1 /* SPDX-License-Identifier: GPL-2.0 */
46 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
48 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
50 MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto))
53 #define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
60 ------------------------------------
63 - policy rule, struct xfrm_policy (=SPD entry)
64 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
65 - instance of a transformer, struct xfrm_state (=SA)
66 - template to clone xfrm_state, struct xfrm_tmpl
75 If "action" is "block", then we prohibit the flow, otherwise:
79 to a complete xfrm_state (see below) and we pack bundle of transformations
82 dst -. xfrm .-> xfrm_state #1
83 |---. child .-> dst -. xfrm .-> xfrm_state #2
84 |---. child .-> dst -. xfrm .-> xfrm_state #3
85 |---. child .-> NULL
87 Bundles are cached in the xfrm_policy struct (field ->bundles).
91 -----------------------
93 1. ->mode Mode: transport or tunnel
94 2. ->id.proto Protocol: AH/ESP/IPCOMP
95 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
97 4. ->id.spi If not zero, static SPI.
98 5. ->saddr Local tunnel endpoint, ignored for transport mode.
99 6. ->algos List of allowed algos. Plain bitmask now.
101 7. ->share Sharing mode.
102 Q: how to implement private sharing mode? To add struct sock* to
106 with appropriate mode/proto/algo, permitted by selector.
117 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
200 u8 mode; member
230 /* Data for care-of address */
247 /* replay detection mode */
269 /* used to fix curlft->add_time when changing date */
296 return read_pnet(&x->xs_net); in xs_net()
299 /* xflags - make enum if more show up */
458 if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) || in xfrm_ip2inner_mode()
459 (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6)) in xfrm_ip2inner_mode()
460 return &x->inner_mode; in xfrm_ip2inner_mode()
462 return &x->inner_mode_iaf; in xfrm_ip2inner_mode()
467 * daddr - destination of tunnel, may be zero for transport mode.
468 * spi - zero to acquire spi. Not zero if spi is static, then
470 * proto - AH/ESP/IPCOMP
481 /* Mode: transport, tunnel etc. */
482 u8 mode; member
484 /* Sharing mode: unique, this session only, this user only etc. */
556 return read_pnet(&xp->xp_net); in xp_net()
572 u8 mode; member
623 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
646 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
650 * to transmit header information to the mode input/output functions.
678 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
692 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
787 refcount_inc(&policy->refcnt); in xfrm_pol_hold()
794 if (refcount_dec_and_test(&policy->refcnt)) in xfrm_pol_put()
801 for (i = npols - 1; i >= 0; --i) in xfrm_pols_put()
809 refcount_dec(&x->refcnt); in __xfrm_state_put()
814 if (refcount_dec_and_test(&x->refcnt)) in xfrm_state_put()
820 if (refcount_dec_and_test(&x->refcnt)) in xfrm_state_put_sync()
826 refcount_inc(&x->refcnt); in xfrm_state_hold()
847 mask = htonl((0xffffffff) << (32 - pbi)); in addr_match()
861 return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen))); in addr4_match()
868 switch(fl->flowi_proto) { in xfrm_flowi_sport()
873 port = uli->ports.sport; in xfrm_flowi_sport()
877 port = htons(uli->icmpt.type); in xfrm_flowi_sport()
880 port = htons(uli->mht.type); in xfrm_flowi_sport()
883 port = htons(ntohl(uli->gre_key) >> 16); in xfrm_flowi_sport()
895 switch(fl->flowi_proto) { in xfrm_flowi_dport()
900 port = uli->ports.dport; in xfrm_flowi_dport()
904 port = htons(uli->icmpt.code); in xfrm_flowi_dport()
907 port = htons(ntohl(uli->gre_key) & 0xffff); in xfrm_flowi_dport()
919 /* If neither has a context --> match
926 (s1->ctx_sid == s2->ctx_sid) && in xfrm_sec_ctx_match()
927 (s1->ctx_doi == s2->ctx_doi) && in xfrm_sec_ctx_match()
928 (s1->ctx_alg == s2->ctx_alg))); in xfrm_sec_ctx_match()
939 * xdst->child points to the next element of bundle.
940 * dst->xfrm points to an instance of the transformer.
