int
|
| 1238 |
|
|
xfrm_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int nx,
|
| 1239 |
|
|
struct flowi *fl, struct dst_entry **dst_p,
|
| 1240 |
|
|
unsigned short family)
|
| 1241 |
|
|
{
|
| 1242 |
|
|
int err;
|
| 1243 |
|
|
struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
| 1244 |
|
|
if (unlikely(afinfo == NULL))
|
| 1245 |
|
|
return -EINVAL;
|
| 1246 |
|
|
err = afinfo->bundle_create(policy, xfrm, nx, fl, dst_p);
|
| 1247 |
|
|
xfrm_policy_put_afinfo(afinfo);
|
| 1248 |
|
|
return err;
|
| 1249 |
|
|
}
|
| 1250 |
|
|
|
| 1251 |
|
|
static int inline
|
| 1252 |
|
|
xfrm_dst_alloc_copy(void **target, void *src, int size)
|
| 1253 |
|
|
{
|
| 1254 |
|
|
if (!*target) {
|
| 1255 |
|
|
*target = kmalloc(size, GFP_ATOMIC);
|
| 1256 |
|
|
if (!*target)
|
| 1257 |
|
|
return -ENOMEM;
|
| 1258 |
|
|
}
|
| 1259 |
|
|
memcpy(*target, src, size);
|
| 1260 |
|
|
return 0;
|
| 1261 |
|
|
}
|
| 1262 |
|
|
|
| 1263 |
|
|
static int inline
|
| 1264 |
|
|
xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
|
| 1265 |
|
|
{
|
| 1266 |
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
| 1267 |
|
|
struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
|
| 1268 |
|
|
return xfrm_dst_alloc_copy((void **)&(xdst->partner),
|
| 1269 |
|
|
sel, sizeof(*sel));
|
| 1270 |
|
|
#else
|
| 1271 |
|
|
return 0;
|
| 1272 |
|
|
#endif
|
| 1273 |
|
|
}
|
| 1274 |
|
|
|
| 1275 |
|
|
static int inline
|
| 1276 |
|
|
xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
|
| 1277 |
|
|
{
|
| 1278 |
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
| 1279 |
|
|
struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
|
| 1280 |
|
|
return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl));
|
| 1281 |
|
|
#else
|
| 1282 |
|
|
return 0;
|
| 1283 |
|
|
#endif
|
| 1284 |
|
|
}
|
| 1285 |
|
|
|
| 1286 |
|
|
static int stale_bundle(struct dst_entry *dst);
|
| 1287 |
|
|
|
| 1288 |
|
|
/* Main function: finds/creates a bundle for given flow.
|
| 1289 |
|
|
*
|
| 1290 |
|
|
* At the moment we eat a raw IP route. Mostly to speed up lookups
|
| 1291 |
|
|
* on interfaces with disabled IPsec.
|
| 1292 |
|
|
*/
|
| 1293 |
|
|
int __xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
|
| 1294 |
|
|
struct sock *sk, int flags)
|
| 1295 |
|
|
{
|
| 1296 |
|
|
struct xfrm_policy *policy;
|
| 1297 |
|
|
struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
|
| 1298 |
|
|
int npols;
|
| 1299 |
|
|
int pol_dead;
|
| 1300 |
|
|
int xfrm_nr;
|
| 1301 |
|
|
int pi;
|
| 1302 |
|
|
struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
|
| 1303 |
|
|
struct dst_entry *dst, *dst_orig = *dst_p;
|
| 1304 |
|
|
int nx = 0;
|
| 1305 |
|
|
int err;
|
| 1306 |
|
|
u32 genid;
|
| 1307 |
|
|
u16 family;
|
| 1308 |
|
|
u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
|
| 1309 |
|
|
|
| 1310 |
|
|
restart:
|
| 1311 |
|
|
genid = atomic_read(&flow_cache_genid);
|
| 1312 |
|
|
policy = NULL;
|
| 1313 |
|
|
for (pi = 0; pi < ARRAY_SIZE(pols); pi++)
|
| 1314 |
|
|
pols[pi] = NULL;
|
| 1315 |
|
|
npols = 0;
|
| 1316 |
|
|
pol_dead = 0;
|
| 1317 |
|
|
xfrm_nr = 0;
|
| 1318 |
|
|
|
| 1319 |
|
|
if (sk && sk->sk_policy[XFRM_POLICY_OUT]) {
|
| 1320 |
|
|
policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
|
| 1321 |
|
|
err = PTR_ERR(policy);
|
| 1322 |
|
|
if (IS_ERR(policy))
|
| 1323 |
|
|
goto dropdst;
|
| 1324 |
|
|
}
|
| 1325 |
|
|
|
| 1326 |
|
|
if (!policy) {
|
| 1327 |
|
|
/* To accelerate a bit... */
|
| 1328 |
|
|
if ((dst_orig->flags & DST_NOXFRM) ||
|
| 1329 |
|
|
!xfrm_policy_count[XFRM_POLICY_OUT])
|
| 1330 |
|
|
return 0;
|
| 1331 |
|
|
|
| 1332 |
|
|
policy = flow_cache_lookup(fl, dst_orig->ops->family,
|
| 1333 |
|
|
dir, xfrm_policy_lookup);
|
| 1334 |
|
|
err = PTR_ERR(policy);
|
| 1335 |
|
|
if (IS_ERR(policy))
|
| 1336 |
|
|
goto dropdst;
|
| 1337 |
|
|
}
|
| 1338 |
|
|
|
| 1339 |
|
|
if (!policy)
|
| 1340 |
|
|
return 0;
|
| 1341 |
|
|
|
| 1342 |
|
|
family = dst_orig->ops->family;
|
| 1343 |
|
|
policy->curlft.use_time = get_seconds();
|
| 1344 |
|
|
pols[0] = policy;
|
| 1345 |
|
|
npols ++;
|
| 1346 |
|
|
xfrm_nr += pols[0]->xfrm_nr;
|
| 1347 |
|
|
|
| 1348 |
|
|
switch (policy->action) {
|
| 1349 |
|
|
default:
|
| 1350 |
|
|
case XFRM_POLICY_BLOCK:
|
| 1351 |
|
|
/* Prohibit the flow */
|
| 1352 |
|
|
err = -EPERM;
|
| 1353 |
|
|
goto error;
|
| 1354 |
|
|
|
| 1355 |
|
|
case XFRM_POLICY_ALLOW:
|
| 1356 |
|
|
#ifndef CONFIG_XFRM_SUB_POLICY
|
| 1357 |
|
|
if (policy->xfrm_nr == 0) {
|
| 1358 |
|
|
/* Flow passes not transformed. */
|
| 1359 |
|
|
xfrm_pol_put(policy);
|
| 1360 |
|
|
return 0;
|
| 1361 |
|
|
}
|
| 1362 |
|
|
#endif
|
| 1363 |
|
|
|
| 1364 |
|
|
/* Try to find matching bundle.
|
| 1365 |
|
|
*
|
| 1366 |
|
|
* LATER: help from flow cache. It is optional, this
|
| 1367 |
|
|
* is required only for output policy.
|
| 1368 |
|
|
*/
|
| 1369 |
|
|
dst = xfrm_find_bundle(fl, policy, family);
|
| 1370 |
|
|
if (IS_ERR(dst)) {
|
| 1371 |
|
|
err = PTR_ERR(dst);
|
| 1372 |
|
|
goto error;
|
| 1373 |
|
|
}
|
| 1374 |
|
|
|
| 1375 |
|
|
if (dst)
|
| 1376 |
|
|
break;
|
| 1377 |
|
|
|
| 1378 |
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
| 1379 |
|
|
if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
|
| 1380 |
|
|
pols[1] = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN,
|
| 1381 |
|
|
fl, family,
|
| 1382 |
|
|
XFRM_POLICY_OUT);
|
| 1383 |
|
|
if (pols[1]) {
|
| 1384 |
|
|
if (IS_ERR(pols[1])) {
|
| 1385 |
|
|
err = PTR_ERR(pols[1]);
|
| 1386 |
|
|
goto error;
|
| 1387 |
|
|
}
|
| 1388 |
|
|
if (pols[1]->action == XFRM_POLICY_BLOCK) {
|
| 1389 |
|
|
err = -EPERM;
|
| 1390 |
|
|
goto error;
|
| 1391 |
|
|
}
|
| 1392 |
|
|
npols ++;
|
| 1393 |
|
|
xfrm_nr += pols[1]->xfrm_nr;
|
| 1394 |
|
|
}
|
| 1395 |
|
|
}
|
| 1396 |
|
|
|
| 1397 |
|
|
/*
|
| 1398 |
|
|
* Because neither flowi nor bundle information knows about
|
| 1399 |
|
|
* transformation template size. On more than one policy usage
|
| 1400 |
|
|
* we can realize whether all of them is bypass or not after
|
| 1401 |
|
|
* they are searched. See above not-transformed bypass
|
| 1402 |
|
|
* is surrounded by non-sub policy configuration, too.
