1 /* xfrm_user.c: User interface to configure xfrm engine.
3 * Copyright (C) 2002 David S. Miller (davem@redhat.com)
7 * Kazunori MIYAZAWA @USAGI
8 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
13 #include <linux/crypto.h>
14 #include <linux/module.h>
15 #include <linux/kernel.h>
16 #include <linux/types.h>
17 #include <linux/slab.h>
18 #include <linux/socket.h>
19 #include <linux/string.h>
20 #include <linux/net.h>
21 #include <linux/skbuff.h>
22 #include <linux/pfkeyv2.h>
23 #include <linux/ipsec.h>
24 #include <linux/init.h>
25 #include <linux/security.h>
28 #include <net/netlink.h>
30 #include <asm/uaccess.h>
31 #if IS_ENABLED(CONFIG_IPV6)
32 #include <linux/in6.h>
35 static inline int aead_len(struct xfrm_algo_aead
*alg
)
37 return sizeof(*alg
) + ((alg
->alg_key_len
+ 7) / 8);
40 static int verify_one_alg(struct nlattr
**attrs
, enum xfrm_attr_type_t type
)
42 struct nlattr
*rt
= attrs
[type
];
43 struct xfrm_algo
*algp
;
49 if (nla_len(rt
) < xfrm_alg_len(algp
))
62 algp
->alg_name
[CRYPTO_MAX_ALG_NAME
- 1] = '\0';
66 static int verify_auth_trunc(struct nlattr
**attrs
)
68 struct nlattr
*rt
= attrs
[XFRMA_ALG_AUTH_TRUNC
];
69 struct xfrm_algo_auth
*algp
;
75 if (nla_len(rt
) < xfrm_alg_auth_len(algp
))
78 algp
->alg_name
[CRYPTO_MAX_ALG_NAME
- 1] = '\0';
82 static int verify_aead(struct nlattr
**attrs
)
84 struct nlattr
*rt
= attrs
[XFRMA_ALG_AEAD
];
85 struct xfrm_algo_aead
*algp
;
91 if (nla_len(rt
) < aead_len(algp
))
94 algp
->alg_name
[CRYPTO_MAX_ALG_NAME
- 1] = '\0';
98 static void verify_one_addr(struct nlattr
**attrs
, enum xfrm_attr_type_t type
,
99 xfrm_address_t
**addrp
)
101 struct nlattr
*rt
= attrs
[type
];
104 *addrp
= nla_data(rt
);
107 static inline int verify_sec_ctx_len(struct nlattr
**attrs
)
109 struct nlattr
*rt
= attrs
[XFRMA_SEC_CTX
];
110 struct xfrm_user_sec_ctx
*uctx
;
116 if (uctx
->len
!= (sizeof(struct xfrm_user_sec_ctx
) + uctx
->ctx_len
))
122 static inline int verify_replay(struct xfrm_usersa_info
*p
,
123 struct nlattr
**attrs
)
125 struct nlattr
*rt
= attrs
[XFRMA_REPLAY_ESN_VAL
];
126 struct xfrm_replay_state_esn
*rs
;
128 if (p
->flags
& XFRM_STATE_ESN
) {
134 if (rs
->bmp_len
> XFRMA_REPLAY_ESN_MAX
/ sizeof(rs
->bmp
[0]) / 8)
137 if (nla_len(rt
) < xfrm_replay_state_esn_len(rs
) &&
138 nla_len(rt
) != sizeof(*rs
))
145 if (p
->id
.proto
!= IPPROTO_ESP
)
148 if (p
->replay_window
!= 0)
154 static int verify_newsa_info(struct xfrm_usersa_info
*p
,
155 struct nlattr
**attrs
)
165 #if IS_ENABLED(CONFIG_IPV6)
177 switch (p
->id
.proto
) {
179 if ((!attrs
[XFRMA_ALG_AUTH
] &&
180 !attrs
[XFRMA_ALG_AUTH_TRUNC
]) ||
181 attrs
[XFRMA_ALG_AEAD
] ||
182 attrs
[XFRMA_ALG_CRYPT
] ||
183 attrs
[XFRMA_ALG_COMP
] ||
189 if (attrs
[XFRMA_ALG_COMP
])
191 if (!attrs
[XFRMA_ALG_AUTH
] &&
192 !attrs
[XFRMA_ALG_AUTH_TRUNC
] &&
193 !attrs
[XFRMA_ALG_CRYPT
] &&
194 !attrs
[XFRMA_ALG_AEAD
])
196 if ((attrs
[XFRMA_ALG_AUTH
] ||
197 attrs
[XFRMA_ALG_AUTH_TRUNC
] ||
198 attrs
[XFRMA_ALG_CRYPT
]) &&
199 attrs
[XFRMA_ALG_AEAD
])
201 if (attrs
[XFRMA_TFCPAD
] &&
202 p
->mode
!= XFRM_MODE_TUNNEL
)
207 if (!attrs
[XFRMA_ALG_COMP
] ||
208 attrs
[XFRMA_ALG_AEAD
] ||
209 attrs
[XFRMA_ALG_AUTH
] ||
210 attrs
[XFRMA_ALG_AUTH_TRUNC
] ||
211 attrs
[XFRMA_ALG_CRYPT
] ||
216 #if IS_ENABLED(CONFIG_IPV6)
217 case IPPROTO_DSTOPTS
:
218 case IPPROTO_ROUTING
:
219 if (attrs
[XFRMA_ALG_COMP
] ||
220 attrs
[XFRMA_ALG_AUTH
] ||
221 attrs
[XFRMA_ALG_AUTH_TRUNC
] ||
222 attrs
[XFRMA_ALG_AEAD
] ||
223 attrs
[XFRMA_ALG_CRYPT
] ||
224 attrs
[XFRMA_ENCAP
] ||
225 attrs
[XFRMA_SEC_CTX
] ||
226 attrs
[XFRMA_TFCPAD
] ||
227 !attrs
[XFRMA_COADDR
])
236 if ((err
= verify_aead(attrs
)))
238 if ((err
= verify_auth_trunc(attrs
)))
240 if ((err
= verify_one_alg(attrs
, XFRMA_ALG_AUTH
)))
242 if ((err
= verify_one_alg(attrs
, XFRMA_ALG_CRYPT
)))
244 if ((err
= verify_one_alg(attrs
, XFRMA_ALG_COMP
)))
246 if ((err
= verify_sec_ctx_len(attrs
)))
248 if ((err
= verify_replay(p
, attrs
)))
253 case XFRM_MODE_TRANSPORT
:
254 case XFRM_MODE_TUNNEL
:
255 case XFRM_MODE_ROUTEOPTIMIZATION
:
269 static int attach_one_algo(struct xfrm_algo
**algpp
, u8
*props
,
270 struct xfrm_algo_desc
*(*get_byname
)(const char *, int),
273 struct xfrm_algo
*p
, *ualg
;
274 struct xfrm_algo_desc
*algo
;
279 ualg
= nla_data(rta
);
281 algo
= get_byname(ualg
->alg_name
, 1);
284 *props
= algo
->desc
.sadb_alg_id
;
286 p
= kmemdup(ualg
, xfrm_alg_len(ualg
), GFP_KERNEL
);
290 strcpy(p
->alg_name
, algo
->name
);
295 static int attach_auth(struct xfrm_algo_auth
**algpp
, u8
*props
,
298 struct xfrm_algo
*ualg
;
299 struct xfrm_algo_auth
*p
;
300 struct xfrm_algo_desc
*algo
;
305 ualg
= nla_data(rta
);
307 algo
= xfrm_aalg_get_byname(ualg
->alg_name
, 1);
310 *props
= algo
->desc
.sadb_alg_id
;
312 p
= kmalloc(sizeof(*p
) + (ualg
->alg_key_len
+ 7) / 8, GFP_KERNEL
);
316 strcpy(p
->alg_name
, algo
->name
);
317 p
->alg_key_len
= ualg
->alg_key_len
;
318 p
->alg_trunc_len
= algo
->uinfo
.auth
.icv_truncbits
;
319 memcpy(p
->alg_key
, ualg
->alg_key
, (ualg
->alg_key_len
+ 7) / 8);
325 static int attach_auth_trunc(struct xfrm_algo_auth
**algpp
, u8
*props
,
328 struct xfrm_algo_auth
*p
, *ualg
;
329 struct xfrm_algo_desc
*algo
;
334 ualg
= nla_data(rta
);
336 algo
= xfrm_aalg_get_byname(ualg
->alg_name
, 1);
339 if ((ualg
->alg_trunc_len
/ 8) > MAX_AH_AUTH_LEN
||
340 ualg
->alg_trunc_len
> algo
->uinfo
.auth
.icv_fullbits
)
342 *props
= algo
->desc
.sadb_alg_id
;
344 p
= kmemdup(ualg
, xfrm_alg_auth_len(ualg
), GFP_KERNEL
);
348 strcpy(p
->alg_name
, algo
->name
);
349 if (!p
->alg_trunc_len
)
350 p
->alg_trunc_len
= algo
->uinfo
.auth
.icv_truncbits
;
356 static int attach_aead(struct xfrm_algo_aead
**algpp
, u8
*props
,
359 struct xfrm_algo_aead
*p
, *ualg
;
360 struct xfrm_algo_desc
*algo
;
365 ualg
= nla_data(rta
);
367 algo
= xfrm_aead_get_byname(ualg
->alg_name
, ualg
->alg_icv_len
, 1);
370 *props
= algo
->desc
.sadb_alg_id
;
372 p
= kmemdup(ualg
, aead_len(ualg
), GFP_KERNEL
);
376 strcpy(p
->alg_name
, algo
->name
);
381 static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn
*replay_esn
,
384 struct xfrm_replay_state_esn
*up
;
387 if (!replay_esn
|| !rp
)
391 ulen
= xfrm_replay_state_esn_len(up
);
393 if (nla_len(rp
) < ulen
|| xfrm_replay_state_esn_len(replay_esn
) != ulen
)
399 static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn
**replay_esn
,
400 struct xfrm_replay_state_esn
**preplay_esn
,
403 struct xfrm_replay_state_esn
*p
, *pp
, *up
;
410 klen
= xfrm_replay_state_esn_len(up
);
411 ulen
= nla_len(rta
) >= klen
? klen
: sizeof(*up
);
413 p
= kzalloc(klen
, GFP_KERNEL
);
417 pp
= kzalloc(klen
, GFP_KERNEL
);
424 memcpy(pp
, up
, ulen
);
432 static inline int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx
*xfrm_ctx
)
437 len
+= sizeof(struct xfrm_user_sec_ctx
);
438 len
+= xfrm_ctx
->ctx_len
;
443 static void copy_from_user_state(struct xfrm_state
*x
, struct xfrm_usersa_info
*p
)
445 memcpy(&x
->id
, &p
->id
, sizeof(x
->id
));
446 memcpy(&x
->sel
, &p
->sel
, sizeof(x
->sel
));
447 memcpy(&x
->lft
, &p
->lft
, sizeof(x
->lft
));
448 x
->props
.mode
= p
->mode
;
449 x
->props
.replay_window
= min_t(unsigned int, p
->replay_window
,
450 sizeof(x
->replay
.bitmap
) * 8);
451 x
->props
.reqid
= p
->reqid
;
452 x
->props
.family
= p
->family
;
453 memcpy(&x
->props
.saddr
, &p
->saddr
, sizeof(x
->props
.saddr
));
454 x
->props
.flags
= p
->flags
;
456 if (!x
->sel
.family
&& !(p
->flags
& XFRM_STATE_AF_UNSPEC
))
457 x
->sel
.family
= p
->family
;
461 * someday when pfkey also has support, we could have the code
462 * somehow made shareable and move it to xfrm_state.c - JHS
465 static void xfrm_update_ae_params(struct xfrm_state
*x
, struct nlattr
**attrs
,
468 struct nlattr
*rp
= attrs
[XFRMA_REPLAY_VAL
];
469 struct nlattr
*re
= update_esn
? attrs
[XFRMA_REPLAY_ESN_VAL
] : NULL
;
470 struct nlattr
*lt
= attrs
[XFRMA_LTIME_VAL
];
471 struct nlattr
*et
= attrs
[XFRMA_ETIMER_THRESH
];
472 struct nlattr
*rt
= attrs
[XFRMA_REPLAY_THRESH
];
475 struct xfrm_replay_state_esn
*replay_esn
;
476 replay_esn
= nla_data(re
);
477 memcpy(x
->replay_esn
, replay_esn
,
478 xfrm_replay_state_esn_len(replay_esn
));
479 memcpy(x
->preplay_esn
, replay_esn
,
480 xfrm_replay_state_esn_len(replay_esn
));
484 struct xfrm_replay_state
*replay
;
485 replay
= nla_data(rp
);
486 memcpy(&x
->replay
, replay
, sizeof(*replay
));
487 memcpy(&x
->preplay
, replay
, sizeof(*replay
));
491 struct xfrm_lifetime_cur
*ltime
;
492 ltime
= nla_data(lt
);
493 x
->curlft
.bytes
= ltime
->bytes
;
494 x
->curlft
.packets
= ltime
->packets
;
495 x
->curlft
.add_time