970 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { in xfrm_dst_path()
973 return xdst->path; in xfrm_dst_path()
982 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { in xfrm_dst_child()
984 return xdst->child; in xfrm_dst_child()
993 xdst->child = child; in xfrm_dst_set_child()
998 xfrm_pols_put(xdst->pols, xdst->num_pols); in xfrm_dst_destroy()
999 dst_release(xdst->route); in xfrm_dst_destroy()
1000 if (likely(xdst->u.dst.xfrm)) in xfrm_dst_destroy()
1001 xfrm_state_put(xdst->u.dst.xfrm); in xfrm_dst_destroy()
1078 return addr->a4 == 0; in xfrm_addr_any()
1080 return ipv6_addr_any(&addr->in6); in xfrm_addr_any()
1088 return (tmpl->saddr.a4 && in __xfrm4_state_addr_cmp()
1089 tmpl->saddr.a4 != x->props.saddr.a4); in __xfrm4_state_addr_cmp()
1095 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) && in __xfrm6_state_addr_cmp()
1096 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr)); in __xfrm6_state_addr_cmp()
1116 return sp->xvec[sp->len - 1]; in xfrm_input_state()
1125 if (!sp || !sp->olen || sp->len != sp->olen) in xfrm_offload()
1128 return &sp->ovec[sp->olen - 1]; in xfrm_offload()
1141 if (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) in __xfrm_check_nopolicy()
1142 return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT; in __xfrm_check_nopolicy()
1154 return IPCB(skb)->flags & IPSKB_NOPOLICY; in __xfrm_check_dev_nopolicy()
1156 return skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY); in __xfrm_check_dev_nopolicy()
1163 struct net *net = dev_net(skb->dev); in __xfrm_policy_check2()
1168 if (sk && sk->sk_policy[XFRM_POLICY_IN]) in __xfrm_policy_check2()
1173 if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET) in __xfrm_policy_check2()
1174 return (xo->flags & CRYPTO_DONE) && in __xfrm_policy_check2()
1175 (xo->status & CRYPTO_SUCCESS); in __xfrm_policy_check2()
1230 struct net *net = dev_net(skb->dev); in xfrm_route_forward()
1232 if (!net->xfrm.policy_count[XFRM_POLICY_OUT] && in xfrm_route_forward()
1233 net->xfrm.policy_default[XFRM_POLICY_OUT] == XFRM_USERPOLICY_ACCEPT) in xfrm_route_forward()
1236 return (skb_dst(skb)->flags & DST_NOXFRM) || in xfrm_route_forward()
1256 sk->sk_policy[0] = NULL; in xfrm_sk_clone_policy()
1257 sk->sk_policy[1] = NULL; in xfrm_sk_clone_policy()
1258 if (unlikely(osk->sk_policy[0] || osk->sk_policy[1])) in xfrm_sk_clone_policy()
1269 pol = rcu_dereference_protected(sk->sk_policy[0], 1); in xfrm_sk_free_policy()
1272 sk->sk_policy[0] = NULL; in xfrm_sk_free_policy()
1274 pol = rcu_dereference_protected(sk->sk_policy[1], 1); in xfrm_sk_free_policy()
1277 sk->sk_policy[1] = NULL; in xfrm_sk_free_policy()
1303 return -ENOSYS; in xfrm_decode_session_reverse()
1322 return (xfrm_address_t *)&fl->u.ip4.daddr; in xfrm_flowi_daddr()
1324 return (xfrm_address_t *)&fl->u.ip6.daddr; in xfrm_flowi_daddr()
1334 return (xfrm_address_t *)&fl->u.ip4.saddr; in xfrm_flowi_saddr()
1336 return (xfrm_address_t *)&fl->u.ip6.saddr; in xfrm_flowi_saddr()
1348 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4)); in xfrm_flowi_addr_get()
1349 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4)); in xfrm_flowi_addr_get()
1352 saddr->in6 = fl->u.ip6.saddr; in xfrm_flowi_addr_get()
1353 daddr->in6 = fl->u.ip6.daddr; in xfrm_flowi_addr_get()
1362 if (daddr->a4 == x->id.daddr.a4 && in __xfrm4_state_addr_check()
1363 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4)) in __xfrm4_state_addr_check()
1372 if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) && in __xfrm6_state_addr_check()
1373 (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) || in __xfrm6_state_addr_check()
1375 ipv6_addr_any((struct in6_addr *)&x->props.saddr))) in __xfrm6_state_addr_check()
1401 (const xfrm_address_t *)&fl->u.ip4.daddr, in xfrm_state_addr_flow_check()
1402 (const xfrm_address_t *)&fl->u.ip4.saddr); in xfrm_state_addr_flow_check()
1405 (const xfrm_address_t *)&fl->u.ip6.daddr, in xfrm_state_addr_flow_check()
1406 (const xfrm_address_t *)&fl->u.ip6.saddr); in xfrm_state_addr_flow_check()
1413 return atomic_read(&x->tunnel_users); in xfrm_state_kern()
1576 u8 mode, u8 proto, u32 reqid);
1583 struct xfrm_dev_offload *xdo = &x->xso; in xfrm_dev_state_update_curlft()
1584 struct net_device *dev = xdo->dev; in xfrm_dev_state_update_curlft()
1586 if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET) in xfrm_dev_state_update_curlft()
1589 if (dev && dev->xfrmdev_ops && in xfrm_dev_state_update_curlft()