|
| 1403 |
|
|
*/
|
| 1404 |
|
|
if (xfrm_nr == 0) {
|
| 1405 |
|
|
/* Flow passes not transformed. */
|
| 1406 |
|
|
xfrm_pols_put(pols, npols);
|
| 1407 |
|
|
return 0;
|
| 1408 |
|
|
}
|
| 1409 |
|
|
|
| 1410 |
|
|
#endif
|
| 1411 |
|
|
nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family);
|
| 1412 |
|
|
|
| 1413 |
|
|
if (unlikely(nx<0)) {
|
| 1414 |
|
|
err = nx;
|
| 1415 |
|
|
if (err == -EAGAIN && sysctl_xfrm_larval_drop) {
|
| 1416 |
|
|
/* EREMOTE tells the caller to generate
|
| 1417 |
|
|
* a one-shot blackhole route.
|
| 1418 |
|
|
*/
|
| 1419 |
|
|
xfrm_pol_put(policy);
|
| 1420 |
|
|
return -EREMOTE;
|
| 1421 |
|
|
}
|
| 1422 |
|
|
if (err == -EAGAIN && flags) {
|
| 1423 |
|
|
DECLARE_WAITQUEUE(wait, current);
|
| 1424 |
|
|
|
| 1425 |
|
|
add_wait_queue(&km_waitq, &wait);
|
| 1426 |
|
|
set_current_state(TASK_INTERRUPTIBLE);
|
| 1427 |
|
|
schedule();
|
| 1428 |
|
|
set_current_state(TASK_RUNNING);
|
| 1429 |
|
|
remove_wait_queue(&km_waitq, &wait);
|
| 1430 |
|
|
|
| 1431 |
|
|
nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family);
|
| 1432 |
|
|
|
| 1433 |
|
|
if (nx == -EAGAIN && signal_pending(current)) {
|
| 1434 |
|
|
err = -ERESTART;
|
| 1435 |
|
|
goto error;
|
| 1436 |
|
|
}
|
| 1437 |
|
|
if (nx == -EAGAIN ||
|
| 1438 |
|
|
genid != atomic_read(&flow_cache_genid)) {
|
| 1439 |
|
|
xfrm_pols_put(pols, npols);
|
| 1440 |
|
|
goto restart;
|
| 1441 |
|
|
}
|
| 1442 |
|
|
err = nx;
|
| 1443 |
|
|
}
|
| 1444 |
|
|
if (err < 0)
|
| 1445 |
|
|
goto error;
|
| 1446 |
|
|
}
|
| 1447 |
|
|
if (nx == 0) {
|
| 1448 |
|
|
/* Flow passes not transformed. */
|
| 1449 |
|
|
xfrm_pols_put(pols, npols);
|
| 1450 |
|
|
return 0;
|
| 1451 |
|
|
}
|
| 1452 |
|
|
|
| 1453 |
|
|
dst = dst_orig;
|
| 1454 |
|
|
err = xfrm_bundle_create(policy, xfrm, nx, fl, &dst, family);
|
| 1455 |
|
|
|
| 1456 |
|
|
if (unlikely(err)) {
|
| 1457 |
|
|
int i;
|
| 1458 |
|
|
for (i=0; i<nx; i++)
|
| 1459 |
|
|
xfrm_state_put(xfrm[i]);
|
| 1460 |
|
|
goto error;
|
| 1461 |
|
|
}
|
| 1462 |
|
|
|
| 1463 |
|
|
for (pi = 0; pi < npols; pi++) {
|
| 1464 |
|
|
read_lock_bh(&pols[pi]->lock);
|
| 1465 |
|
|
pol_dead |= pols[pi]->dead;
|
| 1466 |
|
|
read_unlock_bh(&pols[pi]->lock);
|
| 1467 |
|
|
}
|
| 1468 |
|
|
|
| 1469 |
|
|
write_lock_bh(&policy->lock);
|
| 1470 |
|
|
if (unlikely(pol_dead || stale_bundle(dst))) {
|
| 1471 |
|
|
/* Wow! While we worked on resolving, this
|
| 1472 |
|
|
* policy has gone. Retry. It is not paranoia,
|
| 1473 |
|
|
* we just cannot enlist new bundle to dead object.
|
| 1474 |
|
|
* We can't enlist stable bundles either.
|
| 1475 |
|
|
*/
|
| 1476 |
|
|
write_unlock_bh(&policy->lock);
|
| 1477 |
|
|
if (dst)
|
| 1478 |
|
|
dst_free(dst);
|
| 1479 |
|
|
|
| 1480 |
|
|
err = -EHOSTUNREACH;
|
| 1481 |
|
|
goto error;
|
| 1482 |
|
|
}
|
| 1483 |
|
|
|
| 1484 |
|
|
if (npols > 1)
|
| 1485 |
|
|
err = xfrm_dst_update_parent(dst, &pols[1]->selector);
|
| 1486 |
|
|
else
|
| 1487 |
|
|
err = xfrm_dst_update_origin(dst, fl);
|
| 1488 |
|
|
if (unlikely(err)) {
|
| 1489 |
|
|
write_unlock_bh(&policy->lock);
|
| 1490 |
|
|
if (dst)
|
| 1491 |
|
|
dst_free(dst);
|
| 1492 |
|
|
goto error;
|
| 1493 |
|
|
}
|
| 1494 |
|
|
|
| 1495 |
|
|
dst->next = policy->bundles;
|
| 1496 |
|
|
policy->bundles = dst;
|
| 1497 |
|
|
dst_hold(dst);
|
| 1498 |
|
|
write_unlock_bh(&policy->lock);
|
| 1499 |
|
|
}
|
| 1500 |
|
|
*dst_p = dst;
|
| 1501 |
|
|
dst_release(dst_orig);
|
| 1502 |
|
|
xfrm_pols_put(pols, npols);
|
| 1503 |
|
|
return 0;
|
| 1504 |
|
|
|
| 1505 |
|
|
error:
|
| 1506 |
|
|
xfrm_pols_put(pols, npols);
|
| 1507 |
|
|
dropdst:
|
| 1508 |
|
|
dst_release(dst_orig);
|
| 1509 |
|
|
*dst_p = NULL;
|
| 1510 |
|
|
return err;
|
| 1511 |
|
|
}
|
| 1512 |
|
|
EXPORT_SYMBOL(__xfrm_lookup);
|
| 1513 |
|
|
|
| 1514 |
|
|
int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
|
| 1515 |
|
|
struct sock *sk, int flags)
|
| 1516 |
|
|
{
|
| 1517 |
|
|
int err = __xfrm_lookup(dst_p, fl, sk, flags);
|
| 1518 |
|
|
|
| 1519 |
|
|
if (err == -EREMOTE) {
|
| 1520 |
|
|
dst_release(*dst_p);
|
| 1521 |
|
|
*dst_p = NULL;
|
| 1522 |
|
|
err = -EAGAIN;
|
| 1523 |
|
|
}
|
| 1524 |
|
|
|
| 1525 |
|
|
return err;
|
| 1526 |
|
|
}
|
| 1527 |
|
|
EXPORT_SYMBOL(xfrm_lookup);
|
| 1528 |
|
|
|
| 1529 |
|
|
static inline int
|
| 1530 |
|
|
xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl)
|
| 1531 |
|
|
{
|
| 1532 |
|
|
struct xfrm_state *x;
|
| 1533 |
|
|
|
| 1534 |
|
|
if (!skb->sp || idx < 0 || idx >= skb->sp->len)
|
| 1535 |
|
|
return 0;
|
| 1536 |
|
|
x = skb->sp->xvec[idx];
|
| 1537 |
|
|
if (!x->type->reject)
|
| 1538 |
|
|
return 0;
|
| 1539 |
|
|
return x->type->reject(x, skb, fl);
|
| 1540 |
|
|
}
|
| 1541 |
|
|
|
| 1542 |
|
|
/* When skb is transformed back to its "native" form, we have to
|
| 1543 |
|
|
* check policy restrictions. At the moment we make this in maximally
|
| 1544 |
|
|
* stupid way. Shame on me. :-) Of course, connected sockets must
|
| 1545 |
|
|
* have policy cached at them.