= ltime
->add_time
;
496 x
->curlft
.use_time
= ltime
->use_time
;
500 x
->replay_maxage
= nla_get_u32(et
);
503 x
->replay_maxdiff
= nla_get_u32(rt
);
506 static struct xfrm_state
*xfrm_state_construct(struct net
*net
,
507 struct xfrm_usersa_info
*p
,
508 struct nlattr
**attrs
,
511 struct xfrm_state
*x
= xfrm_state_alloc(net
);
517 copy_from_user_state(x
, p
);
519 if (attrs
[XFRMA_SA_EXTRA_FLAGS
])
520 x
->props
.extra_flags
= nla_get_u32(attrs
[XFRMA_SA_EXTRA_FLAGS
]);
522 if ((err
= attach_aead(&x
->aead
, &x
->props
.ealgo
,
523 attrs
[XFRMA_ALG_AEAD
])))
525 if ((err
= attach_auth_trunc(&x
->aalg
, &x
->props
.aalgo
,
526 attrs
[XFRMA_ALG_AUTH_TRUNC
])))
528 if (!x
->props
.aalgo
) {
529 if ((err
= attach_auth(&x
->aalg
, &x
->props
.aalgo
,
530 attrs
[XFRMA_ALG_AUTH
])))
533 if ((err
= attach_one_algo(&x
->ealg
, &x
->props
.ealgo
,
534 xfrm_ealg_get_byname
,
535 attrs
[XFRMA_ALG_CRYPT
])))
537 if ((err
= attach_one_algo(&x
->calg
, &x
->props
.calgo
,
538 xfrm_calg_get_byname
,
539 attrs
[XFRMA_ALG_COMP
])))
542 if (attrs
[XFRMA_ENCAP
]) {
543 x
->encap
= kmemdup(nla_data(attrs
[XFRMA_ENCAP
]),
544 sizeof(*x
->encap
), GFP_KERNEL
);
545 if (x
->encap
== NULL
)
549 if (attrs
[XFRMA_TFCPAD
])
550 x
->tfcpad
= nla_get_u32(attrs
[XFRMA_TFCPAD
]);
552 if (attrs
[XFRMA_COADDR
]) {
553 x
->coaddr
= kmemdup(nla_data(attrs
[XFRMA_COADDR
]),
554 sizeof(*x
->coaddr
), GFP_KERNEL
);
555 if (x
->coaddr
== NULL
)
559 xfrm_mark_get(attrs
, &x
->mark
);
561 err
= __xfrm_init_state(x
, false);
565 if (attrs
[XFRMA_SEC_CTX
] &&
566 security_xfrm_state_alloc(x
, nla_data(attrs
[XFRMA_SEC_CTX
])))
569 if ((err
= xfrm_alloc_replay_state_esn(&x
->replay_esn
, &x
->preplay_esn
,
570 attrs
[XFRMA_REPLAY_ESN_VAL
])))
574 x
->replay_maxdiff
= net
->xfrm
.sysctl_aevent_rseqth
;
575 /* sysctl_xfrm_aevent_etime is in 100ms units */
576 x
->replay_maxage
= (net
->xfrm
.sysctl_aevent_etime
*HZ
)/XFRM_AE_ETH_M
;
578 if ((err
= xfrm_init_replay(x
)))
581 /* override default values from above */
582 xfrm_update_ae_params(x
, attrs
, 0);
587 x
->km
.state
= XFRM_STATE_DEAD
;
594 static int xfrm_add_sa(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
595 struct nlattr
**attrs
)
597 struct net
*net
= sock_net(skb
->sk
);
598 struct xfrm_usersa_info
*p
= nlmsg_data(nlh
);
599 struct xfrm_state
*x
;
602 kuid_t loginuid
= audit_get_loginuid(current
);
603 u32 sessionid
= audit_get_sessionid(current
);
606 err
= verify_newsa_info(p
, attrs
);
610 x
= xfrm_state_construct(net
, p
, attrs
, &err
);
615 if (nlh
->nlmsg_type
== XFRM_MSG_NEWSA
)
616 err
= xfrm_state_add(x
);
618 err
= xfrm_state_update(x
);
620 security_task_getsecid(current
, &sid
);
621 xfrm_audit_state_add(x
, err
? 0 : 1, loginuid
, sessionid
, sid
);
624 x
->km
.state
= XFRM_STATE_DEAD
;
629 c
.seq
= nlh
->nlmsg_seq
;
630 c
.portid
= nlh
->nlmsg_pid
;
631 c
.event
= nlh
->nlmsg_type
;
633 km_state_notify(x
, &c
);
639 static struct xfrm_state
*xfrm_user_state_lookup(struct net
*net
,
640 struct xfrm_usersa_id
*p
,
641 struct nlattr
**attrs
,
644 struct xfrm_state
*x
= NULL
;
647 u32 mark
= xfrm_mark_get(attrs
, &m
);
649 if (xfrm_id_proto_match(p
->proto
, IPSEC_PROTO_ANY
)) {
651 x
= xfrm_state_lookup(net
, mark
, &p
->daddr
, p
->spi
, p
->proto
, p
->family
);
653 xfrm_address_t
*saddr
= NULL
;
655 verify_one_addr(attrs
, XFRMA_SRCADDR
, &saddr
);
662 x
= xfrm_state_lookup_byaddr(net
, mark
,
664 p
->proto
, p
->family
);
673 static int xfrm_del_sa(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
674 struct nlattr
**attrs
)
676 struct net
*net
= sock_net(skb
->sk
);
677 struct xfrm_state
*x
;
680 struct xfrm_usersa_id
*p
= nlmsg_data(nlh
);
681 kuid_t loginuid
= audit_get_loginuid(current
);
682 u32 sessionid
= audit_get_sessionid(current
);
685 x
= xfrm_user_state_lookup(net
, p
, attrs
, &err
);
689 if ((err
= security_xfrm_state_delete(x
)) != 0)
692 if (xfrm_state_kern(x
)) {
697 err
= xfrm_state_delete(x
);
702 c
.seq
= nlh
->nlmsg_seq
;
703 c
.portid
= nlh
->nlmsg_pid
;
704 c
.event
= nlh
->nlmsg_type
;
705 km_state_notify(x
, &c
);
708 security_task_getsecid(current
, &sid
);
709 xfrm_audit_state_delete(x
, err
? 0 : 1, loginuid
, sessionid
, sid
);
714 static void copy_to_user_state(struct xfrm_state
*x
, struct xfrm_usersa_info
*p
)
716 memset(p
, 0, sizeof(*p
));
717 memcpy(&p
->id
, &x
->id
, sizeof(p
->id
));
718 memcpy(&p
->sel
, &x
->sel
, sizeof(p
->sel
));
719 memcpy(&p
->lft
, &x
->lft
, sizeof(p
->lft
));
720 memcpy(&p
->curlft
, &x
->curlft
, sizeof(p
->curlft
));
721 memcpy(&p
->stats
, &x
->stats
, sizeof(p
->stats
));
722 memcpy(&p
->saddr
, &x
->props
.saddr
, sizeof(p
->saddr
));
723 p
->mode
= x
->props
.mode
;
724 p
->replay_window
= x
->props
.replay_window
;
725 p
->reqid
= x
->props
.reqid
;
726 p
->family
= x
->props
.family
;
727 p
->flags
= x
->props
.flags
;
731 struct xfrm_dump_info
{
732 struct sk_buff
*in_skb
;
733 struct sk_buff
*out_skb
;
738 static int copy_sec_ctx(struct xfrm_sec_ctx
*s
, struct sk_buff
*skb
)
740 struct xfrm_user_sec_ctx
*uctx
;
742 int ctx_size
= sizeof(*uctx
) + s
->ctx_len
;
744 attr
= nla_reserve(skb
, XFRMA_SEC_CTX
, ctx_size
);
748 uctx
= nla_data(attr
);
749 uctx
->exttype
= XFRMA_SEC_CTX
;
750 uctx
->len
= ctx_size
;
751 uctx
->ctx_doi
= s
->ctx_doi
;
752 uctx
->ctx_alg
= s
->ctx_alg
;
753 uctx
->ctx_len
= s
->ctx_len
;
754 memcpy(uctx
+ 1, s
->ctx_str
, s
->ctx_len
);
759 static int copy_to_user_auth(struct xfrm_algo_auth
*auth
, struct sk_buff
*skb
)
761 struct xfrm_algo
*algo
;
764 nla
= nla_reserve(skb
, XFRMA_ALG_AUTH
,
765 sizeof(*algo
) + (auth
->alg_key_len
+ 7) / 8);
769 algo
= nla_data(nla
);
770 strncpy(algo
->alg_name
, auth
->alg_name
, sizeof(algo
->alg_name
));
771 memcpy(algo
->alg_key
, auth
->alg_key
, (auth
->alg_key_len
+ 7) / 8);
772 algo
->alg_key_len
= auth
->alg_key_len
;
777 /* Don't change this without updating xfrm_sa_len! */
778 static int copy_to_user_state_extra(struct xfrm_state
*x
,
779 struct xfrm_usersa_info
*p
,
784 copy_to_user_state(x
, p
);
786 if (x
->props
.extra_flags
) {
787 ret
= nla_put_u32(skb
, XFRMA_SA_EXTRA_FLAGS
,
788 x
->props
.extra_flags
);
794 ret
= nla_put(skb
, XFRMA_COADDR
, sizeof(*x
->coaddr
), x
->coaddr
);
799 ret
= nla_put_u64(skb
, XFRMA_LASTUSED
, x
->lastused
);
804 ret
= nla_put(skb
, XFRMA_ALG_AEAD
, aead_len(x
->aead
), x
->aead
);
809 ret
= copy_to_user_auth(x
->aalg
, skb
);
811 ret
= nla_put(skb
, XFRMA_ALG_AUTH_TRUNC
,
812 xfrm_alg_auth_len(x
->aalg
), x
->aalg
);
817 ret
= nla_put(skb
, XFRMA_ALG_CRYPT
, xfrm_alg_len(x
->ealg
), x
->ealg
);
822 ret
= nla_put(skb
, XFRMA_ALG_COMP
, sizeof(*(x
->calg
)), x
->calg
);
827 ret
= nla_put(skb
, XFRMA_ENCAP
, sizeof(*x
->encap
), x
->encap
);
832 ret
= nla_put_u32(skb
, XFRMA_TFCPAD
, x
->tfcpad
);
836 ret
= xfrm_mark_put(skb
, &x
->mark
);
840 ret
= nla_put(skb
, XFRMA_REPLAY_ESN_VAL
,
841 xfrm_replay_state_esn_len(x
->replay_esn
),
847 ret
= copy_sec_ctx(x
->security
, skb
);
852 static int dump_one_state(struct xfrm_state
*x
, int count
, void *ptr
)
854 struct xfrm_dump_info
*sp
= ptr
;
855 struct sk_buff
*in_skb
= sp
->in_skb
;
856 struct sk_buff
*skb
= sp
->out_skb
;
857 struct xfrm_usersa_info
*p
;
858 struct nlmsghdr
*nlh
;
861 nlh
= nlmsg_put(skb
, NETLINK_CB(in_skb
).portid
, sp
->nlmsg_seq
,
862 XFRM_MSG_NEWSA
, sizeof(*p
), sp
->nlmsg_flags
);
868 err
= copy_to_user_state_extra(x
, p
, skb
);
870 nlmsg_cancel(skb
, nlh
);
877 static int xfrm_dump_sa_done(struct netlink_callback
*cb
)
879 struct xfrm_state_walk
*walk
= (struct xfrm_state_walk
*) &cb
->args
[1];
880 xfrm_state_walk_done(walk
);
884 static int xfrm_dump_sa(struct sk_buff
*skb
, struct netlink_callback
*cb
)
886 struct net
*net
= sock_net(skb
->sk
);
887 struct xfrm_state_walk
*walk
= (struct xfrm_state_walk
*) &cb
->args
[1];
888 struct xfrm_dump_info info
;
890 BUILD_BUG_ON(sizeof(struct xfrm_state_walk
) >
891 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
893 info
.in_skb
= cb
->skb
;
895 info
.nlmsg_seq
= cb
->nlh
->nlmsg_seq
;
896 info
.nlmsg_flags
= NLM_F_MULTI
;
900 xfrm_state_walk_init(walk
, 0);
903 (void) xfrm_state_walk(net
, walk
, dump_one_state
, &info
);
908 static struct sk_buff
*xfrm_state_netlink(struct sk_buff
*in_skb
,
909 struct xfrm_state
*x
, u32 seq
)
911 struct xfrm_dump_info info
;
915 skb
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_ATOMIC
);
917 return ERR_PTR(-ENOMEM
);
919 info
.in_skb
= in_skb
;
921 info
.nlmsg_seq
= seq
;
922 info
.nlmsg_flags
= 0;
924 err
= dump_one_state(x
, 0, &info
);
933 /* A wrapper for nlmsg_multicast() checking that nlsk is still available.
