6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * Kazunori MIYAZAWA @USAGI
11 * Split up af-specific portion
12 * Derek Atkins <derek@ihtfp.com> Add the post_input processor
16 #include <linux/config.h>
17 #include <linux/slab.h>
18 #include <linux/kmod.h>
19 #include <linux/list.h>
20 #include <linux/spinlock.h>
21 #include <linux/workqueue.h>
25 DECLARE_MUTEX(xfrm_cfg_sem);
27 static rwlock_t xfrm_policy_lock = RW_LOCK_UNLOCKED;
29 struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2];
31 static rwlock_t xfrm_policy_afinfo_lock = RW_LOCK_UNLOCKED;
32 static struct xfrm_policy_afinfo *xfrm_policy_afinfo[NPROTO];
34 kmem_cache_t *xfrm_dst_cache;
36 static struct work_struct xfrm_policy_gc_work;
37 static struct list_head xfrm_policy_gc_list =
38 LIST_HEAD_INIT(xfrm_policy_gc_list);
39 static spinlock_t xfrm_policy_gc_lock = SPIN_LOCK_UNLOCKED;
41 int xfrm_register_type(struct xfrm_type *type, unsigned short family)
43 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
44 struct xfrm_type_map *typemap;
47 if (unlikely(afinfo == NULL))
49 typemap = afinfo->type_map;
51 write_lock(&typemap->lock);
52 if (likely(typemap->map[type->proto] == NULL))
53 typemap->map[type->proto] = type;
56 write_unlock(&typemap->lock);
57 xfrm_policy_put_afinfo(afinfo);
61 int xfrm_unregister_type(struct xfrm_type *type, unsigned short family)
63 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
64 struct xfrm_type_map *typemap;
67 if (unlikely(afinfo == NULL))
69 typemap = afinfo->type_map;
71 write_lock(&typemap->lock);
72 if (unlikely(typemap->map[type->proto] != type))
75 typemap->map[type->proto] = NULL;
76 write_unlock(&typemap->lock);
77 xfrm_policy_put_afinfo(afinfo);
81 struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
83 struct xfrm_policy_afinfo *afinfo;
84 struct xfrm_type_map *typemap;
85 struct xfrm_type *type;
86 int modload_attempted = 0;
89 afinfo = xfrm_policy_get_afinfo(family);
90 if (unlikely(afinfo == NULL))
92 typemap = afinfo->type_map;
94 read_lock(&typemap->lock);
95 type = typemap->map[proto];
96 if (unlikely(type && !try_module_get(type->owner)))
98 read_unlock(&typemap->lock);
99 if (!type && !modload_attempted) {
100 xfrm_policy_put_afinfo(afinfo);
101 request_module("xfrm-type-%d-%d",
102 (int) family, (int) proto);
103 modload_attempted = 1;
107 xfrm_policy_put_afinfo(afinfo);
111 int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl,
112 unsigned short family)
114 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
117 if (unlikely(afinfo == NULL))
118 return -EAFNOSUPPORT;
120 if (likely(afinfo->dst_lookup != NULL))
121 err = afinfo->dst_lookup(dst, fl);
124 xfrm_policy_put_afinfo(afinfo);
128 void xfrm_put_type(struct xfrm_type *type)
130 module_put(type->owner);
133 static inline unsigned long make_jiffies(long secs)
135 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
136 return MAX_SCHEDULE_TIMEOUT-1;
141 static void xfrm_policy_timer(unsigned long data)
143 struct xfrm_policy *xp = (struct xfrm_policy*)data;
144 unsigned long now = (unsigned long)xtime.tv_sec;
145 long next = LONG_MAX;
154 if (xp->lft.hard_add_expires_seconds) {
155 long tmo = xp->lft.hard_add_expires_seconds +
156 xp->curlft.add_time - now;
162 if (xp->lft.hard_use_expires_seconds) {
163 long tmo = xp->lft.hard_use_expires_seconds +