|
| 1546 |
|
|
*/
|
| 1547 |
|
|
|
| 1548 |
|
|
static inline int
|
| 1549 |
|
|
xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
|
| 1550 |
|
|
unsigned short family)
|
| 1551 |
|
|
{
|
| 1552 |
|
|
if (xfrm_state_kern(x))
|
| 1553 |
|
|
return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family);
|
| 1554 |
|
|
return x->id.proto == tmpl->id.proto &&
|
| 1555 |
|
|
(x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
|
| 1556 |
|
|
(x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
|
| 1557 |
|
|
x->props.mode == tmpl->mode &&
|
| 1558 |
|
|
((tmpl->aalgos & (1<<x->props.aalgo)) ||
|
| 1559 |
|
|
!(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
|
| 1560 |
|
|
!(x->props.mode != XFRM_MODE_TRANSPORT &&
|
| 1561 |
|
|
xfrm_state_addr_cmp(tmpl, x, family));
|
| 1562 |
|
|
}
|
| 1563 |
|
|
|
| 1564 |
|
|
/*
|
| 1565 |
|
|
* 0 or more than 0 is returned when validation is succeeded (either bypass
|
| 1566 |
|
|
* because of optional transport mode, or next index of the mathced secpath
|
| 1567 |
|
|
* state with the template.
|
| 1568 |
|
|
* -1 is returned when no matching template is found.
|
| 1569 |
|
|
* Otherwise "-2 - errored_index" is returned.
|
| 1570 |
|
|
*/
|
| 1571 |
|
|
static inline int
|
| 1572 |
|
|
xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
|
| 1573 |
|
|
unsigned short family)
|
| 1574 |
|
|
{
|
| 1575 |
|
|
int idx = start;
|
| 1576 |
|
|
|
| 1577 |
|
|
if (tmpl->optional) {
|
| 1578 |
|
|
if (tmpl->mode == XFRM_MODE_TRANSPORT)
|
| 1579 |
|
|
return start;
|
| 1580 |
|
|
} else
|
| 1581 |
|
|
start = -1;
|
| 1582 |
|
|
for (; idx < sp->len; idx++) {
|
| 1583 |
|
|
if (xfrm_state_ok(tmpl, sp->xvec[idx], family))
|
| 1584 |
|
|
return ++idx;
|
| 1585 |
|
|
if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
|
| 1586 |
|
|
if (start == -1)
|
| 1587 |
|
|
start = -2-idx;
|
| 1588 |
|
|
break;
|
| 1589 |
|
|
}
|
| 1590 |
|
|
}
|
| 1591 |
|
|
return start;
|
| 1592 |
|
|
}
|
| 1593 |
|
|
|
| 1594 |
|
|
int
|
| 1595 |
|
|
xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
|
| 1596 |
|
|
{
|
| 1597 |
|
|
struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
| 1598 |
|
|
int err;
|
| 1599 |
|
|
|
| 1600 |
|
|
if (unlikely(afinfo == NULL))
|
| 1601 |
|
|
return -EAFNOSUPPORT;
|
| 1602 |
|
|
|
| 1603 |
|
|
afinfo->decode_session(skb, fl);
|
| 1604 |
|
|
err = security_xfrm_decode_session(skb, &fl->secid);
|
| 1605 |
|
|
xfrm_policy_put_afinfo(afinfo);
|
| 1606 |
|
|
return err;
|
| 1607 |
|
|
}
|
| 1608 |
|
|
EXPORT_SYMBOL(xfrm_decode_session);
|
| 1609 |
|
|
|
| 1610 |
|
|
static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp)
|
| 1611 |
|
|
{
|
| 1612 |
|
|
for (; k < sp->len; k++) {
|
| 1613 |
|
|
if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
|
| 1614 |
|
|
*idxp = k;
|
| 1615 |
|
|
return 1;
|
| 1616 |
|
|
}
|
| 1617 |
|
|
}
|
| 1618 |
|
|
|
| 1619 |
|
|
return 0;
|
| 1620 |
|
|
}
|
| 1621 |
|
|
|
| 1622 |
|
|
int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
|
| 1623 |
|
|
unsigned short family)
|
| 1624 |
|
|
{
|
| 1625 |
|
|
struct xfrm_policy *pol;
|
| 1626 |
|
|
struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
|
| 1627 |
|
|
int npols = 0;
|
| 1628 |
|
|
int xfrm_nr;
|
| 1629 |
|
|
int pi;
|
| 1630 |
|
|
struct flowi fl;
|
| 1631 |
|
|
u8 fl_dir = policy_to_flow_dir(dir);
|
| 1632 |
|
|
int xerr_idx = -1;
|
| 1633 |
|
|
|
| 1634 |
|
|
if (xfrm_decode_session(skb, &fl, family) < 0)
|
| 1635 |
|
|
return 0;
|
| 1636 |
|
|
nf_nat_decode_session(skb, &fl, family);
|
| 1637 |
|
|
|
| 1638 |
|
|
/* First, check used SA against their selectors. */
|
| 1639 |
|
|
if (skb->sp) {
|
| 1640 |
|
|
int i;
|
| 1641 |
|
|
|
| 1642 |
|
|
for (i=skb->sp->len-1; i>=0; i--) {
|
| 1643 |
|
|
struct xfrm_state *x = skb->sp->xvec[i];
|
| 1644 |
|
|
if (!xfrm_selector_match(&x->sel, &fl, family))
|
| 1645 |
|
|
return 0;
|
| 1646 |
|
|
}
|
| 1647 |
|
|
}
|
| 1648 |
|
|
|
| 1649 |
|
|
pol = NULL;
|
| 1650 |
|
|
if (sk && sk->sk_policy[dir]) {
|
| 1651 |
|
|
pol = xfrm_sk_policy_lookup(sk, dir, &fl);
|
| 1652 |
|
|
if (IS_ERR(pol))
|
| 1653 |
|
|
return 0;
|
| 1654 |
|
|
}
|
| 1655 |
|
|
|
| 1656 |
|
|
if (!pol)
|
| 1657 |
|
|
pol = flow_cache_lookup(&fl, family, fl_dir,
|
| 1658 |
|
|
xfrm_policy_lookup);
|
| 1659 |
|
|
|
| 1660 |
|
|
if (IS_ERR(pol))
|
| 1661 |
|
|
return 0;
|
| 1662 |
|
|
|
| 1663 |
|
|
if (!pol) {
|
| 1664 |
|
|
if (skb->sp && secpath_has_nontransport(skb->sp, 0, &xerr_idx)) {
|
| 1665 |
|
|
xfrm_secpath_reject(xerr_idx, skb, &fl);
|
| 1666 |
|
|
return 0;
|
| 1667 |
|
|
}
|
| 1668 |
|
|
return 1;
|
| 1669 |
|
|
}
|
| 1670 |
|
|
|
| 1671 |
|
|
pol->curlft.use_time = get_seconds();
|
| 1672 |
|
|
|
| 1673 |
|
|
pols[0] = pol;
|
| 1674 |
|
|
npols ++;
|
| 1675 |
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
| 1676 |
|
|
if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
|
| 1677 |
|
|
pols[1] = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN,
|
| 1678 |
|
|
&fl, family,
|
| 1679 |
|
|
XFRM_POLICY_IN);
|
| 1680 |
|
|
if (pols[1]) {
|
| 1681 |
|
|
if (IS_ERR(pols[1]))
|
| 1682 |
|
|
return 0;
|
| 1683 |
|
|
pols[1]->curlft.use_time = get_seconds();
|
| 1684 |
|
|
npols ++;
|
| 1685 |
|
|
}
|
| 1686 |
|
|
}
|
| 1687 |
|
|
#endif
|
| 1688 |
|
|
|
| 1689 |
|
|
if (pol->action == XFRM_POLICY_ALLOW) {
|
| 1690 |
|
|
struct sec_path *sp;
|
| 1691 |
|
|
static struct sec_path dummy;
|
| 1692 |
|
|
struct xfrm_tmpl *tp[XFRM_MAX_DEPTH];
|
| 1693 |
|
|
struct xfrm_tmpl *stp[XFRM_MAX_DEPTH];
|
| 1694 |
|
|
struct xfrm_tmpl **tpp = tp;
|
| 1695 |
|
|
int ti = 0;
|
| 1696 |
|
|
int i, k;
|
| 1697 |
|
|
|
| 1698 |
|
|
if ((sp = skb->sp) == NULL)
|
| 1699 |
|
|
sp = &dummy;
|
| 1700 |
|
|
|
| 1701 |
|
|
for (pi = 0; pi < npols; pi++) {
|
| 1702 |
|
|
if (pols[pi] != pol &&
|
| 1703 |
|
|
pols[pi]->action != XFRM_POLICY_ALLOW)
|
| 1704 |
|
|
goto reject;
|
| 1705 |
|
|
if (ti + pols[pi]->xfrm_nr >= XFRM_MAX_DEPTH)
|
| 1706 |
|
|
goto reject_error;
|
| 1707 |
|
|
for (i = 0; i < pols[pi]->xfrm_nr; i++)
|
| 1708 |
|
|
tpp[ti++] = &pols[pi]->xfrm_vec[i];
|
| 1709 |
|
|
}
|
| 1710 |
|
|
xfrm_nr = ti;
|
| 1711 |
|
|
if (npols > 1) {
|
| 1712 |
|
|
xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
|
| 1713 |
|
|
tpp = stp;
|
| 1714 |
|
|
}
|
| 1715 |
|
|
|
| 1716 |
|
|
/* For each tunnel xfrm, find the first matching tmpl.