934 * Must be called with RCU read lock.
936 static inline int xfrm_nlmsg_multicast(struct net
*net
, struct sk_buff
*skb
,
937 u32 pid
, unsigned int group
)
939 struct sock
*nlsk
= rcu_dereference(net
->xfrm
.nlsk
);
942 return nlmsg_multicast(nlsk
, skb
, pid
, group
, GFP_ATOMIC
);
947 static inline size_t xfrm_spdinfo_msgsize(void)
949 return NLMSG_ALIGN(4)
950 + nla_total_size(sizeof(struct xfrmu_spdinfo
))
951 + nla_total_size(sizeof(struct xfrmu_spdhinfo
));
954 static int build_spdinfo(struct sk_buff
*skb
, struct net
*net
,
955 u32 portid
, u32 seq
, u32 flags
)
957 struct xfrmk_spdinfo si
;
958 struct xfrmu_spdinfo spc
;
959 struct xfrmu_spdhinfo sph
;
960 struct nlmsghdr
*nlh
;
964 nlh
= nlmsg_put(skb
, portid
, seq
, XFRM_MSG_NEWSPDINFO
, sizeof(u32
), 0);
965 if (nlh
== NULL
) /* shouldn't really happen ... */
970 xfrm_spd_getinfo(net
, &si
);
971 spc
.incnt
= si
.incnt
;
972 spc
.outcnt
= si
.outcnt
;
973 spc
.fwdcnt
= si
.fwdcnt
;
974 spc
.inscnt
= si
.inscnt
;
975 spc
.outscnt
= si
.outscnt
;
976 spc
.fwdscnt
= si
.fwdscnt
;
977 sph
.spdhcnt
= si
.spdhcnt
;
978 sph
.spdhmcnt
= si
.spdhmcnt
;
980 err
= nla_put(skb
, XFRMA_SPD_INFO
, sizeof(spc
), &spc
);
982 err
= nla_put(skb
, XFRMA_SPD_HINFO
, sizeof(sph
), &sph
);
984 nlmsg_cancel(skb
, nlh
);
988 return nlmsg_end(skb
, nlh
);
991 static int xfrm_get_spdinfo(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
992 struct nlattr
**attrs
)
994 struct net
*net
= sock_net(skb
->sk
);
995 struct sk_buff
*r_skb
;
996 u32
*flags
= nlmsg_data(nlh
);
997 u32 sportid
= NETLINK_CB(skb
).portid
;
998 u32 seq
= nlh
->nlmsg_seq
;
1000 r_skb
= nlmsg_new(xfrm_spdinfo_msgsize(), GFP_ATOMIC
);
1004 if (build_spdinfo(r_skb
, net
, sportid
, seq
, *flags
) < 0)
1007 return nlmsg_unicast(net
->xfrm
.nlsk
, r_skb
, sportid
);
1010 static inline size_t xfrm_sadinfo_msgsize(void)
1012 return NLMSG_ALIGN(4)
1013 + nla_total_size(sizeof(struct xfrmu_sadhinfo
))
1014 + nla_total_size(4); /* XFRMA_SAD_CNT */
1017 static int build_sadinfo(struct sk_buff
*skb
, struct net
*net
,
1018 u32 portid
, u32 seq
, u32 flags
)
1020 struct xfrmk_sadinfo si
;
1021 struct xfrmu_sadhinfo sh
;
1022 struct nlmsghdr
*nlh
;
1026 nlh
= nlmsg_put(skb
, portid
, seq
, XFRM_MSG_NEWSADINFO
, sizeof(u32
), 0);
1027 if (nlh
== NULL
) /* shouldn't really happen ... */
1030 f
= nlmsg_data(nlh
);
1032 xfrm_sad_getinfo(net
, &si
);
1034 sh
.sadhmcnt
= si
.sadhmcnt
;
1035 sh
.sadhcnt
= si
.sadhcnt
;
1037 err
= nla_put_u32(skb
, XFRMA_SAD_CNT
, si
.sadcnt
);
1039 err
= nla_put(skb
, XFRMA_SAD_HINFO
, sizeof(sh
), &sh
);
1041 nlmsg_cancel(skb
, nlh
);
1045 return nlmsg_end(skb
, nlh
);
1048 static int xfrm_get_sadinfo(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
1049 struct nlattr
**attrs
)
1051 struct net
*net
= sock_net(skb
->sk
);
1052 struct sk_buff
*r_skb
;
1053 u32
*flags
= nlmsg_data(nlh
);
1054 u32 sportid
= NETLINK_CB(skb
).portid
;
1055 u32 seq
= nlh
->nlmsg_seq
;
1057 r_skb
= nlmsg_new(xfrm_sadinfo_msgsize(), GFP_ATOMIC
);
1061 if (build_sadinfo(r_skb
, net
, sportid
, seq
, *flags
) < 0)
1064 return nlmsg_unicast(net
->xfrm
.nlsk
, r_skb
, sportid
);
1067 static int xfrm_get_sa(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
1068 struct nlattr
**attrs
)
1070 struct net
*net
= sock_net(skb
->sk
);
1071 struct xfrm_usersa_id
*p
= nlmsg_data(nlh
);
1072 struct xfrm_state
*x
;
1073 struct sk_buff
*resp_skb
;
1076 x
= xfrm_user_state_lookup(net
, p
, attrs
, &err
);
1080 resp_skb
= xfrm_state_netlink(skb
, x
, nlh
->nlmsg_seq
);
1081 if (IS_ERR(resp_skb
)) {
1082 err
= PTR_ERR(resp_skb
);
1084 err
= nlmsg_unicast(net
->xfrm
.nlsk
, resp_skb
, NETLINK_CB(skb
).portid
);
1091 static int verify_userspi_info(struct xfrm_userspi_info
*p
)
1093 switch (p
->info
.id
.proto
) {
1099 /* IPCOMP spi is 16-bits. */
1100 if (p
->max
>= 0x10000)
1108 if (p
->min
> p
->max
)
1114 static int xfrm_alloc_userspi(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
1115 struct nlattr
**attrs
)
1117 struct net
*net
= sock_net(skb
->sk
);
1118 struct xfrm_state
*x
;
1119 struct xfrm_userspi_info
*p
;
1120 struct sk_buff
*resp_skb
;
1121 xfrm_address_t
*daddr
;
1127 p
= nlmsg_data(nlh
);
1128 err
= verify_userspi_info(p
);
1132 family
= p
->info
.family
;
1133 daddr
= &p
->info
.id
.daddr
;
1137 mark
= xfrm_mark_get(attrs
, &m
);
1139 x
= xfrm_find_acq_byseq(net
, mark
, p
->info
.seq
);
1140 if (x
&& !xfrm_addr_equal(&x
->id
.daddr
, daddr
, family
)) {
1147 x
= xfrm_find_acq(net
, &m
, p
->info
.mode
, p
->info
.reqid
,
1148 p
->info
.id
.proto
, daddr
,
1155 err
= xfrm_alloc_spi(x
, p
->min
, p
->max
);
1159 resp_skb
= xfrm_state_netlink(skb
, x
, nlh
->nlmsg_seq
);
1160 if (IS_ERR(resp_skb
)) {
1161 err
= PTR_ERR(resp_skb
);
1165 err
= nlmsg_unicast(net
->xfrm
.nlsk
, resp_skb
, NETLINK_CB(skb
).portid
);
1173 static int verify_policy_dir(u8 dir
)
1176 case XFRM_POLICY_IN
:
1177 case XFRM_POLICY_OUT
:
1178 case XFRM_POLICY_FWD
:
1188 static int verify_policy_type(u8 type
)
1191 case XFRM_POLICY_TYPE_MAIN
:
1192 #ifdef CONFIG_XFRM_SUB_POLICY
1193 case XFRM_POLICY_TYPE_SUB
:
1204 static int verify_newpolicy_info(struct xfrm_userpolicy_info
*p
)
1207 case XFRM_SHARE_ANY
:
1208 case XFRM_SHARE_SESSION
:
1209 case XFRM_SHARE_USER
:
1210 case XFRM_SHARE_UNIQUE
:
1217 switch (p
->action
) {
1218 case XFRM_POLICY_ALLOW
:
1219 case XFRM_POLICY_BLOCK
:
1226 switch (p
->sel
.family
) {
1231 #if IS_ENABLED(CONFIG_IPV6)
1234 return -EAFNOSUPPORT
;
1241 return verify_policy_dir(p
->dir
);
1244 static int copy_from_user_sec_ctx(struct xfrm_policy
*pol
, struct nlattr
**attrs
)
1246 struct nlattr
*rt
= attrs
[XFRMA_SEC_CTX
];
1247 struct xfrm_user_sec_ctx
*uctx
;
1252 uctx
= nla_data(rt
);
1253 return security_xfrm_policy_alloc(&pol
->security
, uctx
);
1256 static void copy_templates(struct xfrm_policy
*xp
, struct xfrm_user_tmpl
*ut
,
1262 for (i
= 0; i
< nr
; i
++, ut
++) {
1263 struct xfrm_tmpl
*t
= &xp
->xfrm_vec
[i
];
1265 memcpy(&t
->id
, &ut
->id
, sizeof(struct xfrm_id
));
1266 memcpy(&t
->saddr
, &ut
->saddr
,
1267 sizeof(xfrm_address_t
));
1268 t
->reqid
= ut
->reqid
;
1270 t
->share
= ut
->share
;
1271 t
->optional
= ut
->optional
;
1272 t
->aalgos
= ut
->aalgos
;
1273 t
->ealgos
= ut
->ealgos
;
1274 t
->calgos
= ut
->calgos
;
1275 /* If all masks are ~0, then we allow all algorithms. */
1276 t
->allalgs
= !~(t
->aalgos
& t
->ealgos
& t
->calgos
);
1277 t
->encap_family
= ut
->family
;
1281 static int validate_tmpl(int nr
, struct xfrm_user_tmpl
*ut
, u16 family
)
1285 if (nr
> XFRM_MAX_DEPTH
)
1288 for (i
= 0; i
< nr
; i
++) {
1289 /* We never validated the ut->family value, so many
1290 * applications simply leave it at zero. The check was
1291 * never made and ut->family was ignored because all
1292 * templates could be assumed to have the same family as
1293 * the policy itself. Now that we will have ipv4-in-ipv6
1294 * and ipv6-in-ipv4 tunnels, this is no longer true.
