
Lines Matching +full:ports +full:- +full:block +full:- +full:pack +full:- +full:mode

1 /* SPDX-License-Identifier: GPL-2.0 */
46 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
48 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
50 MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto))
53 #define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
60 ------------------------------------
63 - policy rule, struct xfrm_policy (=SPD entry)
64 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
65 - instance of a transformer, struct xfrm_state (=SA)
66 - template to clone xfrm_state, struct xfrm_tmpl
75 If "action" is "block", then we prohibit the flow, otherwise:
79 to a complete xfrm_state (see below) and we pack bundle of transformations
82 dst -. xfrm .-> xfrm_state #1
83 |---. child .-> dst -. xfrm .-> xfrm_state #2
84 |---. child .-> dst -. xfrm .-> xfrm_state #3
85 |---. child .-> NULL
87 Bundles are cached at xfrm_policy struct (field ->bundles).
91 -----------------------
93 1. ->mode Mode: transport or tunnel
94 2. ->id.proto Protocol: AH/ESP/IPCOMP
95 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
97 4. ->id.spi If not zero, static SPI.
98 5. ->saddr Local tunnel endpoint, ignored for transport mode.
99 6. ->algos List of allowed algos. Plain bitmask now.
101 7. ->share Sharing mode.
102 Q: how to implement private sharing mode? To add struct sock* to
106 with appropriate mode/proto/algo, permitted by selector.
117 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
203 u8 mode; member
232 /* Data for care-of address */
249 /* replay detection mode */
271 /* used to fix curlft->add_time when changing date */
298 return read_pnet(&x->xs_net); in xs_net()
301 /* xflags - make enum if more show up */
465 if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) || in xfrm_ip2inner_mode()
466 (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6)) in xfrm_ip2inner_mode()
467 return &x->inner_mode; in xfrm_ip2inner_mode()
469 return &x->inner_mode_iaf; in xfrm_ip2inner_mode()
474 * daddr - destination of tunnel, may be zero for transport mode.
475 * spi - zero to acquire spi. Not zero if spi is static, then
477 * proto - AH/ESP/IPCOMP
488 /* Mode: transport, tunnel etc. */
489 u8 mode; member
491 /* Sharing mode: unique, this session only, this user only etc. */
563 return read_pnet(&xp->xp_net); in xp_net()
579 u8 mode; member
630 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
653 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
657 * to transmit header information to the mode input/output functions.
685 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
699 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
794 refcount_inc(&policy->refcnt); in xfrm_pol_hold()
801 if (refcount_dec_and_test(&policy->refcnt)) in xfrm_pol_put()
808 for (i = npols - 1; i >= 0; --i) in xfrm_pols_put()
816 refcount_dec(&x->refcnt); in __xfrm_state_put()
821 if (refcount_dec_and_test(&x->refcnt)) in xfrm_state_put()
827 if (refcount_dec_and_test(&x->refcnt)) in xfrm_state_put_sync()
833 refcount_inc(&x->refcnt); in xfrm_state_hold()
854 mask = htonl((0xffffffff) << (32 - pbi)); in addr_match()
868 return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen))); in addr4_match()
875 switch(fl->flowi_proto) { in xfrm_flowi_sport()
880 port = uli->ports.sport; in xfrm_flowi_sport()
884 port = htons(uli->icmpt.type); in xfrm_flowi_sport()
887 port = htons(uli->mht.type); in xfrm_flowi_sport()
890 port = htons(ntohl(uli->gre_key) >> 16); in xfrm_flowi_sport()
902 switch(fl->flowi_proto) { in xfrm_flowi_dport()
907 port = uli->ports.dport; in xfrm_flowi_dport()
911 port = htons(uli->icmpt.code); in xfrm_flowi_dport()
914 port = htons(ntohl(uli->gre_key) & 0xffff); in xfrm_flowi_dport()
926 /* If neither has a context --> match
933 (s1->ctx_sid == s2->ctx_sid) && in xfrm_sec_ctx_match()
934 (s1->ctx_doi == s2->ctx_doi) && in xfrm_sec_ctx_match()
935 (s1->ctx_alg == s2->ctx_alg))); in xfrm_sec_ctx_match()
946 * xdst->child points to the next element of bundle.
947 * dst->xfrm points to an instance of transformer.