|
| 1717 |
|
|
* For each tmpl before that, find corresponding xfrm.
|
| 1718 |
|
|
* Order is _important_. Later we will implement
|
| 1719 |
|
|
* some barriers, but at the moment barriers
|
| 1720 |
|
|
* are implied between each two transformations.
|
| 1721 |
|
|
*/
|
| 1722 |
|
|
for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
|
| 1723 |
|
|
k = xfrm_policy_ok(tpp[i], sp, k, family);
|
| 1724 |
|
|
if (k < 0) {
|
| 1725 |
|
|
if (k < -1)
|
| 1726 |
|
|
/* "-2 - errored_index" returned */
|
| 1727 |
|
|
xerr_idx = -(2+k);
|
| 1728 |
|
|
goto reject;
|
| 1729 |
|
|
}
|
| 1730 |
|
|
}
|
| 1731 |
|
|
|
| 1732 |
|
|
if (secpath_has_nontransport(sp, k, &xerr_idx))
|
| 1733 |
|
|
goto reject;
|
| 1734 |
|
|
|
| 1735 |
|
|
xfrm_pols_put(pols, npols);
|
| 1736 |
|
|
return 1;
|
| 1737 |
|
|
}
|
| 1738 |
|
|
|
| 1739 |
|
|
reject:
|
| 1740 |
|
|
xfrm_secpath_reject(xerr_idx, skb, &fl);
|
| 1741 |
|
|
reject_error:
|
| 1742 |
|
|
xfrm_pols_put(pols, npols);
|
| 1743 |
|
|
return 0;
|
| 1744 |
|
|
}
|
| 1745 |
|
|
EXPORT_SYMBOL(__xfrm_policy_check);
|
| 1746 |
|
|
|
| 1747 |
|
|
int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
|
| 1748 |
|
|
{
|
| 1749 |
|
|
struct flowi fl;
|
| 1750 |
|
|
|
| 1751 |
|
|
if (xfrm_decode_session(skb, &fl, family) < 0)
|
| 1752 |
|
|
return 0;
|
| 1753 |
|
|
|
| 1754 |
|
|
return xfrm_lookup(&skb->dst, &fl, NULL, 0) == 0;
|
| 1755 |
|
|
}
|
| 1756 |
|
|
EXPORT_SYMBOL(__xfrm_route_forward);
|
| 1757 |
|
|
|
| 1758 |
|
|
/* Optimize later using cookies and generation ids. */
|
| 1759 |
|
|
|
| 1760 |
|
|
static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
|
| 1761 |
|
|
{
|
| 1762 |
|
|
/* Code (such as __xfrm4_bundle_create()) sets dst->obsolete
|
| 1763 |
|
|
* to "-1" to force all XFRM destinations to get validated by
|
| 1764 |
|
|
* dst_ops->check on every use. We do this because when a
|
| 1765 |
|
|
* normal route referenced by an XFRM dst is obsoleted we do
|
| 1766 |
|
|
* not go looking around for all parent referencing XFRM dsts
|
| 1767 |
|
|
* so that we can invalidate them. It is just too much work.
|
| 1768 |
|
|
* Instead we make the checks here on every use. For example:
|
| 1769 |
|
|
*
|
| 1770 |
|
|
* XFRM dst A --> IPv4 dst X
|
| 1771 |
|
|
*
|
| 1772 |
|
|
* X is the "xdst->route" of A (X is also the "dst->path" of A
|
| 1773 |
|
|
* in this example). If X is marked obsolete, "A" will not
|
| 1774 |
|
|
* notice. That's what we are validating here via the
|
| 1775 |
|
|
* stale_bundle() check.
|
| 1776 |
|
|
*
|
| 1777 |
|
|
* When a policy's bundle is pruned, we dst_free() the XFRM
|
| 1778 |
|
|
* dst which causes it's ->obsolete field to be set to a
|
| 1779 |
|
|
* positive non-zero integer. If an XFRM dst has been pruned
|
| 1780 |
|
|
* like this, we want to force a new route lookup.
|
| 1781 |
|
|
*/
|
| 1782 |
|
|
if (dst->obsolete < 0 && !stale_bundle(dst))
|
| 1783 |
|
|
return dst;
|
| 1784 |
|
|
|
| 1785 |
|
|
return NULL;
|
| 1786 |
|
|
}
|
| 1787 |
|
|
|
| 1788 |
|
|
static int stale_bundle(struct dst_entry *dst)
|
| 1789 |
|
|
{
|
| 1790 |
|
|
return !xfrm_bundle_ok(NULL, (struct xfrm_dst *)dst, NULL, AF_UNSPEC, 0);
|
| 1791 |
|
|
}
|
| 1792 |
|
|
|
| 1793 |
|
|
void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
|
| 1794 |
|
|
{
|
| 1795 |
|
|
while ((dst = dst->child) && dst->xfrm && dst->dev == dev) {
|
| 1796 |
|
|
dst->dev = init_net.loopback_dev;
|
| 1797 |
|
|
dev_hold(dst->dev);
|
| 1798 |
|
|
dev_put(dev);
|
| 1799 |
|
|
}
|
| 1800 |
|
|
}
|
| 1801 |
|
|
EXPORT_SYMBOL(xfrm_dst_ifdown);
|
| 1802 |
|
|
|
| 1803 |
|
|
static void xfrm_link_failure(struct sk_buff *skb)
|
| 1804 |
|
|
{
|
| 1805 |
|
|
/* Impossible. Such dst must be popped before reaches point of failure. */
|
| 1806 |
|
|
return;
|
| 1807 |
|
|
}
|
| 1808 |
|
|
|
| 1809 |
|
|
static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
|
| 1810 |
|
|
{
|
| 1811 |
|
|
if (dst) {
|
| 1812 |
|
|
if (dst->obsolete) {
|
| 1813 |
|
|
dst_release(dst);
|
| 1814 |
|
|
dst = NULL;
|
| 1815 |
|
|
}
|
| 1816 |
|
|
}
|
| 1817 |
|
|
return dst;
|
| 1818 |
|
|
}
|
| 1819 |
|
|
|
| 1820 |
|
|
static void prune_one_bundle(struct xfrm_policy *pol, int (*func)(struct dst_entry *), struct dst_entry **gc_list_p)
|
| 1821 |
|
|
{
|
| 1822 |
|
|
struct dst_entry *dst, **dstp;
|
| 1823 |
|
|
|
| 1824 |
|
|
write_lock(&pol->lock);
|
| 1825 |
|
|
dstp = &pol->bundles;
|
| 1826 |
|
|
while ((dst=*dstp) != NULL) {
|
| 1827 |
|
|
if (func(dst)) {
|
| 1828 |
|
|
*dstp = dst->next;
|
| 1829 |
|
|
dst->next = *gc_list_p;
|
| 1830 |
|
|
*gc_list_p = dst;
|
| 1831 |
|
|
} else {
|
| 1832 |
|
|
dstp = &dst->next;
|
| 1833 |
|
|
}
|
| 1834 |
|
|
}
|
| 1835 |
|
|
write_unlock(&pol->lock);
|
| 1836 |
|
|
}
|
| 1837 |
|
|
|
| 1838 |
|
|
static void xfrm_prune_bundles(int (*func)(struct dst_entry *))
|
| 1839 |
|
|
{
|
| 1840 |
|
|
struct dst_entry *gc_list = NULL;
|
| 1841 |
|
|
int dir;
|
| 1842 |
|
|
|
| 1843 |
|
|
read_lock_bh(&xfrm_policy_lock);
|
| 1844 |
|
|
for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
|
| 1845 |
|
|
struct xfrm_policy *pol;
|
| 1846 |
|
|
struct hlist_node *entry;
|
| 1847 |
|
|
struct hlist_head *table;
|
| 1848 |
|
|
int i;
|
| 1849 |
|
|
|
| 1850 |
|
|
hlist_for_each_entry(pol, entry,
|
| 1851 |
|
|
&xfrm_policy_inexact[dir], bydst)
|
| 1852 |
|
|