1297 ut
[i
].family
= family
;
1299 switch (ut
[i
].family
) {
1302 #if IS_ENABLED(CONFIG_IPV6)
1314 static int copy_from_user_tmpl(struct xfrm_policy
*pol
, struct nlattr
**attrs
)
1316 struct nlattr
*rt
= attrs
[XFRMA_TMPL
];
1321 struct xfrm_user_tmpl
*utmpl
= nla_data(rt
);
1322 int nr
= nla_len(rt
) / sizeof(*utmpl
);
1325 err
= validate_tmpl(nr
, utmpl
, pol
->family
);
1329 copy_templates(pol
, utmpl
, nr
);
1334 static int copy_from_user_policy_type(u8
*tp
, struct nlattr
**attrs
)
1336 struct nlattr
*rt
= attrs
[XFRMA_POLICY_TYPE
];
1337 struct xfrm_userpolicy_type
*upt
;
1338 u8 type
= XFRM_POLICY_TYPE_MAIN
;
1346 err
= verify_policy_type(type
);
1354 static void copy_from_user_policy(struct xfrm_policy
*xp
, struct xfrm_userpolicy_info
*p
)
1356 xp
->priority
= p
->priority
;
1357 xp
->index
= p
->index
;
1358 memcpy(&xp
->selector
, &p
->sel
, sizeof(xp
->selector
));
1359 memcpy(&xp
->lft
, &p
->lft
, sizeof(xp
->lft
));
1360 xp
->action
= p
->action
;
1361 xp
->flags
= p
->flags
;
1362 xp
->family
= p
->sel
.family
;
1363 /* XXX xp->share = p->share; */
1366 static void copy_to_user_policy(struct xfrm_policy
*xp
, struct xfrm_userpolicy_info
*p
, int dir
)
1368 memset(p
, 0, sizeof(*p
));
1369 memcpy(&p
->sel
, &xp
->selector
, sizeof(p
->sel
));
1370 memcpy(&p
->lft
, &xp
->lft
, sizeof(p
->lft
));
1371 memcpy(&p
->curlft
, &xp
->curlft
, sizeof(p
->curlft
));
1372 p
->priority
= xp
->priority
;
1373 p
->index
= xp
->index
;
1374 p
->sel
.family
= xp
->family
;
1376 p
->action
= xp
->action
;
1377 p
->flags
= xp
->flags
;
1378 p
->share
= XFRM_SHARE_ANY
; /* XXX xp->share */
1381 static struct xfrm_policy
*xfrm_policy_construct(struct net
*net
, struct xfrm_userpolicy_info
*p
, struct nlattr
**attrs
, int *errp
)
1383 struct xfrm_policy
*xp
= xfrm_policy_alloc(net
, GFP_KERNEL
);
1391 copy_from_user_policy(xp
, p
);
1393 err
= copy_from_user_policy_type(&xp
->type
, attrs
);
1397 if (!(err
= copy_from_user_tmpl(xp
, attrs
)))
1398 err
= copy_from_user_sec_ctx(xp
, attrs
);
1402 xfrm_mark_get(attrs
, &xp
->mark
);
1408 xfrm_policy_destroy(xp
);
1412 static int xfrm_add_policy(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
1413 struct nlattr
**attrs
)
1415 struct net
*net
= sock_net(skb
->sk
);
1416 struct xfrm_userpolicy_info
*p
= nlmsg_data(nlh
);
1417 struct xfrm_policy
*xp
;
1421 kuid_t loginuid
= audit_get_loginuid(current
);
1422 u32 sessionid
= audit_get_sessionid(current
);
1425 err
= verify_newpolicy_info(p
);
1428 err
= verify_sec_ctx_len(attrs
);
1432 xp
= xfrm_policy_construct(net
, p
, attrs
, &err
);
1436 /* shouldn't excl be based on nlh flags??
1437 * Aha! this is anti-netlink really i.e more pfkey derived
1438 * in netlink excl is a flag and you wouldnt need
1439 * a type XFRM_MSG_UPDPOLICY - JHS */
1440 excl
= nlh
->nlmsg_type
== XFRM_MSG_NEWPOLICY
;
1441 err
= xfrm_policy_insert(p
->dir
, xp
, excl
);
1442 security_task_getsecid(current
, &sid
);
1443 xfrm_audit_policy_add(xp
, err
? 0 : 1, loginuid
, sessionid
, sid
);
1446 security_xfrm_policy_free(xp
->security
);
1451 c
.event
= nlh
->nlmsg_type
;
1452 c
.seq
= nlh
->nlmsg_seq
;
1453 c
.portid
= nlh
->nlmsg_pid
;
1454 km_policy_notify(xp
, p
->dir
, &c
);
1461 static int copy_to_user_tmpl(struct xfrm_policy
*xp
, struct sk_buff
*skb
)
1463 struct xfrm_user_tmpl vec
[XFRM_MAX_DEPTH
];
1466 if (xp
->xfrm_nr
== 0)
1469 for (i
= 0; i
< xp
->xfrm_nr
; i
++) {
1470 struct xfrm_user_tmpl
*up
= &vec
[i
];
1471 struct xfrm_tmpl
*kp
= &xp
->xfrm_vec
[i
];
1473 memset(up
, 0, sizeof(*up
));
1474 memcpy(&up
->id
, &kp
->id
, sizeof(up
->id
));
1475 up
->family
= kp
->encap_family
;
1476 memcpy(&up
->saddr
, &kp
->saddr
, sizeof(up
->saddr
));
1477 up
->reqid
= kp
->reqid
;
1478 up
->mode
= kp
->mode
;
1479 up
->share
= kp
->share
;
1480 up
->optional
= kp
->optional
;
1481 up
->aalgos
= kp
->aalgos
;
1482 up
->ealgos
= kp
->ealgos
;
1483 up
->calgos
= kp
->calgos
;
1486 return nla_put(skb
, XFRMA_TMPL
,
1487 sizeof(struct xfrm_user_tmpl
) * xp
->xfrm_nr
, vec
);
1490 static inline int copy_to_user_state_sec_ctx(struct xfrm_state
*x
, struct sk_buff
*skb
)
1493 return copy_sec_ctx(x
->security
, skb
);
1498 static inline int copy_to_user_sec_ctx(struct xfrm_policy
*xp
, struct sk_buff
*skb
)
1501 return copy_sec_ctx(xp
->security
, skb
);
1504 static inline size_t userpolicy_type_attrsize(void)
1506 #ifdef CONFIG_XFRM_SUB_POLICY
1507 return nla_total_size(sizeof(struct xfrm_userpolicy_type
));
1513 #ifdef CONFIG_XFRM_SUB_POLICY
1514 static int copy_to_user_policy_type(u8 type
, struct sk_buff
*skb
)
1516 struct xfrm_userpolicy_type upt
= {
1520 return nla_put(skb
, XFRMA_POLICY_TYPE
, sizeof(upt
), &upt
);
1524 static inline int copy_to_user_policy_type(u8 type
, struct sk_buff
*skb
)
1530 static int dump_one_policy(struct xfrm_policy
*xp
, int dir
, int count
, void *ptr
)
1532 struct xfrm_dump_info
*sp
= ptr
;
1533 struct xfrm_userpolicy_info
*p
;
1534 struct sk_buff
*in_skb
= sp
->in_skb
;
1535 struct sk_buff
*skb
= sp
->out_skb
;
1536 struct nlmsghdr
*nlh
;
1539 nlh
= nlmsg_put(skb
, NETLINK_CB(in_skb
).portid
, sp
->nlmsg_seq
,
1540 XFRM_MSG_NEWPOLICY
, sizeof(*p
), sp
->nlmsg_flags
);
1544 p
= nlmsg_data(nlh
);
1545 copy_to_user_policy(xp
, p
, dir
);
1546 err
= copy_to_user_tmpl(xp
, skb
);
1548 err
= copy_to_user_sec_ctx(xp
, skb
);
1550 err
= copy_to_user_policy_type(xp
->type
, skb
);
1552 err
= xfrm_mark_put(skb
, &xp
->mark
);
1554 nlmsg_cancel(skb
, nlh
);
1557 nlmsg_end(skb
, nlh
);
1561 static int xfrm_dump_policy_done(struct netlink_callback
*cb
)
1563 struct xfrm_policy_walk
*walk
= (struct xfrm_policy_walk
*) &cb
->args
[1];
1565 xfrm_policy_walk_done(walk
);
1569 static int xfrm_dump_policy(struct sk_buff
*skb
, struct netlink_callback
*cb
)
1571 struct net
*net
= sock_net(skb
->sk
);
1572 struct xfrm_policy_walk
*walk
= (struct xfrm_policy_walk
*) &cb
->args
[1];
1573 struct xfrm_dump_info info
;
1575 BUILD_BUG_ON(sizeof(struct xfrm_policy_walk
) >
1576 sizeof(cb
->args
) - sizeof(cb
->args
[0]));
1578 info
.in_skb
= cb
->skb
;
1580 info
.nlmsg_seq
= cb
->nlh
->nlmsg_seq
;
1581 info
.nlmsg_flags
= NLM_F_MULTI
;
1585 xfrm_policy_walk_init(walk
, XFRM_POLICY_TYPE_ANY
);
1588 (void) xfrm_policy_walk(net
, walk
, dump_one_policy
, &info
);
1593 static struct sk_buff
*xfrm_policy_netlink(struct sk_buff
*in_skb
,
1594 struct xfrm_policy
*xp
,
1597 struct xfrm_dump_info info
;
1598 struct sk_buff
*skb
;
1601 skb
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_KERNEL
);
1603 return ERR_PTR(-ENOMEM
);
1605 info
.in_skb
= in_skb
;
1607 info
.nlmsg_seq
= seq
;
1608 info
.nlmsg_flags
= 0;
1610 err
= dump_one_policy(xp
, dir
, 0, &info
);
1613 return ERR_PTR(err
);
1619 static int xfrm_get_policy(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
1620 struct nlattr
**attrs
)
1622 struct net
*net
= sock_net(skb
->sk
);
1623 struct xfrm_policy
*xp
;
1624 struct xfrm_userpolicy_id
*p
;
1625 u8 type
= XFRM_POLICY_TYPE_MAIN
;
1630 u32 mark
= xfrm_mark_get(attrs
, &m
);
1632 p
= nlmsg_data(nlh
);
1633 delete = nlh
->nlmsg_type
== XFRM_MSG_DELPOLICY
;
1635 err
= copy_from_user_policy_type(&type
, attrs
);
1639 err
= verify_policy_dir(p
->dir
);
1644 xp
= xfrm_policy_byid(net
, mark
, type
, p
->dir
, p
->index
, delete, &err
);
1646 struct nlattr
*rt
= attrs
[XFRMA_SEC_CTX
];
1647 struct xfrm_sec_ctx
*ctx
;
1649 err
= verify_sec_ctx_len(attrs