164 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
170 if (xp->lft.soft_add_expires_seconds) {
171 long tmo = xp->lft.soft_add_expires_seconds +
172 xp->curlft.add_time - now;
175 tmo = XFRM_KM_TIMEOUT;
180 if (xp->lft.soft_use_expires_seconds) {
181 long tmo = xp->lft.soft_use_expires_seconds +
182 (xp->curlft.use_time ? : xp->curlft.add_time) - now;
185 tmo = XFRM_KM_TIMEOUT;
192 km_policy_expired(xp, dir, 0);
193 if (next != LONG_MAX &&
194 !mod_timer(&xp->timer, jiffies + make_jiffies(next)))
202 km_policy_expired(xp, dir, 1);
203 xfrm_policy_delete(xp, dir);
208 /* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
212 struct xfrm_policy *xfrm_policy_alloc(int gfp)
214 struct xfrm_policy *policy;
216 policy = kmalloc(sizeof(struct xfrm_policy), gfp);
219 memset(policy, 0, sizeof(struct xfrm_policy));
220 atomic_set(&policy->refcnt, 1);
221 policy->lock = RW_LOCK_UNLOCKED;
222 init_timer(&policy->timer);
223 policy->timer.data = (unsigned long)policy;
224 policy->timer.function = xfrm_policy_timer;
229 /* Destroy xfrm_policy: descendant resources must be released to this moment. */
231 void __xfrm_policy_destroy(struct xfrm_policy *policy)
239 if (del_timer(&policy->timer))
245 static void xfrm_policy_gc_kill(struct xfrm_policy *policy)
247 struct dst_entry *dst;
249 while ((dst = policy->bundles) != NULL) {
250 policy->bundles = dst->next;
254 if (del_timer(&policy->timer))
255 atomic_dec(&policy->refcnt);
257 if (atomic_read(&policy->refcnt) > 1)
260 xfrm_pol_put(policy);
263 static void xfrm_policy_gc_task(void *data)
265 struct xfrm_policy *policy;
266 struct list_head *entry, *tmp;
267 struct list_head gc_list = LIST_HEAD_INIT(gc_list);
269 spin_lock_bh(&xfrm_policy_gc_lock);
270 list_splice_init(&xfrm_policy_gc_list, &gc_list);
271 spin_unlock_bh(&xfrm_policy_gc_lock);
273 list_for_each_safe(entry, tmp, &gc_list) {
274 policy = list_entry(entry, struct xfrm_policy, list);
275 xfrm_policy_gc_kill(policy);
279 /* Rule must be locked. Release descentant resources, announce
280 * entry dead. The rule must be unlinked from lists to the moment.
283 void xfrm_policy_kill(struct xfrm_policy *policy)
285 write_lock_bh(&policy->lock);
291 spin_lock(&xfrm_policy_gc_lock);
292 list_add(&policy->list, &xfrm_policy_gc_list);
293 spin_unlock(&xfrm_policy_gc_lock);
294 schedule_work(&xfrm_policy_gc_work);
297 write_unlock_bh(&policy->lock);
300 /* Generate new index... KAME seems to generate them ordered by cost
301 * of an absolute inpredictability of ordering of rules. This will not pass. */
302 static u32 xfrm_gen_index(int dir)
305 struct xfrm_policy *p;
306 static u32 idx_generator;
309 idx = (idx_generator | dir);
313 for (p = xfrm_policy_list[dir]; p; p = p->next) {
322 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
324 struct xfrm_policy *pol, **p;
325 struct xfrm_policy *delpol = NULL;
326 struct xfrm_policy **newpos = NULL;
328 write_lock_bh(&xfrm_policy_lock);
329 for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL; p = &pol->next) {
330 if (!delpol && memcmp(&policy->selector, &pol->selector, sizeof(pol->selector)) == 0) {
332 write_unlock_bh(&xfrm_policy_lock);
337 if (policy->priority > pol->priority)
339 } else if (policy->priority >= pol->priority)
348 xfrm_pol_hold(policy);
351 atomic_inc(&flow_cache_genid);