prune_one_bundle(pol, func, &gc_list);
|
| 1853 |
|
|
|
| 1854 |
|
|
table = xfrm_policy_bydst[dir].table;
|
| 1855 |
|
|
for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
|
| 1856 |
|
|
hlist_for_each_entry(pol, entry, table + i, bydst)
|
| 1857 |
|
|
prune_one_bundle(pol, func, &gc_list);
|
| 1858 |
|
|
}
|
| 1859 |
|
|
}
|
| 1860 |
|
|
read_unlock_bh(&xfrm_policy_lock);
|
| 1861 |
|
|
|
| 1862 |
|
|
while (gc_list) {
|
| 1863 |
|
|
struct dst_entry *dst = gc_list;
|
| 1864 |
|
|
gc_list = dst->next;
|
| 1865 |
|
|
dst_free(dst);
|
| 1866 |
|
|
}
|
| 1867 |
|
|
}
|
| 1868 |
|
|
|
| 1869 |
|
|
static int unused_bundle(struct dst_entry *dst)
|
| 1870 |
|
|
{
|
| 1871 |
|
|
return !atomic_read(&dst->__refcnt);
|
| 1872 |
|
|
}
|
| 1873 |
|
|
|
| 1874 |
|
|
static void __xfrm_garbage_collect(void)
|
| 1875 |
|
|
{
|
| 1876 |
|
|
xfrm_prune_bundles(unused_bundle);
|
| 1877 |
|
|
}
|
| 1878 |
|
|
|
| 1879 |
|
|
static int xfrm_flush_bundles(void)
|
| 1880 |
|
|
{
|
| 1881 |
|
|
xfrm_prune_bundles(stale_bundle);
|
| 1882 |
|
|
return 0;
|
| 1883 |
|
|
}
|
| 1884 |
|
|
|
| 1885 |
|
|
void xfrm_init_pmtu(struct dst_entry *dst)
|
| 1886 |
|
|
{
|
| 1887 |
|
|
do {
|
| 1888 |
|
|
struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
|
| 1889 |
|
|
u32 pmtu, route_mtu_cached;
|
| 1890 |
|
|
|
| 1891 |
|
|
pmtu = dst_mtu(dst->child);
|
| 1892 |
|
|
xdst->child_mtu_cached = pmtu;
|
| 1893 |
|
|
|
| 1894 |
|
|
pmtu = xfrm_state_mtu(dst->xfrm, pmtu);
|
| 1895 |
|
|
|
| 1896 |
|
|
route_mtu_cached = dst_mtu(xdst->route);
|
| 1897 |
|
|
xdst->route_mtu_cached = route_mtu_cached;
|
| 1898 |
|
|
|
| 1899 |
|
|
if (pmtu > route_mtu_cached)
|
| 1900 |
|
|
pmtu = route_mtu_cached;
|
| 1901 |
|
|
|
| 1902 |
|
|
dst->metrics[RTAX_MTU-1] = pmtu;
|
| 1903 |
|
|
} while ((dst = dst->next));
|
| 1904 |
|
|
}
|
| 1905 |
|
|
|
| 1906 |
|
|
EXPORT_SYMBOL(xfrm_init_pmtu);
|
| 1907 |
|
|
|
| 1908 |
|
|
/* Check that the bundle accepts the flow and its components are
|
| 1909 |
|
|
* still valid.
|
| 1910 |
|
|
*/
|
| 1911 |
|
|
|
| 1912 |
|
|
int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
|
| 1913 |
|
|
struct flowi *fl, int family, int strict)
|
| 1914 |
|
|
{
|
| 1915 |
|
|
struct dst_entry *dst = &first->u.dst;
|
| 1916 |
|
|
struct xfrm_dst *last;
|
| 1917 |
|
|
u32 mtu;
|
| 1918 |
|
|
|
| 1919 |
|
|
if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
|
| 1920 |
|
|
(dst->dev && !netif_running(dst->dev)))
|
| 1921 |
|
|
return 0;
|
| 1922 |
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
| 1923 |
|
|
if (fl) {
|
| 1924 |
|
|
if (first->origin && !flow_cache_uli_match(first->origin, fl))
|
| 1925 |
|
|
return 0;
|
| 1926 |
|
|
if (first->partner &&
|
| 1927 |
|
|
!xfrm_selector_match(first->partner, fl, family))
|
| 1928 |
|
|
return 0;
|
| 1929 |
|
|
}
|
| 1930 |
|
|
#endif
|
| 1931 |
|
|
|
| 1932 |
|
|
last = NULL;
|
| 1933 |
|
|
|
| 1934 |
|
|
do {
|
| 1935 |
|
|
struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
|
| 1936 |
|
|
|
| 1937 |
|
|
if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
|
| 1938 |
|
|
return 0;
|
| 1939 |
|
|
if (fl && pol &&
|
| 1940 |
|
|
!security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl))
|
| 1941 |
|
|
return 0;
|
| 1942 |
|
|
if (dst->xfrm->km.state != XFRM_STATE_VALID)
|
| 1943 |
|
|
return 0;
|
| 1944 |
|
|
if (xdst->genid != dst->xfrm->genid)
|
| 1945 |
|
|
return 0;
|
| 1946 |
|
|
|
| 1947 |
|
|
if (strict && fl &&
|
| 1948 |
|
|
!(dst->xfrm->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
|
| 1949 |
|
|
!xfrm_state_addr_flow_check(dst->xfrm, fl, family))
|
| 1950 |
|
|
return 0;
|
| 1951 |
|
|
|
| 1952 |
|
|
mtu = dst_mtu(dst->child);
|
| 1953 |
|
|
if (xdst->child_mtu_cached != mtu) {
|
| 1954 |
|
|
last = xdst;
|
| 1955 |
|
|
xdst->child_mtu_cached = mtu;
|
| 1956 |
|
|
}
|
| 1957 |
|
|
|
| 1958 |
|
|
if (!dst_check(xdst->route, xdst->route_cookie))
|
| 1959 |
|
|
return 0;
|
| 1960 |
|
|
mtu = dst_mtu(xdst->route);
|
| 1961 |
|
|
if (xdst->route_mtu_cached != mtu) {
|
| 1962 |
|
|
last = xdst;
|
| 1963 |
|
|
xdst->route_mtu_cached = mtu;
|
| 1964 |
|
|
}
|
| 1965 |
|
|
|
| 1966 |
|
|
dst = dst->child;
|
| 1967 |
|
|
} while (dst->xfrm);
|
| 1968 |
|
|
|
| 1969 |
|
|
if (likely(!last))
|
| 1970 |
|
|
return 1;
|
| 1971 |
|
|
|
| 1972 |
|
|
mtu = last->child_mtu_cached;
|
| 1973 |
|
|
for (;;) {
|
| 1974 |
|
|
dst = &last->u.dst;
|
| 1975 |
|
|
|
| 1976 |
|
|
mtu = xfrm_state_mtu(dst->xfrm, mtu);
|
| 1977 |
|
|
if (mtu > last->route_mtu_cached)
|
| 1978 |
|
|
mtu = last->route_mtu_cached;
|
| 1979 |
|
|
dst->metrics[RTAX_MTU-1] = mtu;
|
| 1980 |
|
|
|
| 1981 |
|
|
if (last == first)
|
| 1982 |
|
|
break;
|
| 1983 |
|
|
|
| 1984 |
|
|
last = (struct xfrm_dst *)last->u.dst.next;
|
| 1985 |
|
|
last->child_mtu_cached = mtu;
|
| 1986 |
|
|
}
|
| 1987 |
|
|
|
| 1988 |
|
|
return 1;
|
| 1989 |
|
|
}
|
| 1990 |
|
|
|
| 1991 |
|
|
EXPORT_SYMBOL(xfrm_bundle_ok);
|
| 1992 |
|
|
|
| 1993 |
|
|
int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
|
| 1994 |
|
|
{
|
| 1995 |
|
|
int err = 0;
|
| 1996 |
|
|
if (unlikely(afinfo == NULL))
|
| 1997 |
|
|
return -EINVAL;
|
| 1998 |
|
|
if (unlikely(afinfo->family >= NPROTO))
|
| 1999 |
|
|
return -EAFNOSUPPORT;
|
| 2000 |
|
|
write_lock_bh(&xfrm_policy_afinfo_lock);
|
| 2001 |
|
|
if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL))