);
1655 struct xfrm_user_sec_ctx
*uctx
= nla_data(rt
);
1657 err
= security_xfrm_policy_alloc(&ctx
, uctx
);
1661 xp
= xfrm_policy_bysel_ctx(net
, mark
, type
, p
->dir
, &p
->sel
,
1663 security_xfrm_policy_free(ctx
);
1669 struct sk_buff
*resp_skb
;
1671 resp_skb
= xfrm_policy_netlink(skb
, xp
, p
->dir
, nlh
->nlmsg_seq
);
1672 if (IS_ERR(resp_skb
)) {
1673 err
= PTR_ERR(resp_skb
);
1675 err
= nlmsg_unicast(net
->xfrm
.nlsk
, resp_skb
,
1676 NETLINK_CB(skb
).portid
);
1679 kuid_t loginuid
= audit_get_loginuid(current
);
1680 u32 sessionid
= audit_get_sessionid(current
);
1683 security_task_getsecid(current
, &sid
);
1684 xfrm_audit_policy_delete(xp
, err
? 0 : 1, loginuid
, sessionid
,
1690 c
.data
.byid
= p
->index
;
1691 c
.event
= nlh
->nlmsg_type
;
1692 c
.seq
= nlh
->nlmsg_seq
;
1693 c
.portid
= nlh
->nlmsg_pid
;
1694 km_policy_notify(xp
, p
->dir
, &c
);
1699 if (delete && err
== 0)
1700 xfrm_garbage_collect(net
);
1704 static int xfrm_flush_sa(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
1705 struct nlattr
**attrs
)
1707 struct net
*net
= sock_net(skb
->sk
);
1709 struct xfrm_usersa_flush
*p
= nlmsg_data(nlh
);
1710 struct xfrm_audit audit_info
;
1713 audit_info
.loginuid
= audit_get_loginuid(current
);
1714 audit_info
.sessionid
= audit_get_sessionid(current
);
1715 security_task_getsecid(current
, &audit_info
.secid
);
1716 err
= xfrm_state_flush(net
, p
->proto
, &audit_info
);
1718 if (err
== -ESRCH
) /* empty table */
1722 c
.data
.proto
= p
->proto
;
1723 c
.event
= nlh
->nlmsg_type
;
1724 c
.seq
= nlh
->nlmsg_seq
;
1725 c
.portid
= nlh
->nlmsg_pid
;
1727 km_state_notify(NULL
, &c
);
1732 static inline size_t xfrm_aevent_msgsize(struct xfrm_state
*x
)
1734 size_t replay_size
= x
->replay_esn
?
1735 xfrm_replay_state_esn_len(x
->replay_esn
) :
1736 sizeof(struct xfrm_replay_state
);
1738 return NLMSG_ALIGN(sizeof(struct xfrm_aevent_id
))
1739 + nla_total_size(replay_size
)
1740 + nla_total_size(sizeof(struct xfrm_lifetime_cur
))
1741 + nla_total_size(sizeof(struct xfrm_mark
))
1742 + nla_total_size(4) /* XFRM_AE_RTHR */
1743 + nla_total_size(4); /* XFRM_AE_ETHR */
1746 static int build_aevent(struct sk_buff
*skb
, struct xfrm_state
*x
, const struct km_event
*c
)
1748 struct xfrm_aevent_id
*id
;
1749 struct nlmsghdr
*nlh
;
1752 nlh
= nlmsg_put(skb
, c
->portid
, c
->seq
, XFRM_MSG_NEWAE
, sizeof(*id
), 0);
1756 id
= nlmsg_data(nlh
);
1757 memcpy(&id
->sa_id
.daddr
, &x
->id
.daddr
,sizeof(x
->id
.daddr
));
1758 id
->sa_id
.spi
= x
->id
.spi
;
1759 id
->sa_id
.family
= x
->props
.family
;
1760 id
->sa_id
.proto
= x
->id
.proto
;
1761 memcpy(&id
->saddr
, &x
->props
.saddr
,sizeof(x
->props
.saddr
));
1762 id
->reqid
= x
->props
.reqid
;
1763 id
->flags
= c
->data
.aevent
;
1765 if (x
->replay_esn
) {
1766 err
= nla_put(skb
, XFRMA_REPLAY_ESN_VAL
,
1767 xfrm_replay_state_esn_len(x
->replay_esn
),
1770 err
= nla_put(skb
, XFRMA_REPLAY_VAL
, sizeof(x
->replay
),
1775 err
= nla_put(skb
, XFRMA_LTIME_VAL
, sizeof(x
->curlft
), &x
->curlft
);
1779 if (id
->flags
& XFRM_AE_RTHR
) {
1780 err
= nla_put_u32(skb
, XFRMA_REPLAY_THRESH
, x
->replay_maxdiff
);
1784 if (id
->flags
& XFRM_AE_ETHR
) {
1785 err
= nla_put_u32(skb
, XFRMA_ETIMER_THRESH
,
1786 x
->replay_maxage
* 10 / HZ
);
1790 err
= xfrm_mark_put(skb
, &x
->mark
);
1794 return nlmsg_end(skb
, nlh
);
1797 nlmsg_cancel(skb
, nlh
);
1801 static int xfrm_get_ae(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
1802 struct nlattr
**attrs
)
1804 struct net
*net
= sock_net(skb
->sk
);
1805 struct xfrm_state
*x
;
1806 struct sk_buff
*r_skb
;
1811 struct xfrm_aevent_id
*p
= nlmsg_data(nlh
);
1812 struct xfrm_usersa_id
*id
= &p
->sa_id
;
1814 mark
= xfrm_mark_get(attrs
, &m
);
1816 x
= xfrm_state_lookup(net
, mark
, &id
->daddr
, id
->spi
, id
->proto
, id
->family
);
1820 r_skb
= nlmsg_new(xfrm_aevent_msgsize(x
), GFP_ATOMIC
);
1821 if (r_skb
== NULL
) {
1827 * XXX: is this lock really needed - none of the other
1828 * gets lock (the concern is things getting updated
1829 * while we are still reading) - jhs
1831 spin_lock_bh(&x
->lock
);
1832 c
.data
.aevent
= p
->flags
;
1833 c
.seq
= nlh
->nlmsg_seq
;
1834 c
.portid
= nlh
->nlmsg_pid
;
1836 if (build_aevent(r_skb
, x
, &c
) < 0)
1838 err
= nlmsg_unicast(net
->xfrm
.nlsk
, r_skb
, NETLINK_CB(skb
).portid
);
1839 spin_unlock_bh(&x
->lock
);
1844 static int xfrm_new_ae(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
1845 struct nlattr
**attrs
)
1847 struct net
*net
= sock_net(skb
->sk
);
1848 struct xfrm_state
*x
;
1853 struct xfrm_aevent_id
*p
= nlmsg_data(nlh
);
1854 struct nlattr
*rp
= attrs
[XFRMA_REPLAY_VAL
];
1855 struct nlattr
*re
= attrs
[XFRMA_REPLAY_ESN_VAL
];
1856 struct nlattr
*lt
= attrs
[XFRMA_LTIME_VAL
];
1858 if (!lt
&& !rp
&& !re
)
1861 /* pedantic mode - thou shalt sayeth replaceth */
1862 if (!(nlh
->nlmsg_flags
&NLM_F_REPLACE
))
1865 mark
= xfrm_mark_get(attrs
, &m
);
1867 x
= xfrm_state_lookup(net
, mark
, &p
->sa_id
.daddr
, p
->sa_id
.spi
, p
->sa_id
.proto
, p
->sa_id
.family
);
1871 if (x
->km
.state
!= XFRM_STATE_VALID
)
1874 err
= xfrm_replay_verify_len(x
->replay_esn
, re
);
1878 spin_lock_bh(&x
->lock
);
1879 xfrm_update_ae_params(x
, attrs
, 1);
1880 spin_unlock_bh(&x
->lock
);
1882 c
.event
= nlh
->nlmsg_type
;
1883 c
.seq
= nlh
->nlmsg_seq
;
1884 c
.portid
= nlh
->nlmsg_pid
;
1885 c
.data
.aevent
= XFRM_AE_CU
;
1886 km_state_notify(x
, &c
);
1893 static int xfrm_flush_policy(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
1894 struct nlattr
**attrs
)
1896 struct net
*net
= sock_net(skb
->sk
);
1898 u8 type
= XFRM_POLICY_TYPE_MAIN
;
1900 struct xfrm_audit audit_info
;
1902 err
= copy_from_user_policy_type(&type
, attrs
);
1906 audit_info
.loginuid
= audit_get_loginuid(current
);
1907 audit_info
.sessionid
= audit_get_sessionid(current
);
1908 security_task_getsecid(current
, &audit_info
.secid
);
1909 err
= xfrm_policy_flush(net
, type
, &audit_info
);
1911 if (err
== -ESRCH
) /* empty table */
1917 c
.event
= nlh
->nlmsg_type
;
1918 c
.seq
= nlh
->nlmsg_seq
;
1919 c
.portid
= nlh
->nlmsg_pid
;
1921 km_policy_notify(NULL
, 0, &c
);
1925 static int xfrm_add_pol_expire(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
1926 struct nlattr
**attrs
)
1928 struct net
*net
= sock_net(skb
->sk
);
1929 struct xfrm_policy
*xp
;
1930 struct xfrm_user_polexpire
*up
= nlmsg_data(nlh
);
1931 struct xfrm_userpolicy_info
*p
= &up
->pol
;
1932 u8 type
= XFRM_POLICY_TYPE_MAIN
;
1935 u32 mark
= xfrm_mark_get(attrs
, &m
);
1937 err
= copy_from_user_policy_type(&type
, attrs
);
1941 err
= verify_policy_dir(p
->dir
);
1946 xp
= xfrm_policy_byid(net
, mark
, type
, p
->dir
, p
->index
, 0, &err
);
1948 struct nlattr
*rt
= attrs
[XFRMA_SEC_CTX
];
1949 struct xfrm_sec_ctx
*ctx
;
1951 err
= verify_sec_ctx_len(attrs
);
1957 struct xfrm_user_sec_ctx
*uctx
= nla_data(rt
);
1959 err
= security_xfrm_policy_alloc(&ctx
, uctx
);
1963 xp
= xfrm_policy_bysel_ctx(net
, mark
, type
, p
->dir
,
1964 &p
->sel
, ctx
, 0, &err
);
1965 security_xfrm_policy_free(ctx
);
1970 if (unlikely(xp
->walk
.dead
))
1975 kuid_t loginuid
= audit_get_loginuid(current
);
1976 u32 sessionid
= audit_get_sessionid(current
);
1979 security_task_getsecid(current
, &sid
);
1980 xfrm_policy_delete(xp
, p
->dir
);
1981 xfrm_audit_policy_delete(xp
, 1, loginuid
, sessionid
, sid
);
1984 // reset the timers here?