352 policy->index = delpol ? delpol->index : xfrm_gen_index(dir);
353 policy->curlft.add_time = (unsigned long)xtime.tv_sec;
354 policy->curlft.use_time = 0;
355 if (!mod_timer(&policy->timer, jiffies + HZ))
356 xfrm_pol_hold(policy);
357 write_unlock_bh(&xfrm_policy_lock);
360 xfrm_policy_kill(delpol);
365 struct xfrm_policy *xfrm_policy_bysel(int dir, struct xfrm_selector *sel,
368 struct xfrm_policy *pol, **p;
370 write_lock_bh(&xfrm_policy_lock);
371 for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL; p = &pol->next) {
372 if (memcmp(sel, &pol->selector, sizeof(*sel)) == 0) {
379 write_unlock_bh(&xfrm_policy_lock);
382 atomic_inc(&flow_cache_genid);
383 xfrm_policy_kill(pol);
388 struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete)
390 struct xfrm_policy *pol, **p;
392 write_lock_bh(&xfrm_policy_lock);
393 for (p = &xfrm_policy_list[id & 7]; (pol=*p)!=NULL; p = &pol->next) {
394 if (pol->index == id) {
401 write_unlock_bh(&xfrm_policy_lock);
404 atomic_inc(&flow_cache_genid);
405 xfrm_policy_kill(pol);
410 void xfrm_policy_flush(void)
412 struct xfrm_policy *xp;
415 write_lock_bh(&xfrm_policy_lock);
416 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
417 while ((xp = xfrm_policy_list[dir]) != NULL) {
418 xfrm_policy_list[dir] = xp->next;
419 write_unlock_bh(&xfrm_policy_lock);
421 xfrm_policy_kill(xp);
423 write_lock_bh(&xfrm_policy_lock);
426 atomic_inc(&flow_cache_genid);
427 write_unlock_bh(&xfrm_policy_lock);
430 int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*),
433 struct xfrm_policy *xp;
438 read_lock_bh(&xfrm_policy_lock);
439 for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
440 for (xp = xfrm_policy_list[dir]; xp; xp = xp->next)
449 for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
450 for (xp = xfrm_policy_list[dir]; xp; xp = xp->next) {
451 error = func(xp, dir%XFRM_POLICY_MAX, --count, data);
458 read_unlock_bh(&xfrm_policy_lock);
463 /* Find policy to apply to this flow. */
465 static void xfrm_policy_lookup(struct flowi *fl, u16 family, u8 dir,
466 void **objp, atomic_t **obj_refp)
468 struct xfrm_policy *pol;
470 read_lock_bh(&xfrm_policy_lock);
471 for (pol = xfrm_policy_list[dir]; pol; pol = pol->next) {
472 struct xfrm_selector *sel = &pol->selector;
475 if (pol->family != family)
478 match = xfrm_selector_match(sel, fl, family);
484 read_unlock_bh(&xfrm_policy_lock);
485 if ((*objp = (void *) pol) != NULL)
486 *obj_refp = &pol->refcnt;
489 struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl)
491 struct xfrm_policy *pol;
493 read_lock_bh(&xfrm_policy_lock);
494 if ((pol = sk->sk_policy[dir]) != NULL) {
495 int match = xfrm_selector_match(&pol->selector, fl,
502 read_unlock_bh(&xfrm_policy_lock);
506 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
508 pol->next = xfrm_policy_list[dir];
509 xfrm_policy_list[dir] = pol;
513 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
516 struct xfrm_policy **polp;
518 for (polp = &xfrm_policy_list[dir];
519 *polp != NULL; polp = &(*polp)->next) {
522 atomic_dec(&pol->refcnt);
529 void xfrm_policy_delete(struct xfrm_policy *pol, int dir)
531 write_lock_bh(&xfrm_policy_lock);
532 pol = __xfrm_policy_unlink(pol, dir);
533 write_unlock_bh(&xfrm_policy_lock);
535 xfrm_policy_kill(pol);
538 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
540 struct xfrm_policy *old_pol;