1590 dev->xfrmdev_ops->xdo_dev_state_update_curlft) in xfrm_dev_state_update_curlft()
1591 dev->xfrmdev_ops->xdo_dev_state_update_curlft(x); in xfrm_dev_state_update_curlft()
1680 XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL; in xfrm4_rcv_spi()
1681 XFRM_SPI_SKB_CB(skb)->family = AF_INET; in xfrm4_rcv_spi()
1682 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); in xfrm4_rcv_spi()
1721 return -ENOPROTOOPT; in xfrm_user_policy()
1755 u8 mode, u32 reqid, u32 if_id, u8 proto,
1814 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0; in xfrm_addr_equal()
1838 nlsk = rcu_dereference(net->xfrm.nlsk); in xfrm_aevent_is_on()
1851 nlsk = rcu_dereference(net->xfrm.nlsk); in xfrm_acquire_is_on()
1862 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); in aead_len()
1867 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); in xfrm_alg_len()
1872 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); in xfrm_alg_auth_len()
1877 return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32); in xfrm_replay_state_esn_len()
1885 x->replay_esn = kmemdup(orig->replay_esn, in xfrm_replay_clone()
1886 xfrm_replay_state_esn_len(orig->replay_esn), in xfrm_replay_clone()
1888 if (!x->replay_esn) in xfrm_replay_clone()
1889 return -ENOMEM; in xfrm_replay_clone()
1890 x->preplay_esn = kmemdup(orig->preplay_esn, in xfrm_replay_clone()
1891 xfrm_replay_state_esn_len(orig->preplay_esn), in xfrm_replay_clone()
1893 if (!x->preplay_esn) in xfrm_replay_clone()
1894 return -ENOMEM; in xfrm_replay_clone()
1946 struct xfrm_dev_offload *xso = &x->xso; in xfrm_dev_state_advance_esn()
1948 if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn) in xfrm_dev_state_advance_esn()
1949 xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x); in xfrm_dev_state_advance_esn()
1954 struct xfrm_state *x = dst->xfrm; in xfrm_dst_offload_ok()
1957 if (!x || !x->type_offload) in xfrm_dst_offload_ok()
1961 if (!x->xso.offload_handle && !xdst->child->xfrm) in xfrm_dst_offload_ok()
1963 if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) && in xfrm_dst_offload_ok()
1964 !xdst->child->xfrm) in xfrm_dst_offload_ok()
1972 struct xfrm_dev_offload *xso = &x->xso; in xfrm_dev_state_delete()
1974 if (xso->dev) in xfrm_dev_state_delete()
1975 xso->dev->xfrmdev_ops->xdo_dev_state_delete(x); in xfrm_dev_state_delete()
1980 struct xfrm_dev_offload *xso = &x->xso; in xfrm_dev_state_free()
1981 struct net_device *dev = xso->dev; in xfrm_dev_state_free()
1983 if (dev && dev->xfrmdev_ops) { in xfrm_dev_state_free()
1984 if (dev->xfrmdev_ops->xdo_dev_state_free) in xfrm_dev_state_free()
1985 dev->xfrmdev_ops->xdo_dev_state_free(x); in xfrm_dev_state_free()
1986 xso->dev = NULL; in xfrm_dev_state_free()
1987 xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED; in xfrm_dev_state_free()
1988 netdev_put(dev, &xso->dev_tracker); in xfrm_dev_state_free()
1994 struct xfrm_dev_offload *xdo = &x->xdo; in xfrm_dev_policy_delete()
1995 struct net_device *dev = xdo->dev; in xfrm_dev_policy_delete()
1997 if (dev && dev->xfrmdev_ops && dev->xfrmdev_ops->xdo_dev_policy_delete) in xfrm_dev_policy_delete()
1998 dev->xfrmdev_ops->xdo_dev_policy_delete(x); in xfrm_dev_policy_delete()
2003 struct xfrm_dev_offload *xdo = &x->xdo; in xfrm_dev_policy_free()
2004 struct net_device *dev = xdo->dev; in xfrm_dev_policy_free()
2006 if (dev && dev->xfrmdev_ops) { in xfrm_dev_policy_free()
2007 if (dev->xfrmdev_ops->xdo_dev_policy_free) in xfrm_dev_policy_free()
2008 dev->xfrmdev_ops->xdo_dev_policy_free(x); in xfrm_dev_policy_free()
2009 xdo->dev = NULL; in xfrm_dev_policy_free()
2010 netdev_put(dev, &xdo->dev_tracker); in xfrm_dev_policy_free()
2075 m->v = m->m = 0; in xfrm_mark_get()
2077 return m->v & m->m; in xfrm_mark_get()
2084 if (m->m | m->v) in xfrm_mark_put()
2091 struct xfrm_mark *m = &x->props.smark; in xfrm_smark_get()
2093 return (m->v & m->m) | (mark & ~m->m); in xfrm_smark_get()
2112 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4) in xfrm_tunnel_check()
2116 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6) in xfrm_tunnel_check()
2120 if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL)) in xfrm_tunnel_check()
2121 return -EINVAL; in xfrm_tunnel_check()
2133 /* Allocate nlmsg with 64-bit translation of received 32-bit message */
2138 /* Translate 32-bit user_policy from sockptr */
2164 if (!sk || sk->sk_family != AF_INET6) in xfrm6_local_dontfrag()
2167 proto = sk->sk_protocol; in xfrm6_local_dontfrag()
2169 return inet6_sk(sk)->dontfrag; in xfrm6_local_dontfrag()