1985 WARN(1, "Dont know what to do with soft policy expire\n");
1987 km_policy_expired(xp
, p
->dir
, up
->hard
, nlh
->nlmsg_pid
);
1994 static int xfrm_add_sa_expire(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
1995 struct nlattr
**attrs
)
1997 struct net
*net
= sock_net(skb
->sk
);
1998 struct xfrm_state
*x
;
2000 struct xfrm_user_expire
*ue
= nlmsg_data(nlh
);
2001 struct xfrm_usersa_info
*p
= &ue
->state
;
2003 u32 mark
= xfrm_mark_get(attrs
, &m
);
2005 x
= xfrm_state_lookup(net
, mark
, &p
->id
.daddr
, p
->id
.spi
, p
->id
.proto
, p
->family
);
2011 spin_lock_bh(&x
->lock
);
2013 if (x
->km
.state
!= XFRM_STATE_VALID
)
2015 km_state_expired(x
, ue
->hard
, nlh
->nlmsg_pid
);
2018 kuid_t loginuid
= audit_get_loginuid(current
);
2019 u32 sessionid
= audit_get_sessionid(current
);
2022 security_task_getsecid(current
, &sid
);
2023 __xfrm_state_delete(x
);
2024 xfrm_audit_state_delete(x
, 1, loginuid
, sessionid
, sid
);
2028 spin_unlock_bh(&x
->lock
);
2033 static int xfrm_add_acquire(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
2034 struct nlattr
**attrs
)
2036 struct net
*net
= sock_net(skb
->sk
);
2037 struct xfrm_policy
*xp
;
2038 struct xfrm_user_tmpl
*ut
;
2040 struct nlattr
*rt
= attrs
[XFRMA_TMPL
];
2041 struct xfrm_mark mark
;
2043 struct xfrm_user_acquire
*ua
= nlmsg_data(nlh
);
2044 struct xfrm_state
*x
= xfrm_state_alloc(net
);
2050 xfrm_mark_get(attrs
, &mark
);
2052 err
= verify_newpolicy_info(&ua
->policy
);
2057 xp
= xfrm_policy_construct(net
, &ua
->policy
, attrs
, &err
);
2061 memcpy(&x
->id
, &ua
->id
, sizeof(ua
->id
));
2062 memcpy(&x
->props
.saddr
, &ua
->saddr
, sizeof(ua
->saddr
));
2063 memcpy(&x
->sel
, &ua
->sel
, sizeof(ua
->sel
));
2064 xp
->mark
.m
= x
->mark
.m
= mark
.m
;
2065 xp
->mark
.v
= x
->mark
.v
= mark
.v
;
2067 /* extract the templates and for each call km_key */
2068 for (i
= 0; i
< xp
->xfrm_nr
; i
++, ut
++) {
2069 struct xfrm_tmpl
*t
= &xp
->xfrm_vec
[i
];
2070 memcpy(&x
->id
, &t
->id
, sizeof(x
->id
));
2071 x
->props
.mode
= t
->mode
;
2072 x
->props
.reqid
= t
->reqid
;
2073 x
->props
.family
= ut
->family
;
2074 t
->aalgos
= ua
->aalgos
;
2075 t
->ealgos
= ua
->ealgos
;
2076 t
->calgos
= ua
->calgos
;
2077 err
= km_query(x
, t
, xp
);
2087 WARN(1, "BAD policy passed\n");
2094 #ifdef CONFIG_XFRM_MIGRATE
2095 static int copy_from_user_migrate(struct xfrm_migrate
*ma
,
2096 struct xfrm_kmaddress
*k
,
2097 struct nlattr
**attrs
, int *num
)
2099 struct nlattr
*rt
= attrs
[XFRMA_MIGRATE
];
2100 struct xfrm_user_migrate
*um
;
2104 struct xfrm_user_kmaddress
*uk
;
2106 uk
= nla_data(attrs
[XFRMA_KMADDRESS
]);
2107 memcpy(&k
->local
, &uk
->local
, sizeof(k
->local
));
2108 memcpy(&k
->remote
, &uk
->remote
, sizeof(k
->remote
));
2109 k
->family
= uk
->family
;
2110 k
->reserved
= uk
->reserved
;
2114 num_migrate
= nla_len(rt
) / sizeof(*um
);
2116 if (num_migrate
<= 0 || num_migrate
> XFRM_MAX_DEPTH
)
2119 for (i
= 0; i
< num_migrate
; i
++, um
++, ma
++) {
2120 memcpy(&ma
->old_daddr
, &um
->old_daddr
, sizeof(ma
->old_daddr
));
2121 memcpy(&ma
->old_saddr
, &um
->old_saddr
, sizeof(ma
->old_saddr
));
2122 memcpy(&ma
->new_daddr
, &um
->new_daddr
, sizeof(ma
->new_daddr
));
2123 memcpy(&ma
->new_saddr
, &um
->new_saddr
, sizeof(ma
->new_saddr
));
2125 ma
->proto
= um
->proto
;
2126 ma
->mode
= um
->mode
;
2127 ma
->reqid
= um
->reqid
;
2129 ma
->old_family
= um
->old_family
;
2130 ma
->new_family
= um
->new_family
;
2137 static int xfrm_do_migrate(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
2138 struct nlattr
**attrs
)
2140 struct xfrm_userpolicy_id
*pi
= nlmsg_data(nlh
);
2141 struct xfrm_migrate m
[XFRM_MAX_DEPTH
];
2142 struct xfrm_kmaddress km
, *kmp
;
2147 if (attrs
[XFRMA_MIGRATE
] == NULL
)
2150 kmp
= attrs
[XFRMA_KMADDRESS
] ? &km
: NULL
;
2152 err
= copy_from_user_policy_type(&type
, attrs
);
2156 err
= copy_from_user_migrate((struct xfrm_migrate
*)m
, kmp
, attrs
, &n
);
2163 xfrm_migrate(&pi
->sel
, pi
->dir
, type
, m
, n
, kmp
);
2168 static int xfrm_do_migrate(struct sk_buff
*skb
, struct nlmsghdr
*nlh
,
2169 struct nlattr
**attrs
)
2171 return -ENOPROTOOPT
;
2175 #ifdef CONFIG_XFRM_MIGRATE
2176 static int copy_to_user_migrate(const struct xfrm_migrate
*m
, struct sk_buff
*skb
)
2178 struct xfrm_user_migrate um
;
2180 memset(&um
, 0, sizeof(um
));
2181 um
.proto
= m
->proto
;
2183 um
.reqid
= m
->reqid
;
2184 um
.old_family
= m
->old_family
;
2185 memcpy(&um
.old_daddr
, &m
->old_daddr
, sizeof(um
.old_daddr
));
2186 memcpy(&um
.old_saddr
, &m
->old_saddr
, sizeof(um
.old_saddr
));
2187 um
.new_family
= m
->new_family
;
2188 memcpy(&um
.new_daddr
, &m
->new_daddr
, sizeof(um
.new_daddr
));
2189 memcpy(&um
.new_saddr
, &m
->new_saddr
, sizeof(um
.new_saddr
));
2191 return nla_put(skb
, XFRMA_MIGRATE
, sizeof(um
), &um
);
2194 static int copy_to_user_kmaddress(const struct xfrm_kmaddress
*k
, struct sk_buff
*skb
)
2196 struct xfrm_user_kmaddress uk
;
2198 memset(&uk
, 0, sizeof(uk
));
2199 uk
.family
= k
->family
;
2200 uk
.reserved
= k
->reserved
;
2201 memcpy(&uk
.local
, &k
->local
, sizeof(uk
.local
));
2202 memcpy(&uk
.remote
, &k
->remote
, sizeof(uk
.remote
));
2204 return nla_put(skb
, XFRMA_KMADDRESS
, sizeof(uk
), &uk
);
2207 static inline size_t xfrm_migrate_msgsize(int num_migrate
, int with_kma
)
2209 return NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_id
))
2210 + (with_kma
? nla_total_size(sizeof(struct xfrm_kmaddress
)) : 0)
2211 + nla_total_size(sizeof(struct xfrm_user_migrate
) * num_migrate
)
2212 + userpolicy_type_attrsize();
2215 static int build_migrate(struct sk_buff
*skb
, const struct xfrm_migrate
*m
,
2216 int num_migrate
, const struct xfrm_kmaddress
*k
,
2217 const struct xfrm_selector
*sel
, u8 dir
, u8 type
)
2219 const struct xfrm_migrate
*mp
;
2220 struct xfrm_userpolicy_id
*pol_id
;
2221 struct nlmsghdr
*nlh
;
2224 nlh
= nlmsg_put(skb
, 0, 0, XFRM_MSG_MIGRATE
, sizeof(*pol_id
), 0);
2228 pol_id
= nlmsg_data(nlh
);
2229 /* copy data from selector, dir, and type to the pol_id */
2230 memset(pol_id
, 0, sizeof(*pol_id
));
2231 memcpy(&pol_id
->sel
, sel
, sizeof(pol_id
->sel
));
2235 err
= copy_to_user_kmaddress(k
, skb
);
2239 err
= copy_to_user_policy_type(type
, skb
);
2242 for (i
= 0, mp
= m
; i
< num_migrate
; i
++, mp
++) {
2243 err
= copy_to_user_migrate(mp
, skb
);
2248 return nlmsg_end(skb
, nlh
);
2251 nlmsg_cancel(skb
, nlh
);
2255 static int xfrm_send_migrate(const struct xfrm_selector
*sel
, u8 dir
, u8 type
,
2256 const struct xfrm_migrate
*m
, int num_migrate
,
2257 const struct xfrm_kmaddress
*k
)
2259 struct net
*net
= &init_net
;
2260 struct sk_buff
*skb
;
2262 skb
= nlmsg_new(xfrm_migrate_msgsize(num_migrate
, !!k
), GFP_ATOMIC
);
2267 if (build_migrate(skb
, m
, num_migrate
, k
, sel
, dir
, type
) < 0)
2270 return xfrm_nlmsg_multicast(net
, skb
, 0, XFRMNLGRP_MIGRATE
);
2273 static int xfrm_send_migrate(const struct xfrm_selector
*sel
, u8 dir
, u8 type
,
2274 const struct xfrm_migrate
*m
, int num_migrate
,
2275 const struct xfrm_kmaddress
*k
)
2277 return -ENOPROTOOPT
;
2281 #define XMSGSIZE(type) sizeof(struct type)
2283 static const int xfrm_msg_min
[XFRM_NR_MSGTYPES
] = {
2284 [XFRM_MSG_NEWSA
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_usersa_info
),
2285 [XFRM_MSG_DELSA
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_usersa_id
),
2286 [XFRM_MSG_GETSA
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_usersa_id
),
2287 [XFRM_MSG_NEWPOLICY
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_userpolicy_info