542 write_lock_bh(&xfrm_policy_lock);
543 old_pol = sk->sk_policy[dir];
544 sk->sk_policy[dir] = pol;
546 pol->curlft.add_time = (unsigned long)xtime.tv_sec;
547 pol->index = xfrm_gen_index(XFRM_POLICY_MAX+dir);
548 __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir);
551 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
552 write_unlock_bh(&xfrm_policy_lock);
555 xfrm_policy_kill(old_pol);
560 static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir)
562 struct xfrm_policy *newp = xfrm_policy_alloc(GFP_ATOMIC);
565 newp->selector = old->selector;
566 newp->lft = old->lft;
567 newp->curlft = old->curlft;
568 newp->action = old->action;
569 newp->flags = old->flags;
570 newp->xfrm_nr = old->xfrm_nr;
571 newp->index = old->index;
572 memcpy(newp->xfrm_vec, old->xfrm_vec,
573 newp->xfrm_nr*sizeof(struct xfrm_tmpl));
574 write_lock_bh(&xfrm_policy_lock);
575 __xfrm_policy_link(newp, XFRM_POLICY_MAX+dir);
576 write_unlock_bh(&xfrm_policy_lock);
581 int __xfrm_sk_clone_policy(struct sock *sk)
583 struct xfrm_policy *p0 = sk->sk_policy[0],
584 *p1 = sk->sk_policy[1];
586 sk->sk_policy[0] = sk->sk_policy[1] = NULL;
587 if (p0 && (sk->sk_policy[0] = clone_policy(p0, 0)) == NULL)
589 if (p1 && (sk->sk_policy[1] = clone_policy(p1, 1)) == NULL)
594 /* Resolve list of templates for the flow, given policy. */
597 xfrm_tmpl_resolve(struct xfrm_policy *policy, struct flowi *fl,
598 struct xfrm_state **xfrm,
599 unsigned short family)
603 xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
604 xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
606 for (nx=0, i = 0; i < policy->xfrm_nr; i++) {
607 struct xfrm_state *x;
608 xfrm_address_t *remote = daddr;
609 xfrm_address_t *local = saddr;
610 struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
613 remote = &tmpl->id.daddr;
614 local = &tmpl->saddr;
617 x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
619 if (x && x->km.state == XFRM_STATE_VALID) {
626 error = (x->km.state == XFRM_STATE_ERROR ?
637 for (nx--; nx>=0; nx--)
638 xfrm_state_put(xfrm[nx]);
642 /* Check that the bundle accepts the flow and its components are
646 static struct dst_entry *
647 xfrm_find_bundle(struct flowi *fl, struct rtable *rt, struct xfrm_policy *policy, unsigned short family)
650 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
651 if (unlikely(afinfo == NULL))
652 return ERR_PTR(-EINVAL);
653 x = afinfo->find_bundle(fl, rt, policy);
654 xfrm_policy_put_afinfo(afinfo);
658 /* Allocate chain of dst_entry's, attach known xfrm's, calculate
659 * all the metrics... Shortly, bundle a bundle.
663 xfrm_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int nx,
664 struct flowi *fl, struct dst_entry **dst_p,
665 unsigned short family)
668 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
669 if (unlikely(afinfo == NULL))
671 err = afinfo->bundle_create(policy, xfrm, nx, fl, dst_p);
672 xfrm_policy_put_afinfo(afinfo);
676 static inline int policy_to_flow_dir(int dir)
678 if (XFRM_POLICY_IN == FLOW_DIR_IN &&
679 XFRM_POLICY_OUT == FLOW_DIR_OUT &&
680 XFRM_POLICY_FWD == FLOW_DIR_FWD)
686 case XFRM_POLICY_OUT:
688 case XFRM_POLICY_FWD:
693 /* Main function: finds/creates a bundle for given flow.
695 * At the moment we eat a raw IP route. Mostly to speed up lookups
696 * on interfaces with disabled IPsec.