|
| 2002 |
|
|
err = -ENOBUFS;
|
| 2003 |
|
|
else {
|
| 2004 |
|
|
struct dst_ops *dst_ops = afinfo->dst_ops;
|
| 2005 |
|
|
if (likely(dst_ops->kmem_cachep == NULL))
|
| 2006 |
|
|
dst_ops->kmem_cachep = xfrm_dst_cache;
|
| 2007 |
|
|
if (likely(dst_ops->check == NULL))
|
| 2008 |
|
|
dst_ops->check = xfrm_dst_check;
|
| 2009 |
|
|
if (likely(dst_ops->negative_advice == NULL))
|
| 2010 |
|
|
dst_ops->negative_advice = xfrm_negative_advice;
|
| 2011 |
|
|
if (likely(dst_ops->link_failure == NULL))
|
| 2012 |
|
|
dst_ops->link_failure = xfrm_link_failure;
|
| 2013 |
|
|
if (likely(afinfo->garbage_collect == NULL))
|
| 2014 |
|
|
afinfo->garbage_collect = __xfrm_garbage_collect;
|
| 2015 |
|
|
xfrm_policy_afinfo[afinfo->family] = afinfo;
|
| 2016 |
|
|
}
|
| 2017 |
|
|
write_unlock_bh(&xfrm_policy_afinfo_lock);
|
| 2018 |
|
|
return err;
|
| 2019 |
|
|
}
|
| 2020 |
|
|
EXPORT_SYMBOL(xfrm_policy_register_afinfo);
|
| 2021 |
|
|
|
| 2022 |
|
|
int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
|
| 2023 |
|
|
{
|
| 2024 |
|
|
int err = 0;
|
| 2025 |
|
|
if (unlikely(afinfo == NULL))
|
| 2026 |
|
|
return -EINVAL;
|
| 2027 |
|
|
if (unlikely(afinfo->family >= NPROTO))
|
| 2028 |
|
|
return -EAFNOSUPPORT;
|
| 2029 |
|
|
write_lock_bh(&xfrm_policy_afinfo_lock);
|
| 2030 |
|
|
if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) {
|
| 2031 |
|
|
if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo))
|
| 2032 |
|
|
err = -EINVAL;
|
| 2033 |
|
|
else {
|
| 2034 |
|
|
struct dst_ops *dst_ops = afinfo->dst_ops;
|
| 2035 |
|
|
xfrm_policy_afinfo[afinfo->family] = NULL;
|
| 2036 |
|
|
dst_ops->kmem_cachep = NULL;
|
| 2037 |
|
|
dst_ops->check = NULL;
|
| 2038 |
|
|
dst_ops->negative_advice = NULL;
|
| 2039 |
|
|
dst_ops->link_failure = NULL;
|
| 2040 |
|
|
afinfo->garbage_collect = NULL;
|
| 2041 |
|
|
}
|
| 2042 |
|
|
}
|
| 2043 |
|
|
write_unlock_bh(&xfrm_policy_afinfo_lock);
|
| 2044 |
|
|
return err;
|
| 2045 |
|
|
}
|
| 2046 |
|
|
EXPORT_SYMBOL(xfrm_policy_unregister_afinfo);
|
| 2047 |
|
|
|
| 2048 |
|
|
static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)
|
| 2049 |
|
|
{
|
| 2050 |
|
|
struct xfrm_policy_afinfo *afinfo;
|
| 2051 |
|
|
if (unlikely(family >= NPROTO))
|
| 2052 |
|
|
return NULL;
|
| 2053 |
|
|
read_lock(&xfrm_policy_afinfo_lock);
|
| 2054 |
|
|
afinfo = xfrm_policy_afinfo[family];
|
| 2055 |
|
|
if (unlikely(!afinfo))
|
| 2056 |
|
|
read_unlock(&xfrm_policy_afinfo_lock);
|
| 2057 |
|
|
return afinfo;
|
| 2058 |
|
|
}
|
| 2059 |
|
|
|
| 2060 |
|
|
static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo)
|
| 2061 |
|
|
{
|
| 2062 |
|
|
read_unlock(&xfrm_policy_afinfo_lock);
|
| 2063 |
|
|
}
|
| 2064 |
|
|
|
| 2065 |
|
|
static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr)
|
| 2066 |
|
|
{
|
| 2067 |
|
|
struct net_device *dev = ptr;
|
| 2068 |
|
|
|
| 2069 |
|
|
if (dev->nd_net != &init_net)
|
| 2070 |
|
|
return NOTIFY_DONE;
|
| 2071 |
|
|
|
| 2072 |
|
|
switch (event) {
|
| 2073 |
|
|
case NETDEV_DOWN:
|
| 2074 |
|
|
xfrm_flush_bundles();
|
| 2075 |
|
|
}
|
| 2076 |
|
|
return NOTIFY_DONE;
|
| 2077 |
|
|
}
|
| 2078 |
|
|
|
| 2079 |
|
|
static struct notifier_block xfrm_dev_notifier = {
|
| 2080 |
|
|
xfrm_dev_event,
|
| 2081 |
|
|
NULL,
|
| 2082 |
|
|
|
| 2083 |
|
|
};
|
| 2084 |
|
|
|
| 2085 |
|
|
static void __init xfrm_policy_init(void)
|
| 2086 |
|
|
{
|
| 2087 |
|
|
unsigned int hmask, sz;
|
| 2088 |
|
|
int dir;
|
| 2089 |
|
|
|
| 2090 |
|
|
xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache",
|
| 2091 |
|
|
sizeof(struct xfrm_dst),
|
| 2092 |
|
|
0, SLAB_HWCACHE_ALIGN|SLAB_PANIC,
|
| 2093 |
|
|
NULL);
|
| 2094 |
|
|
|
| 2095 |
|
|
hmask = 8 - 1;
|
| 2096 |
|
|
sz = (hmask+1) * sizeof(struct hlist_head);
|
| 2097 |
|
|
|
| 2098 |
|
|
xfrm_policy_byidx = xfrm_hash_alloc(sz);
|
| 2099 |
|
|
xfrm_idx_hmask = hmask;
|
| 2100 |
|
|
if (!xfrm_policy_byidx)
|
| 2101 |
|
|
panic("XFRM: failed to allocate byidx hash\n");
|
| 2102 |
|
|
|
| 2103 |
|
|
for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
|
| 2104 |
|
|
struct xfrm_policy_hash *htab;
|
| 2105 |
|
|
|
| 2106 |
|
|
INIT_HLIST_HEAD(&xfrm_policy_inexact[dir]);
|
| 2107 |
|
|
|
| 2108 |
|
|
htab = &xfrm_policy_bydst[dir];
|
| 2109 |
|
|
htab->table = xfrm_hash_alloc(sz);
|
| 2110 |
|
|
htab->hmask = hmask;
|
| 2111 |
|
|
if (!htab->table)
|
| 2112 |
|
|
panic("XFRM: failed to allocate bydst hash\n");
|
| 2113 |
|
|
}
|
| 2114 |
|
|
|
| 2115 |
|
|
INIT_WORK(&xfrm_policy_gc_work, xfrm_policy_gc_task);
|
| 2116 |
|
|
register_netdevice_notifier(&xfrm_dev_notifier);
|
| 2117 |
|
|
}
|
| 2118 |
|
|
|
| 2119 |
|
|
void __init xfrm_init(void)
|
| 2120 |
|
|
{
|
| 2121 |
|
|
xfrm_state_init();
|
| 2122 |
|
|
xfrm_policy_init();
|
| 2123 |
|
|
xfrm_input_init();
|
| 2124 |
|
|
}
|
| 2125 |
|
|
|
| 2126 |
|
|
#ifdef CONFIG_AUDITSYSCALL
|
| 2127 |
|
|
static inline void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
|
| 2128 |
|
|
struct audit_buffer *audit_buf)
|
| 2129 |
|
|
{
|
| 2130 |
|
|
if (xp->security)
|
| 2131 |
|
|
audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
|
| 2132 |
|
|
xp->security->ctx_alg, xp->security->ctx_doi,
|
| 2133 |
|
|
xp->security->ctx_str);
|
| 2134 |
|
|
|
| 2135 |
|
|
switch(xp->selector.family) {
|
| 2136 |
|
|
case AF_INET:
|
| 2137 |
|
|
audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