977 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { in xfrm_dst_path()
980 return xdst->path; in xfrm_dst_path()
989 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { in xfrm_dst_child()
991 return xdst->child; in xfrm_dst_child()
1000 xdst->child = child; in xfrm_dst_set_child()
1005 xfrm_pols_put(xdst->pols, xdst->num_pols); in xfrm_dst_destroy()
1006 dst_release(xdst->route); in xfrm_dst_destroy()
1007 if (likely(xdst->u.dst.xfrm)) in xfrm_dst_destroy()
1008 xfrm_state_put(xdst->u.dst.xfrm); in xfrm_dst_destroy()
1057 /* Used to keep whole l2 header for transport mode GRO */
1088 return addr->a4 == 0; in xfrm_addr_any()
1090 return ipv6_addr_any(&addr->in6); in xfrm_addr_any()
1098 return (tmpl->saddr.a4 && in __xfrm4_state_addr_cmp()
1099 tmpl->saddr.a4 != x->props.saddr.a4); in __xfrm4_state_addr_cmp()
1105 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) && in __xfrm6_state_addr_cmp()
1106 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr)); in __xfrm6_state_addr_cmp()
1126 return sp->xvec[sp->len - 1]; in xfrm_input_state()
1135 if (!sp || !sp->olen || sp->len != sp->olen) in xfrm_offload()
1138 return &sp->ovec[sp->olen - 1]; in xfrm_offload()
1151 if (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) in __xfrm_check_nopolicy()
1152 return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT; in __xfrm_check_nopolicy()
1164 return IPCB(skb)->flags & IPSKB_NOPOLICY; in __xfrm_check_dev_nopolicy()
1166 return skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY); in __xfrm_check_dev_nopolicy()
1173 struct net *net = dev_net(skb->dev); in __xfrm_policy_check2()
1178 if (sk && sk->sk_policy[XFRM_POLICY_IN]) in __xfrm_policy_check2()
1183 if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET) { in __xfrm_policy_check2()
1184 bool check = (xo->flags & CRYPTO_DONE) && in __xfrm_policy_check2()
1185 (xo->status & CRYPTO_SUCCESS); in __xfrm_policy_check2()
1250 struct net *net = dev_net(skb->dev); in xfrm_route_forward()
1252 if (!net->xfrm.policy_count[XFRM_POLICY_OUT] && in xfrm_route_forward()
1253 net->xfrm.policy_default[XFRM_POLICY_OUT] == XFRM_USERPOLICY_ACCEPT) in xfrm_route_forward()
1256 return (skb_dst(skb)->flags & DST_NOXFRM) || in xfrm_route_forward()
1276 sk->sk_policy[0] = NULL; in xfrm_sk_clone_policy()
1277 sk->sk_policy[1] = NULL; in xfrm_sk_clone_policy()
1278 if (unlikely(osk->sk_policy[0] || osk->sk_policy[1])) in xfrm_sk_clone_policy()
1289 pol = rcu_dereference_protected(sk->sk_policy[0], 1); in xfrm_sk_free_policy()
1292 sk->sk_policy[0] = NULL; in xfrm_sk_free_policy()
1294 pol = rcu_dereference_protected(sk->sk_policy[1], 1); in xfrm_sk_free_policy()
1297 sk->sk_policy[1] = NULL; in xfrm_sk_free_policy()
1323 return -ENOSYS; in xfrm_decode_session_reverse()
1342 return (xfrm_address_t *)&fl->u.ip4.daddr; in xfrm_flowi_daddr()
1344 return (xfrm_address_t *)&fl->u.ip6.daddr; in xfrm_flowi_daddr()
1354 return (xfrm_address_t *)&fl->u.ip4.saddr; in xfrm_flowi_saddr()
1356 return (xfrm_address_t *)&fl->u.ip6.saddr; in xfrm_flowi_saddr()
1368 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4)); in xfrm_flowi_addr_get()
1369 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4)); in xfrm_flowi_addr_get()
1372 saddr->in6 = fl->u.ip6.saddr; in xfrm_flowi_addr_get()
1373 daddr->in6 = fl->u.ip6.daddr; in xfrm_flowi_addr_get()
1382 if (daddr->a4 == x->id.daddr.a4 && in __xfrm4_state_addr_check()
1383 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4)) in __xfrm4_state_addr_check()
1392 if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) && in __xfrm6_state_addr_check()
1393 (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) || in __xfrm6_state_addr_check()
1395 ipv6_addr_any((struct in6_addr *)&x->props.saddr))) in __xfrm6_state_addr_check()
1421 (const xfrm_address_t *)&fl->u.ip4.daddr, in xfrm_state_addr_flow_check()
1422 (const xfrm_address_t *)&fl->u.ip4.saddr); in xfrm_state_addr_flow_check()
1425 (const xfrm_address_t *)&fl->u.ip6.daddr, in xfrm_state_addr_flow_check()
1426 (const xfrm_address_t *)&fl->u.ip6.saddr); in xfrm_state_addr_flow_check()
1433 return atomic_read(&x->tunnel_users); in xfrm_state_kern()
1596 u8 mode, u8 proto, u32 reqid);