698 int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
699 struct sock *sk, int flags)
701 struct xfrm_policy *policy;
702 struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
703 struct rtable *rt = (struct rtable*)*dst_p;
704 struct dst_entry *dst;
708 u16 family = (*dst_p)->ops->family;
713 fl->fl4_src = rt->rt_src;
715 fl->fl4_dst = rt->rt_dst;
717 /* Still not clear... */
723 genid = atomic_read(&flow_cache_genid);
725 if (sk && sk->sk_policy[1])
726 policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
729 /* To accelerate a bit... */
730 if ((rt->u.dst.flags & DST_NOXFRM) || !xfrm_policy_list[XFRM_POLICY_OUT])
733 policy = flow_cache_lookup(fl, family,
734 policy_to_flow_dir(XFRM_POLICY_OUT),
741 policy->curlft.use_time = (unsigned long)xtime.tv_sec;
743 switch (policy->action) {
744 case XFRM_POLICY_BLOCK:
745 /* Prohibit the flow */
746 xfrm_pol_put(policy);
749 case XFRM_POLICY_ALLOW:
750 if (policy->xfrm_nr == 0) {
751 /* Flow passes not transformed. */
752 xfrm_pol_put(policy);
756 /* Try to find matching bundle.
758 * LATER: help from flow cache. It is optional, this
759 * is required only for output policy.
761 dst = xfrm_find_bundle(fl, rt, policy, family);
763 xfrm_pol_put(policy);
770 nx = xfrm_tmpl_resolve(policy, fl, xfrm, family);
772 if (unlikely(nx<0)) {
774 if (err == -EAGAIN) {
775 struct task_struct *tsk = current;
776 DECLARE_WAITQUEUE(wait, tsk);
780 __set_task_state(tsk, TASK_INTERRUPTIBLE);
781 add_wait_queue(&km_waitq, &wait);
782 err = xfrm_tmpl_resolve(policy, fl, xfrm, family);
785 __set_task_state(tsk, TASK_RUNNING);
786 remove_wait_queue(&km_waitq, &wait);
788 if (err == -EAGAIN && signal_pending(current)) {
792 if (err == -EAGAIN ||
793 genid != atomic_read(&flow_cache_genid)) {
794 xfrm_pol_put(policy);
800 } else if (nx == 0) {
801 /* Flow passes not transformed. */
802 xfrm_pol_put(policy);
807 err = xfrm_bundle_create(policy, xfrm, nx, fl, &dst, family);
812 xfrm_state_put(xfrm[i]);
816 write_lock_bh(&policy->lock);
817 if (unlikely(policy->dead)) {
818 /* Wow! While we worked on resolving, this
819 * policy has gone. Retry. It is not paranoia,
820 * we just cannot enlist new bundle to dead object.
822 write_unlock_bh(&policy->lock);
824 xfrm_pol_put(policy);
829 dst->next = policy->bundles;
830 policy->bundles = dst;
832 write_unlock_bh(&policy->lock);
836 xfrm_pol_put(policy);
841 xfrm_pol_put(policy);
846 /* When skb is transformed back to its "native" form, we have to
847 * check policy restrictions. At the moment we make this in maximally
848 * stupid way. Shame on me. :-) Of course, connected sockets must
849 * have policy cached at them.