|
| 2138 |
|
|
NIPQUAD(xp->selector.saddr.a4),
|
| 2139 |
|
|
NIPQUAD(xp->selector.daddr.a4));
|
| 2140 |
|
|
break;
|
| 2141 |
|
|
case AF_INET6:
|
| 2142 |
|
|
{
|
| 2143 |
|
|
struct in6_addr saddr6, daddr6;
|
| 2144 |
|
|
|
| 2145 |
|
|
memcpy(&saddr6, xp->selector.saddr.a6,
|
| 2146 |
|
|
sizeof(struct in6_addr));
|
| 2147 |
|
|
memcpy(&daddr6, xp->selector.daddr.a6,
|
| 2148 |
|
|
sizeof(struct in6_addr));
|
| 2149 |
|
|
audit_log_format(audit_buf,
|
| 2150 |
|
|
" src=" NIP6_FMT " dst=" NIP6_FMT,
|
| 2151 |
|
|
NIP6(saddr6), NIP6(daddr6));
|
| 2152 |
|
|
}
|
| 2153 |
|
|
break;
|
| 2154 |
|
|
}
|
| 2155 |
|
|
}
|
| 2156 |
|
|
|
| 2157 |
|
|
void
|
| 2158 |
|
|
xfrm_audit_policy_add(struct xfrm_policy *xp, int result, u32 auid, u32 sid)
|
| 2159 |
|
|
{
|
| 2160 |
|
|
struct audit_buffer *audit_buf;
|
| 2161 |
|
|
extern int audit_enabled;
|
| 2162 |
|
|
|
| 2163 |
|
|
if (audit_enabled == 0)
|
| 2164 |
|
|
return;
|
| 2165 |
|
|
audit_buf = xfrm_audit_start(auid, sid);
|
| 2166 |
|
|
if (audit_buf == NULL)
|
| 2167 |
|
|
return;
|
| 2168 |
|
|
audit_log_format(audit_buf, " op=SPD-add res=%u", result);
|
| 2169 |
|
|
xfrm_audit_common_policyinfo(xp, audit_buf);
|
| 2170 |
|
|
audit_log_end(audit_buf);
|
| 2171 |
|
|
}
|
| 2172 |
|
|
EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
|
| 2173 |
|
|
|
| 2174 |
|
|
void
|
| 2175 |
|
|
xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, u32 auid, u32 sid)
|
| 2176 |
|
|
{
|
| 2177 |
|
|
struct audit_buffer *audit_buf;
|
| 2178 |
|
|
extern int audit_enabled;
|
| 2179 |
|
|
|
| 2180 |
|
|
if (audit_enabled == 0)
|
| 2181 |
|
|
return;
|
| 2182 |
|
|
audit_buf = xfrm_audit_start(auid, sid);
|
| 2183 |
|
|
if (audit_buf == NULL)
|
| 2184 |
|
|
return;
|
| 2185 |
|
|
audit_log_format(audit_buf, " op=SPD-delete res=%u", result);
|
| 2186 |
|
|
xfrm_audit_common_policyinfo(xp, audit_buf);
|
| 2187 |
|
|
audit_log_end(audit_buf);
|
| 2188 |
|
|
}
|
| 2189 |
|
|
EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
|
| 2190 |
|
|
#endif
|
| 2191 |
|
|
|
| 2192 |
|
|
#ifdef CONFIG_XFRM_MIGRATE
|
| 2193 |
|
|
static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp,
|
| 2194 |
|
|
struct xfrm_selector *sel_tgt)
|
| 2195 |
|
|
{
|
| 2196 |
|
|
if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
|
| 2197 |
|
|
if (sel_tgt->family == sel_cmp->family &&
|
| 2198 |
|
|
xfrm_addr_cmp(&sel_tgt->daddr, &sel_cmp->daddr,
|
| 2199 |
|
|
sel_cmp->family) == 0 &&
|
| 2200 |
|
|
xfrm_addr_cmp(&sel_tgt->saddr, &sel_cmp->saddr,
|
| 2201 |
|
|
sel_cmp->family) == 0 &&
|
| 2202 |
|
|
sel_tgt->prefixlen_d == sel_cmp->prefixlen_d &&
|
| 2203 |
|
|
sel_tgt->prefixlen_s == sel_cmp->prefixlen_s) {
|
| 2204 |
|
|
return 1;
|
| 2205 |
|
|
}
|
| 2206 |
|
|
} else {
|
| 2207 |
|
|
if (memcmp(sel_tgt, sel_cmp, sizeof(*sel_tgt)) == 0) {
|
| 2208 |
|
|
return 1;
|
| 2209 |
|
|
}
|
| 2210 |
|
|
}
|
| 2211 |
|
|
return 0;
|
| 2212 |
|
|
}
|
| 2213 |
|
|
|
| 2214 |
|
|
static struct xfrm_policy * xfrm_migrate_policy_find(struct xfrm_selector *sel,
|
| 2215 |
|
|
u8 dir, u8 type)
|
| 2216 |
|
|
{
|
| 2217 |
|
|
struct xfrm_policy *pol, *ret = NULL;
|
| 2218 |
|
|
struct hlist_node *entry;
|
| 2219 |
|
|
struct hlist_head *chain;
|
| 2220 |
|
|
u32 priority = ~0U;
|
| 2221 |
|
|
|
| 2222 |
|
|
read_lock_bh(&xfrm_policy_lock);
|
| 2223 |
|
|
chain = policy_hash_direct(&sel->daddr, &sel->saddr, sel->family, dir);
|
| 2224 |
|
|
hlist_for_each_entry(pol, entry, chain, bydst) {
|
| 2225 |
|
|
if (xfrm_migrate_selector_match(sel, &pol->selector) &&
|
| 2226 |
|
|
pol->type == type) {
|
| 2227 |
|
|
ret = pol;
|
| 2228 |
|
|
priority = ret->priority;
|
| 2229 |
|
|
break;
|
| 2230 |
|
|
}
|
| 2231 |
|
|
}
|
| 2232 |
|
|
chain = &xfrm_policy_inexact[dir];
|
| 2233 |
|
|
hlist_for_each_entry(pol, entry, chain, bydst) {
|
| 2234 |
|
|
if (xfrm_migrate_selector_match(sel, &pol->selector) &&
|
| 2235 |
|
|
pol->type == type &&
|
| 2236 |
|
|
pol->priority < priority) {
|
| 2237 |
|
|
ret = pol;
|
| 2238 |
|
|
break;
|
| 2239 |
|
|
}
|
| 2240 |
|
|
}
|
| 2241 |
|
|
|
| 2242 |
|
|
if (ret)
|
| 2243 |
|
|
xfrm_pol_hold(ret);
|
| 2244 |
|
|
|
| 2245 |
|
|
read_unlock_bh(&xfrm_policy_lock);
|
| 2246 |
|
|
|
| 2247 |
|
|
return ret;
|
| 2248 |
|
|
}
|
| 2249 |
|
|
|
| 2250 |
|
|
static int migrate_tmpl_match(struct xfrm_migrate *m, struct xfrm_tmpl *t)
|
| 2251 |
|
|
{
|
| 2252 |
|
|
int match = 0;
|
| 2253 |
|
|
|
| 2254 |
|
|
if (t->mode == m->mode && t->id.proto == m->proto &&
|
| 2255 |
|
|
(m->reqid == 0 || t->reqid == m->reqid)) {
|
| 2256 |
|
|
switch (t->mode) {
|
| 2257 |
|
|
case XFRM_MODE_TUNNEL:
|
| 2258 |
|
|
case XFRM_MODE_BEET:
|
| 2259 |
|
|
if (xfrm_addr_cmp(&t->id.daddr, &m->old_daddr,
|
| 2260 |
|
|
m->old_family) == 0 &&
|
| 2261 |
|
|
xfrm_addr_cmp(&t->saddr, &m->old_saddr,
|
| 2262 |
|
|
m->old_family) == 0) {
|
| 2263 |
|
|
match = 1;
|
| 2264 |
|
|
}
|
| 2265 |
|
|
break;
|
| 2266 |
|
|
case XFRM_MODE_TRANSPORT:
|
| 2267 |
|
|
/* in case of transport mode, template does not store
|
| 2268 |
|
|
any IP addresses, hence we just compare mode and
|
| 2269 |
|
|
protocol */
|
| 2270 |
|
|
match = 1;
|
| 2271 |
|
|
break;
|
| 2272 |
|
|
default:
|
| 2273 |
|
|
break;
|
| 2274 |
|
|
}
|
| 2275 |
|
|
}
|
| 2276 |
|
|
return match;
|
| 2277 |
|
|
}
|
| 2278 |
|
|
|
| 2279 |
|
|