1603 struct xfrm_dev_offload *xdo = &x->xso; in xfrm_dev_state_update_curlft()
1604 struct net_device *dev = READ_ONCE(xdo->dev); in xfrm_dev_state_update_curlft()
1606 if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET) in xfrm_dev_state_update_curlft()
1609 if (dev && dev->xfrmdev_ops && in xfrm_dev_state_update_curlft()
1610 dev->xfrmdev_ops->xdo_dev_state_update_curlft) in xfrm_dev_state_update_curlft()
1611 dev->xfrmdev_ops->xdo_dev_state_update_curlft(x); in xfrm_dev_state_update_curlft()
1700 XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL; in xfrm4_rcv_spi()
1701 XFRM_SPI_SKB_CB(skb)->family = AF_INET; in xfrm4_rcv_spi()
1702 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); in xfrm4_rcv_spi()
1741 return -ENOPROTOOPT; in xfrm_user_policy()
1772 u8 mode, u32 reqid, u32 if_id, u8 proto,
1831 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0; in xfrm_addr_equal()
1855 nlsk = rcu_dereference(net->xfrm.nlsk); in xfrm_aevent_is_on()
1868 nlsk = rcu_dereference(net->xfrm.nlsk); in xfrm_acquire_is_on()
1879 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); in aead_len()
1884 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); in xfrm_alg_len()
1889 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); in xfrm_alg_auth_len()
1894 return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32); in xfrm_replay_state_esn_len()
1902 x->replay_esn = kmemdup(orig->replay_esn, in xfrm_replay_clone()
1903 xfrm_replay_state_esn_len(orig->replay_esn), in xfrm_replay_clone()
1905 if (!x->replay_esn) in xfrm_replay_clone()
1906 return -ENOMEM; in xfrm_replay_clone()
1907 x->preplay_esn = kmemdup(orig->preplay_esn, in xfrm_replay_clone()
1908 xfrm_replay_state_esn_len(orig->preplay_esn), in xfrm_replay_clone()
1910 if (!x->preplay_esn) in xfrm_replay_clone()
1911 return -ENOMEM; in xfrm_replay_clone()
1965 struct xfrm_dev_offload *xso = &x->xso; in xfrm_dev_state_advance_esn()
1966 struct net_device *dev = READ_ONCE(xso->dev); in xfrm_dev_state_advance_esn()
1968 if (dev && dev->xfrmdev_ops->xdo_dev_state_advance_esn) in xfrm_dev_state_advance_esn()
1969 dev->xfrmdev_ops->xdo_dev_state_advance_esn(x); in xfrm_dev_state_advance_esn()
1974 struct xfrm_state *x = dst->xfrm; in xfrm_dst_offload_ok()
1977 if (!x || !x->type_offload) in xfrm_dst_offload_ok()
1981 if (!x->xso.offload_handle && !xdst->child->xfrm) in xfrm_dst_offload_ok()
1983 if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) && in xfrm_dst_offload_ok()
1984 !xdst->child->xfrm) in xfrm_dst_offload_ok()
1992 struct xfrm_dev_offload *xdo = &x->xdo; in xfrm_dev_policy_delete()
1993 struct net_device *dev = xdo->dev; in xfrm_dev_policy_delete()
1995 if (dev && dev->xfrmdev_ops && dev->xfrmdev_ops->xdo_dev_policy_delete) in xfrm_dev_policy_delete()
1996 dev->xfrmdev_ops->xdo_dev_policy_delete(x); in xfrm_dev_policy_delete()
2001 struct xfrm_dev_offload *xdo = &x->xdo; in xfrm_dev_policy_free()
2002 struct net_device *dev = xdo->dev; in xfrm_dev_policy_free()
2004 if (dev && dev->xfrmdev_ops) { in xfrm_dev_policy_free()
2005 if (dev->xfrmdev_ops->xdo_dev_policy_free) in xfrm_dev_policy_free()
2006 dev->xfrmdev_ops->xdo_dev_policy_free(x); in xfrm_dev_policy_free()
2007 xdo->dev = NULL; in xfrm_dev_policy_free()
2008 netdev_put(dev, &xdo->dev_tracker); in xfrm_dev_policy_free()
2073 m->v = m->m = 0; in xfrm_mark_get()
2075 return m->v & m->m; in xfrm_mark_get()
2082 if (m->m | m->v) in xfrm_mark_put()
2089 struct xfrm_mark *m = &x->props.smark; in xfrm_smark_get()
2091 return (m->v & m->m) | (mark & ~m->m); in xfrm_smark_get()
2110 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4) in xfrm_tunnel_check()
2114 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6) in xfrm_tunnel_check()
2118 if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL)) in xfrm_tunnel_check()
2119 return -EINVAL; in xfrm_tunnel_check()
2131 /* Allocate nlmsg with 64-bit translation of received 32-bit message */
2136 /* Translate 32-bit user_policy from sockptr */
2162 if (!sk || sk->sk_family != AF_INET6) in xfrm6_local_dontfrag()
2165 proto = sk->sk_protocol; in xfrm6_local_dontfrag()
2167 return inet6_sk(sk)->dontfrag; in xfrm6_local_dontfrag()