853 xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
854 unsigned short family)
856 return x->id.proto == tmpl->id.proto &&
857 (x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
858 (x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
859 x->props.mode == tmpl->mode &&
860 (tmpl->aalgos & (1<<x->props.aalgo)) &&
861 !(x->props.mode && xfrm_state_addr_cmp(tmpl, x, family));
865 xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int idx,
866 unsigned short family)
868 for (; idx < sp->len; idx++) {
869 if (xfrm_state_ok(tmpl, sp->x[idx].xvec, family))
876 _decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
878 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
880 if (unlikely(afinfo == NULL))
881 return -EAFNOSUPPORT;
883 afinfo->decode_session(skb, fl);
884 xfrm_policy_put_afinfo(afinfo);
888 int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
889 unsigned short family)
891 struct xfrm_policy *pol;
894 if (_decode_session(skb, &fl, family) < 0)
897 /* First, check used SA against their selectors. */
901 for (i=skb->sp->len-1; i>=0; i--) {
902 struct sec_decap_state *xvec = &(skb->sp->x[i]);
903 if (!xfrm_selector_match(&xvec->xvec->sel, &fl, family))
906 /* If there is a post_input processor, try running it */
907 if (xvec->xvec->type->post_input &&
908 (xvec->xvec->type->post_input)(xvec->xvec,
916 if (sk && sk->sk_policy[dir])
917 pol = xfrm_sk_policy_lookup(sk, dir, &fl);
920 pol = flow_cache_lookup(&fl, family,
921 policy_to_flow_dir(dir),
927 pol->curlft.use_time = (unsigned long)xtime.tv_sec;
929 if (pol->action == XFRM_POLICY_ALLOW) {
930 if (pol->xfrm_nr != 0) {
932 static struct sec_path dummy;
935 if ((sp = skb->sp) == NULL)
938 /* For each tmpl search corresponding xfrm.
939 * Order is _important_. Later we will implement
940 * some barriers, but at the moment barriers
941 * are implied between each two transformations.
943 for (i = pol->xfrm_nr-1, k = 0; i >= 0; i--) {
944 if (pol->xfrm_vec[i].optional)
946 k = xfrm_policy_ok(pol->xfrm_vec+i, sp, k, family);
960 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
964 if (_decode_session(skb, &fl, family) < 0)
967 return xfrm_lookup(&skb->dst, &fl, NULL, 0) == 0;
970 /* Optimize later using cookies and generation ids. */
972 static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
974 struct dst_entry *child = dst;
977 if (child->obsolete > 0 ||
978 (child->xfrm && child->xfrm->km.state != XFRM_STATE_VALID)) {
982 child = child->child;
988 static void xfrm_dst_destroy(struct dst_entry *dst)
990 xfrm_state_put(dst->xfrm);
994 static void xfrm_link_failure(struct sk_buff *skb)
996 /* Impossible. Such dst must be popped before reaches point of failure. */
1000 static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
1003 if (dst->obsolete) {
1011 static void __xfrm_garbage_collect(void)
1014 struct xfrm_policy *pol;
1015 struct dst_entry *dst, **dstp, *gc_list = NULL;
1017 read_lock_bh(&xfrm_policy_lock);
1018 for (i=0; i<2*XFRM_POLICY_MAX; i++) {
1019 for (pol = xfrm_policy_list[i]; pol; pol = pol->next) {
1020 write_lock(&pol->lock);
1021 dstp = &pol->bundles;
1022 while ((dst=*dstp) != NULL) {
1023 if (atomic_read(&dst->__refcnt) == 0) {
1025 dst->next = gc_list;
1031 write_unlock(&pol->lock);
1034 read_unlock_bh(&xfrm_policy_lock);
1038 gc_list = dst->next;
1043 static int bundle_depends_on(struct dst_entry *dst, struct xfrm_state *x)
1048 } while ((dst = dst->child) != NULL);
1052 int xfrm_flush_bundles(struct xfrm_state *x)
1055 struct xfrm_policy *pol;
1056 struct dst_entry *dst, **dstp, *gc_list = NULL;
1058 read_lock_bh(&xfrm_policy_lock);
1059 for (i=0; i<2*XFRM_POLICY_MAX; i++) {
1060 for (pol = xfrm_policy_list[i]; pol; pol = pol->next) {
1061 write_lock(&pol->lock);
1062 dstp = &pol->bundles;
1063 while ((dst=*dstp) != NULL) {
1064 if (bundle_depends_on(dst, x)) {
1066 dst->next = gc_list;
1072 write_unlock(&pol->lock);
1075 read_unlock_bh(&xfrm_policy_lock);
1079 gc_list = dst->next;
1086 /* Well... that's _TASK_. We need to scan through transformation
1087 * list and figure out what mss tcp should generate in order to
1088 * final datagram fit to mtu. Mama mia... :-)
1090 * Apparently, some easy way exists, but we used to choose the most
1091 * bizarre ones. :-) So, raising Kalashnikov... tra-ta-ta.