),
2288 [XFRM_MSG_DELPOLICY
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_userpolicy_id
),
2289 [XFRM_MSG_GETPOLICY
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_userpolicy_id
),
2290 [XFRM_MSG_ALLOCSPI
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_userspi_info
),
2291 [XFRM_MSG_ACQUIRE
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_user_acquire
),
2292 [XFRM_MSG_EXPIRE
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_user_expire
),
2293 [XFRM_MSG_UPDPOLICY
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_userpolicy_info
),
2294 [XFRM_MSG_UPDSA
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_usersa_info
),
2295 [XFRM_MSG_POLEXPIRE
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_user_polexpire
),
2296 [XFRM_MSG_FLUSHSA
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_usersa_flush
),
2297 [XFRM_MSG_FLUSHPOLICY
- XFRM_MSG_BASE
] = 0,
2298 [XFRM_MSG_NEWAE
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_aevent_id
),
2299 [XFRM_MSG_GETAE
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_aevent_id
),
2300 [XFRM_MSG_REPORT
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_user_report
),
2301 [XFRM_MSG_MIGRATE
- XFRM_MSG_BASE
] = XMSGSIZE(xfrm_userpolicy_id
),
2302 [XFRM_MSG_GETSADINFO
- XFRM_MSG_BASE
] = sizeof(u32
),
2303 [XFRM_MSG_GETSPDINFO
- XFRM_MSG_BASE
] = sizeof(u32
),
2308 static const struct nla_policy xfrma_policy
[XFRMA_MAX
+1] = {
2309 [XFRMA_SA
] = { .len
= sizeof(struct xfrm_usersa_info
)},
2310 [XFRMA_POLICY
] = { .len
= sizeof(struct xfrm_userpolicy_info
)},
2311 [XFRMA_LASTUSED
] = { .type
= NLA_U64
},
2312 [XFRMA_ALG_AUTH_TRUNC
] = { .len
= sizeof(struct xfrm_algo_auth
)},
2313 [XFRMA_ALG_AEAD
] = { .len
= sizeof(struct xfrm_algo_aead
) },
2314 [XFRMA_ALG_AUTH
] = { .len
= sizeof(struct xfrm_algo
) },
2315 [XFRMA_ALG_CRYPT
] = { .len
= sizeof(struct xfrm_algo
) },
2316 [XFRMA_ALG_COMP
] = { .len
= sizeof(struct xfrm_algo
) },
2317 [XFRMA_ENCAP
] = { .len
= sizeof(struct xfrm_encap_tmpl
) },
2318 [XFRMA_TMPL
] = { .len
= sizeof(struct xfrm_user_tmpl
) },
2319 [XFRMA_SEC_CTX
] = { .len
= sizeof(struct xfrm_sec_ctx
) },
2320 [XFRMA_LTIME_VAL
] = { .len
= sizeof(struct xfrm_lifetime_cur
) },
2321 [XFRMA_REPLAY_VAL
] = { .len
= sizeof(struct xfrm_replay_state
) },
2322 [XFRMA_REPLAY_THRESH
] = { .type
= NLA_U32
},
2323 [XFRMA_ETIMER_THRESH
] = { .type
= NLA_U32
},
2324 [XFRMA_SRCADDR
] = { .len
= sizeof(xfrm_address_t
) },
2325 [XFRMA_COADDR
] = { .len
= sizeof(xfrm_address_t
) },
2326 [XFRMA_POLICY_TYPE
] = { .len
= sizeof(struct xfrm_userpolicy_type
)},
2327 [XFRMA_MIGRATE
] = { .len
= sizeof(struct xfrm_user_migrate
) },
2328 [XFRMA_KMADDRESS
] = { .len
= sizeof(struct xfrm_user_kmaddress
) },
2329 [XFRMA_MARK
] = { .len
= sizeof(struct xfrm_mark
) },
2330 [XFRMA_TFCPAD
] = { .type
= NLA_U32
},
2331 [XFRMA_REPLAY_ESN_VAL
] = { .len
= sizeof(struct xfrm_replay_state_esn
) },
2332 [XFRMA_SA_EXTRA_FLAGS
] = { .type
= NLA_U32
},
2335 static const struct xfrm_link
{
2336 int (*doit
)(struct sk_buff
*, struct nlmsghdr
*, struct nlattr
**);
2337 int (*dump
)(struct sk_buff
*, struct netlink_callback
*);
2338 int (*done
)(struct netlink_callback
*);
2339 } xfrm_dispatch
[XFRM_NR_MSGTYPES
] = {
2340 [XFRM_MSG_NEWSA
- XFRM_MSG_BASE
] = { .doit
= xfrm_add_sa
},
2341 [XFRM_MSG_DELSA
- XFRM_MSG_BASE
] = { .doit
= xfrm_del_sa
},
2342 [XFRM_MSG_GETSA
- XFRM_MSG_BASE
] = { .doit
= xfrm_get_sa
,
2343 .dump
= xfrm_dump_sa
,
2344 .done
= xfrm_dump_sa_done
},
2345 [XFRM_MSG_NEWPOLICY
- XFRM_MSG_BASE
] = { .doit
= xfrm_add_policy
},
2346 [XFRM_MSG_DELPOLICY
- XFRM_MSG_BASE
] = { .doit
= xfrm_get_policy
},
2347 [XFRM_MSG_GETPOLICY
- XFRM_MSG_BASE
] = { .doit
= xfrm_get_policy
,
2348 .dump
= xfrm_dump_policy
,
2349 .done
= xfrm_dump_policy_done
},
2350 [XFRM_MSG_ALLOCSPI
- XFRM_MSG_BASE
] = { .doit
= xfrm_alloc_userspi
},
2351 [XFRM_MSG_ACQUIRE
- XFRM_MSG_BASE
] = { .doit
= xfrm_add_acquire
},
2352 [XFRM_MSG_EXPIRE
- XFRM_MSG_BASE
] = { .doit
= xfrm_add_sa_expire
},
2353 [XFRM_MSG_UPDPOLICY
- XFRM_MSG_BASE
] = { .doit
= xfrm_add_policy
},
2354 [XFRM_MSG_UPDSA
- XFRM_MSG_BASE
] = { .doit
= xfrm_add_sa
},
2355 [XFRM_MSG_POLEXPIRE
- XFRM_MSG_BASE
] = { .doit
= xfrm_add_pol_expire
},
2356 [XFRM_MSG_FLUSHSA
- XFRM_MSG_BASE
] = { .doit
= xfrm_flush_sa
},
2357 [XFRM_MSG_FLUSHPOLICY
- XFRM_MSG_BASE
] = { .doit
= xfrm_flush_policy
},
2358 [XFRM_MSG_NEWAE
- XFRM_MSG_BASE
] = { .doit
= xfrm_new_ae
},
2359 [XFRM_MSG_GETAE
- XFRM_MSG_BASE
] = { .doit
= xfrm_get_ae
},
2360 [XFRM_MSG_MIGRATE
- XFRM_MSG_BASE
] = { .doit
= xfrm_do_migrate
},
2361 [XFRM_MSG_GETSADINFO
- XFRM_MSG_BASE
] = { .doit
= xfrm_get_sadinfo
},
2362 [XFRM_MSG_GETSPDINFO
- XFRM_MSG_BASE
] = { .doit
= xfrm_get_spdinfo
},
2365 static int xfrm_user_rcv_msg(struct sk_buff
*skb
, struct nlmsghdr
*nlh
)
2367 struct net
*net
= sock_net(skb
->sk
);
2368 struct nlattr
*attrs
[XFRMA_MAX
+1];
2369 const struct xfrm_link
*link
;
2372 type
= nlh
->nlmsg_type
;
2373 if (type
> XFRM_MSG_MAX
)
2376 type
-= XFRM_MSG_BASE
;
2377 link
= &xfrm_dispatch
[type
];
2379 /* All operations require privileges, even GET */
2380 if (!netlink_net_capable(skb
, CAP_NET_ADMIN
))
2383 if ((type
== (XFRM_MSG_GETSA
- XFRM_MSG_BASE
) ||
2384 type
== (XFRM_MSG_GETPOLICY
- XFRM_MSG_BASE
)) &&
2385 (nlh
->nlmsg_flags
& NLM_F_DUMP
)) {
2386 if (link
->dump
== NULL
)
2390 struct netlink_dump_control c
= {
2394 return netlink_dump_start(net
->xfrm
.nlsk
, skb
, nlh
, &c
);
2398 err
= nlmsg_parse(nlh
, xfrm_msg_min
[type
], attrs
, XFRMA_MAX
,
2403 if (link
->doit
== NULL
)
2406 return link
->doit(skb
, nlh
, attrs
);
2409 static void xfrm_netlink_rcv(struct sk_buff
*skb
)
2411 mutex_lock(&xfrm_cfg_mutex
);
2412 netlink_rcv_skb(skb
, &xfrm_user_rcv_msg
);
2413 mutex_unlock(&xfrm_cfg_mutex
);
2416 static inline size_t xfrm_expire_msgsize(void)
2418 return NLMSG_ALIGN(sizeof(struct xfrm_user_expire
))
2419 + nla_total_size(sizeof(struct xfrm_mark
));
2422 static int build_expire(struct sk_buff
*skb
, struct xfrm_state
*x
, const struct km_event
*c
)
2424 struct xfrm_user_expire
*ue
;
2425 struct nlmsghdr
*nlh
;
2428 nlh
= nlmsg_put(skb
, c
->portid
, 0, XFRM_MSG_EXPIRE
, sizeof(*ue
), 0);
2432 ue
= nlmsg_data(nlh
);
2433 copy_to_user_state(x
, &ue
->state
);
2434 ue
->hard
= (c
->data
.hard
!= 0) ? 1 : 0;
2436 err
= xfrm_mark_put(skb
, &x
->mark
);
2440 return nlmsg_end(skb
, nlh
);
2443 static int xfrm_exp_state_notify(struct xfrm_state
*x
, const struct km_event
*c
)
2445 struct net
*net
= xs_net(x
);
2446 struct sk_buff
*skb
;
2448 skb
= nlmsg_new(xfrm_expire_msgsize(), GFP_ATOMIC
);
2452 if (build_expire(skb
, x
, c
) < 0) {
2457 return xfrm_nlmsg_multicast(net
, skb
, 0, XFRMNLGRP_EXPIRE
);
2460 static int xfrm_aevent_state_notify(struct xfrm_state
*x
, const struct km_event
*c
)
2462 struct net
*net
= xs_net(x
);
2463 struct sk_buff
*skb
;
2465 skb
= nlmsg_new(xfrm_aevent_msgsize(x
), GFP_ATOMIC
);
2469 if (build_aevent(skb
, x
, c
) < 0)
2472 return xfrm_nlmsg_multicast(net
, skb
, 0, XFRMNLGRP_AEVENTS
);
2475 static int xfrm_notify_sa_flush(const struct km_event
*c
)
2477 struct net
*net
= c
->net
;
2478 struct xfrm_usersa_flush
*p
;
2479 struct nlmsghdr
*nlh
;
2480 struct sk_buff
*skb
;
2481 int len
= NLMSG_ALIGN(sizeof(struct xfrm_usersa_flush
));
2483 skb
= nlmsg_new(len
, GFP_ATOMIC
);
2487 nlh
= nlmsg_put(skb
, c
->portid
, c
->seq
, XFRM_MSG_FLUSHSA
, sizeof(*p
), 0);
2493 p
= nlmsg_data(nlh
);
2494 p
->proto
= c
->data
.proto
;
2496 nlmsg_end(skb
, nlh
);
2498 return xfrm_nlmsg_multicast(net