/* update endpoint address(es) of template(s) */
|
| 2280 |
|
|
static int xfrm_policy_migrate(struct xfrm_policy *pol,
|
| 2281 |
|
|
struct xfrm_migrate *m, int num_migrate)
|
| 2282 |
|
|
{
|
| 2283 |
|
|
struct xfrm_migrate *mp;
|
| 2284 |
|
|
struct dst_entry *dst;
|
| 2285 |
|
|
int i, j, n = 0;
|
| 2286 |
|
|
|
| 2287 |
|
|
write_lock_bh(&pol->lock);
|
| 2288 |
|
|
if (unlikely(pol->dead)) {
|
| 2289 |
|
|
/* target policy has been deleted */
|
| 2290 |
|
|
write_unlock_bh(&pol->lock);
|
| 2291 |
|
|
return -ENOENT;
|
| 2292 |
|
|
}
|
| 2293 |
|
|
|
| 2294 |
|
|
for (i = 0; i < pol->xfrm_nr; i++) {
|
| 2295 |
|
|
for (j = 0, mp = m; j < num_migrate; j++, mp++) {
|
| 2296 |
|
|
if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i]))
|
| 2297 |
|
|
continue;
|
| 2298 |
|
|
n++;
|
| 2299 |
|
|
if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL &&
|
| 2300 |
|
|
pol->xfrm_vec[i].mode != XFRM_MODE_BEET)
|
| 2301 |
|
|
continue;
|
| 2302 |
|
|
/* update endpoints */
|
| 2303 |
|
|
memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr,
|
| 2304 |
|
|
sizeof(pol->xfrm_vec[i].id.daddr));
|
| 2305 |
|
|
memcpy(&pol->xfrm_vec[i].saddr, &mp->new_saddr,
|
| 2306 |
|
|
sizeof(pol->xfrm_vec[i].saddr));
|
| 2307 |
|
|
pol->xfrm_vec[i].encap_family = mp->new_family;
|
| 2308 |
|
|
/* flush bundles */
|
| 2309 |
|
|
while ((dst = pol->bundles) != NULL) {
|
| 2310 |
|
|
pol->bundles = dst->next;
|
| 2311 |
|
|
dst_free(dst);
|
| 2312 |
|
|
}
|
| 2313 |
|
|
}
|
| 2314 |
|
|
}
|
| 2315 |
|
|
|
| 2316 |
|
|
write_unlock_bh(&pol->lock);
|
| 2317 |
|
|
|
| 2318 |
|
|
if (!n)
|
| 2319 |
|
|
return -ENODATA;
|
| 2320 |
|
|
|
| 2321 |
|
|
return 0;
|
| 2322 |
|
|
}
|
| 2323 |
|
|
|
| 2324 |
|
|
static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate)
|
| 2325 |
|
|
{
|
| 2326 |
|
|
int i, j;
|
| 2327 |
|
|
|
| 2328 |
|
|
if (num_migrate < 1 || num_migrate > XFRM_MAX_DEPTH)
|
| 2329 |
|
|
return -EINVAL;
|
| 2330 |
|
|
|
| 2331 |
|
|
for (i = 0; i < num_migrate; i++) {
|
| 2332 |
|
|
if ((xfrm_addr_cmp(&m[i].old_daddr, &m[i].new_daddr,
|
| 2333 |
|
|
m[i].old_family) == 0) &&
|
| 2334 |
|
|
(xfrm_addr_cmp(&m[i].old_saddr, &m[i].new_saddr,
|
| 2335 |
|
|
m[i].old_family) == 0))
|
| 2336 |
|
|
return -EINVAL;
|
| 2337 |
|
|
if (xfrm_addr_any(&m[i].new_daddr, m[i].new_family) ||
|
| 2338 |
|
|
xfrm_addr_any(&m[i].new_saddr, m[i].new_family))
|
| 2339 |
|
|
return -EINVAL;
|
| 2340 |
|
|
|
| 2341 |
|
|
/* check if there is any duplicated entry */
|
| 2342 |
|
|
for (j = i + 1; j < num_migrate; j++) {
|
| 2343 |
|
|
if (!memcmp(&m[i].old_daddr, &m[j].old_daddr,
|
| 2344 |
|
|
sizeof(m[i].old_daddr)) &&
|
| 2345 |
|
|
!memcmp(&m[i].old_saddr, &m[j].old_saddr,
|
| 2346 |
|
|
sizeof(m[i].old_saddr)) &&
|
| 2347 |
|
|
m[i].proto == m[j].proto &&
|
| 2348 |
|
|
m[i].mode == m[j].mode &&
|
| 2349 |
|
|
m[i].reqid == m[j].reqid &&
|
| 2350 |
|
|
m[i].old_family == m[j].old_family)
|
| 2351 |
|
|
return -EINVAL;
|
| 2352 |
|
|
}
|
| 2353 |
|
|
}
|
| 2354 |
|
|
|
| 2355 |
|
|
return 0;
|
| 2356 |
|
|
}
|
| 2357 |
|
|
|
| 2358 |
|
|
int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
|
| 2359 |
|
|
struct xfrm_migrate *m, int num_migrate)
|
| 2360 |
|
|
{
|
| 2361 |
|
|
int i, err, nx_cur = 0, nx_new = 0;
|
| 2362 |
|
|
struct xfrm_policy *pol = NULL;
|
| 2363 |
|
|
struct xfrm_state *x, *xc;
|
| 2364 |
|
|
struct xfrm_state *x_cur[XFRM_MAX_DEPTH];
|
| 2365 |
|
|
struct xfrm_state *x_new[XFRM_MAX_DEPTH];
|
| 2366 |
|
|
struct xfrm_migrate *mp;
|
| 2367 |
|
|
|
| 2368 |
|
|
if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
|
| 2369 |
|
|
goto out;
|
| 2370 |
|
|
|
| 2371 |
|
|
/* Stage 1 - find policy */
|
| 2372 |
|
|
if ((pol = xfrm_migrate_policy_find(sel, dir, type)) == NULL) {
|
| 2373 |
|
|
err = -ENOENT;
|
| 2374 |
|
|
goto out;
|
| 2375 |
|
|
}
|
| 2376 |
|
|
|
| 2377 |
|
|
/* Stage 2 - find and update state(s) */
|
| 2378 |
|
|
for (i = 0, mp = m; i < num_migrate; i++, mp++) {
|
| 2379 |
|
|
if ((x = xfrm_migrate_state_find(mp))) {
|
| 2380 |
|
|
x_cur[nx_cur] = x;
|
| 2381 |
|
|
nx_cur++;
|
| 2382 |
|
|
if ((xc = xfrm_state_migrate(x, mp))) {
|
| 2383 |
|
|
x_new[nx_new] = xc;
|
| 2384 |
|
|
nx_new++;
|
| 2385 |
|
|
} else {
|
| 2386 |
|
|
err = -ENODATA;
|
| 2387 |
|
|
goto restore_state;
|
| 2388 |
|
|
}
|
| 2389 |
|
|
}
|
| 2390 |
|
|
}
|
| 2391 |
|
|
|
| 2392 |
|
|
/* Stage 3 - update policy */
|
| 2393 |
|
|
if ((err = xfrm_policy_migrate(pol, m, num_migrate)) < 0)
|
| 2394 |
|
|
goto restore_state;
|
| 2395 |
|
|
|
| 2396 |
|
|
/* Stage 4 - delete old state(s) */
|
| 2397 |
|
|
if (nx_cur) {
|
| 2398 |
|
|
xfrm_states_put(x_cur, nx_cur);
|
| 2399 |
|
|
xfrm_states_delete(x_cur, nx_cur);
|
| 2400 |
|
|
}
|
| 2401 |
|
|
|
| 2402 |
|
|
/* Stage 5 - announce */
|
| 2403 |
|
|
km_migrate(sel, dir, type, m, num_migrate);
|
| 2404 |
|
|
|
| 2405 |
|
|
xfrm_pol_put(pol);
|
| 2406 |
|
|
|
| 2407 |
|
|
return 0;
|
| 2408 |
|
|
out:
|
| 2409 |
|
|
return err;
|
| 2410 |
|
|
|
| 2411 |
|
|
restore_state:
|
| 2412 |
|
|
if (pol)
|
| 2413 |
|
|
xfrm_pol_put(pol);
|
| 2414 |
|
|
if (nx_cur)
|
| 2415 |
|
|
xfrm_states_put(x_cur, nx_cur);
|
| 2416 |
|
|
if (nx_new)
|
| 2417 |
|
|
xfrm_states_delete(x_new, nx_new);
|
| 2418 |
|
|
|
| 2419 |
|
|
return err;
|
| 2420 |
|
|
}
|
| 2421 |
|
|
EXPORT_SYMBOL(xfrm_migrate);
|
| 2422 |
|
|
#endif
|