1093 * Consider this function as something like dark humour. :-)
1095 static int xfrm_get_mss(struct dst_entry *dst, u32 mtu)
1097 int res = mtu - dst->header_len;
1100 struct dst_entry *d = dst;
1104 struct xfrm_state *x = d->xfrm;
1106 spin_lock_bh(&x->lock);
1107 if (x->km.state == XFRM_STATE_VALID &&
1108 x->type && x->type->get_max_size)
1109 m = x->type->get_max_size(d->xfrm, m);
1111 m += x->props.header_len;
1112 spin_unlock_bh(&x->lock);
1114 } while ((d = d->child) != NULL);
1123 return res + dst->header_len;
1126 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
1129 if (unlikely(afinfo == NULL))
1131 if (unlikely(afinfo->family >= NPROTO))
1132 return -EAFNOSUPPORT;
1133 write_lock(&xfrm_policy_afinfo_lock);
1134 if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL))
1137 struct dst_ops *dst_ops = afinfo->dst_ops;
1138 if (likely(dst_ops->kmem_cachep == NULL))
1139 dst_ops->kmem_cachep = xfrm_dst_cache;
1140 if (likely(dst_ops->check == NULL))
1141 dst_ops->check = xfrm_dst_check;
1142 if (likely(dst_ops->destroy == NULL))
1143 dst_ops->destroy = xfrm_dst_destroy;
1144 if (likely(dst_ops->negative_advice == NULL))
1145 dst_ops->negative_advice = xfrm_negative_advice;
1146 if (likely(dst_ops->link_failure == NULL))
1147 dst_ops->link_failure = xfrm_link_failure;
1148 if (likely(dst_ops->get_mss == NULL))
1149 dst_ops->get_mss = xfrm_get_mss;
1150 if (likely(afinfo->garbage_collect == NULL))
1151 afinfo->garbage_collect = __xfrm_garbage_collect;
1152 xfrm_policy_afinfo[afinfo->family] = afinfo;
1154 write_unlock(&xfrm_policy_afinfo_lock);
1158 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
1161 if (unlikely(afinfo == NULL))
1163 if (unlikely(afinfo->family >= NPROTO))
1164 return -EAFNOSUPPORT;
1165 write_lock(&xfrm_policy_afinfo_lock);
1166 if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) {
1167 if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo))
1170 struct dst_ops *dst_ops = afinfo->dst_ops;
1171 xfrm_policy_afinfo[afinfo->family] = NULL;
1172 dst_ops->kmem_cachep = NULL;
1173 dst_ops->check = NULL;
1174 dst_ops->destroy = NULL;
1175 dst_ops->negative_advice = NULL;
1176 dst_ops->link_failure = NULL;
1177 dst_ops->get_mss = NULL;
1178 afinfo->garbage_collect = NULL;
1181 write_unlock(&xfrm_policy_afinfo_lock);
1185 struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)
1187 struct xfrm_policy_afinfo *afinfo;
1188 if (unlikely(family >= NPROTO))
1190 read_lock(&xfrm_policy_afinfo_lock);
1191 afinfo = xfrm_policy_afinfo[family];
1192 if (likely(afinfo != NULL))
1193 read_lock(&afinfo->lock);
1194 read_unlock(&xfrm_policy_afinfo_lock);
1198 void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo)
1200 if (unlikely(afinfo == NULL))
1202 read_unlock(&afinfo->lock);
1205 void __init xfrm_policy_init(void)
1207 xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache",
1208 sizeof(struct xfrm_dst),
1209 0, SLAB_HWCACHE_ALIGN,
1211 if (!xfrm_dst_cache)
1212 panic("XFRM: failed to allocate xfrm_dst_cache\n");
1214 INIT_WORK(&xfrm_policy_gc_work, xfrm_policy_gc_task, NULL);
1217 void __init xfrm_init(void)