, skb
, 0, XFRMNLGRP_SA
);
2501 static inline size_t xfrm_sa_len(struct xfrm_state
*x
)
2505 l
+= nla_total_size(aead_len(x
->aead
));
2507 l
+= nla_total_size(sizeof(struct xfrm_algo
) +
2508 (x
->aalg
->alg_key_len
+ 7) / 8);
2509 l
+= nla_total_size(xfrm_alg_auth_len(x
->aalg
));
2512 l
+= nla_total_size(xfrm_alg_len(x
->ealg
));
2514 l
+= nla_total_size(sizeof(*x
->calg
));
2516 l
+= nla_total_size(sizeof(*x
->encap
));
2518 l
+= nla_total_size(sizeof(x
->tfcpad
));
2520 l
+= nla_total_size(xfrm_replay_state_esn_len(x
->replay_esn
));
2522 l
+= nla_total_size(sizeof(struct xfrm_user_sec_ctx
) +
2523 x
->security
->ctx_len
);
2525 l
+= nla_total_size(sizeof(*x
->coaddr
));
2526 if (x
->props
.extra_flags
)
2527 l
+= nla_total_size(sizeof(x
->props
.extra_flags
));
2529 /* Must count x->lastused as it may become non-zero behind our back. */
2530 l
+= nla_total_size(sizeof(u64
));
2535 static int xfrm_notify_sa(struct xfrm_state
*x
, const struct km_event
*c
)
2537 struct net
*net
= xs_net(x
);
2538 struct xfrm_usersa_info
*p
;
2539 struct xfrm_usersa_id
*id
;
2540 struct nlmsghdr
*nlh
;
2541 struct sk_buff
*skb
;
2542 int len
= xfrm_sa_len(x
);
2545 headlen
= sizeof(*p
);
2546 if (c
->event
== XFRM_MSG_DELSA
) {
2547 len
+= nla_total_size(headlen
);
2548 headlen
= sizeof(*id
);
2549 len
+= nla_total_size(sizeof(struct xfrm_mark
));
2551 len
+= NLMSG_ALIGN(headlen
);
2553 skb
= nlmsg_new(len
, GFP_ATOMIC
);
2557 nlh
= nlmsg_put(skb
, c
->portid
, c
->seq
, c
->event
, headlen
, 0);
2562 p
= nlmsg_data(nlh
);
2563 if (c
->event
== XFRM_MSG_DELSA
) {
2564 struct nlattr
*attr
;
2566 id
= nlmsg_data(nlh
);
2567 memcpy(&id
->daddr
, &x
->id
.daddr
, sizeof(id
->daddr
));
2568 id
->spi
= x
->id
.spi
;
2569 id
->family
= x
->props
.family
;
2570 id
->proto
= x
->id
.proto
;
2572 attr
= nla_reserve(skb
, XFRMA_SA
, sizeof(*p
));
2579 err
= copy_to_user_state_extra(x
, p
, skb
);
2583 nlmsg_end(skb
, nlh
);
2585 return xfrm_nlmsg_multicast(net
, skb
, 0, XFRMNLGRP_SA
);
2592 static int xfrm_send_state_notify(struct xfrm_state
*x
, const struct km_event
*c
)
2596 case XFRM_MSG_EXPIRE
:
2597 return xfrm_exp_state_notify(x
, c
);
2598 case XFRM_MSG_NEWAE
:
2599 return xfrm_aevent_state_notify(x
, c
);
2600 case XFRM_MSG_DELSA
:
2601 case XFRM_MSG_UPDSA
:
2602 case XFRM_MSG_NEWSA
:
2603 return xfrm_notify_sa(x
, c
);
2604 case XFRM_MSG_FLUSHSA
:
2605 return xfrm_notify_sa_flush(c
);
2607 printk(KERN_NOTICE
"xfrm_user: Unknown SA event %d\n",
2616 static inline size_t xfrm_acquire_msgsize(struct xfrm_state
*x
,
2617 struct xfrm_policy
*xp
)
2619 return NLMSG_ALIGN(sizeof(struct xfrm_user_acquire
))
2620 + nla_total_size(sizeof(struct xfrm_user_tmpl
) * xp
->xfrm_nr
)
2621 + nla_total_size(sizeof(struct xfrm_mark
))
2622 + nla_total_size(xfrm_user_sec_ctx_size(x
->security
))
2623 + userpolicy_type_attrsize();
2626 static int build_acquire(struct sk_buff
*skb
, struct xfrm_state
*x
,
2627 struct xfrm_tmpl
*xt
, struct xfrm_policy
*xp
)
2629 __u32 seq
= xfrm_get_acqseq();
2630 struct xfrm_user_acquire
*ua
;
2631 struct nlmsghdr
*nlh
;
2634 nlh
= nlmsg_put(skb
, 0, 0, XFRM_MSG_ACQUIRE
, sizeof(*ua
), 0);
2638 ua
= nlmsg_data(nlh
);
2639 memcpy(&ua
->id
, &x
->id
, sizeof(ua
->id
));
2640 memcpy(&ua
->saddr
, &x
->props
.saddr
, sizeof(ua
->saddr
));
2641 memcpy(&ua
->sel
, &x
->sel
, sizeof(ua
->sel
));
2642 copy_to_user_policy(xp
, &ua
->policy
, XFRM_POLICY_OUT
);
2643 ua
->aalgos
= xt
->aalgos
;
2644 ua
->ealgos
= xt
->ealgos
;
2645 ua
->calgos
= xt
->calgos
;
2646 ua
->seq
= x
->km
.seq
= seq
;
2648 err
= copy_to_user_tmpl(xp
, skb
);
2650 err
= copy_to_user_state_sec_ctx(x
, skb
);
2652 err
= copy_to_user_policy_type(xp
->type
, skb
);
2654 err
= xfrm_mark_put(skb
, &xp
->mark
);
2656 nlmsg_cancel(skb
, nlh
);
2660 return nlmsg_end(skb
, nlh
);
2663 static int xfrm_send_acquire(struct xfrm_state
*x
, struct xfrm_tmpl
*xt
,
2664 struct xfrm_policy
*xp
)
2666 struct net
*net
= xs_net(x
);
2667 struct sk_buff
*skb
;
2669 skb
= nlmsg_new(xfrm_acquire_msgsize(x
, xp
), GFP_ATOMIC
);
2673 if (build_acquire(skb
, x
, xt
, xp
) < 0)
2676 return xfrm_nlmsg_multicast(net
, skb
, 0, XFRMNLGRP_ACQUIRE
);
2679 /* User gives us xfrm_user_policy_info followed by an array of 0
2680 * or more templates.
2682 static struct xfrm_policy
*xfrm_compile_policy(struct sock
*sk
, int opt
,
2683 u8
*data
, int len
, int *dir
)
2685 struct net
*net
= sock_net(sk
);
2686 struct xfrm_userpolicy_info
*p
= (struct xfrm_userpolicy_info
*)data
;
2687 struct xfrm_user_tmpl
*ut
= (struct xfrm_user_tmpl
*) (p
+ 1);
2688 struct xfrm_policy
*xp
;
2691 switch (sk
->sk_family
) {
2693 if (opt
!= IP_XFRM_POLICY
) {
2698 #if IS_ENABLED(CONFIG_IPV6)
2700 if (opt
!= IPV6_XFRM_POLICY
) {
2713 if (len
< sizeof(*p
) ||
2714 verify_newpolicy_info(p
))
2717 nr
= ((len
- sizeof(*p
)) / sizeof(*ut
));
2718 if (validate_tmpl(nr
, ut
, p
->sel
.family
))
2721 if (p
->dir
> XFRM_POLICY_OUT
)
2724 xp
= xfrm_policy_alloc(net
, GFP_ATOMIC
);
2730 copy_from_user_policy(xp
, p
);
2731 xp
->type
= XFRM_POLICY_TYPE_MAIN
;
2732 copy_templates(xp
, ut
, nr
);
2739 static inline size_t xfrm_polexpire_msgsize(struct xfrm_policy
*xp
)
2741 return NLMSG_ALIGN(sizeof(struct xfrm_user_polexpire
))
2742 + nla_total_size(sizeof(struct xfrm_user_tmpl
) * xp
->xfrm_nr
)
2743 + nla_total_size(xfrm_user_sec_ctx_size(xp
->security
))
2744 + nla_total_size(sizeof(struct xfrm_mark
))
2745 + userpolicy_type_attrsize();
2748 static int build_polexpire(struct sk_buff
*skb
, struct xfrm_policy
*xp
,
2749 int dir
, const struct km_event
*c
)
2751 struct xfrm_user_polexpire
*upe
;
2752 int hard
= c
->data
.hard
;
2753 struct nlmsghdr
*nlh
;
2756 nlh
= nlmsg_put(skb
, c
->portid
, 0, XFRM_MSG_POLEXPIRE
, sizeof(*upe
), 0);
2760 upe
= nlmsg_data(nlh
);
2761 copy_to_user_policy(xp
, &upe
->pol
, dir
);
2762 err
= copy_to_user_tmpl(xp
, skb
);
2764 err
= copy_to_user_sec_ctx(xp
, skb
);
2766 err
= copy_to_user_policy_type(xp
->type
, skb
);
2768 err
= xfrm_mark_put(skb
, &xp
->mark
);
2770 nlmsg_cancel(skb
, nlh
);
2775 return nlmsg_end(skb
, nlh
);
2778 static int xfrm_exp_policy_notify(struct xfrm_policy
*xp
, int dir
, const struct km_event
*c
)
2780 struct net
*net
= xp_net(xp
);
2781 struct sk_buff
*skb
;
2783 skb
= nlmsg_new(xfrm_polexpire_msgsize(xp
), GFP_ATOMIC
);
2787 if (build_polexpire(skb
, xp
, dir
, c
) < 0)
2790 return xfrm_nlmsg_multicast(net
, skb
, 0, XFRMNLGRP_EXPIRE
);
2793 static int xfrm_notify_policy(struct xfrm_policy
*xp
, int dir
, const struct km_event
*c
)
2795 int len
= nla_total_size(sizeof(struct xfrm_user_tmpl
) * xp
->xfrm_nr
);
2796 struct net
*net
= xp_net(xp
);
2797 struct xfrm_userpolicy_info
*p
;
2798 struct xfrm_userpolicy_id
*id
;
2799 struct nlmsghdr
*nlh
;
2800 struct sk_buff
*skb
;
2803 headlen
= sizeof(*p
);
2804 if (c
->event
== XFRM_MSG_DELPOLICY
) {
2805 len
+= nla_total_size(headlen
);
2806 headlen
= sizeof(*id
);
2808 len
+= userpolicy_type_attrsize();
2809 len
+= nla_total_size(sizeof(struct xfrm_mark
));
2810 len
+= NLMSG_ALIGN(headlen
);
2812 skb
= nlmsg_new(len
, GFP_ATOMIC
);
2816 nlh
= nlmsg_put(skb
, c
->portid
, c
->seq
, c
->event
, headlen
, 0);
2821 p
= nlmsg_data(nlh
);
2822 if (c
->event
== XFRM_MSG_DELPOLICY
) {
2823 struct nlattr
*attr
;
2825 id
= nlmsg_data(nlh
);
2826 memset(id
, 0, sizeof(*id
));
2829 id
->index
= xp
->index
;
2831 memcpy(&id
->sel
, &xp
->selector
, sizeof(id
->sel
));
2833 attr
= nla_reserve(skb
, XFRMA_POLICY
, sizeof(*p
));
2841 copy_to_user_policy(xp
, p
, dir
);
2842 err
= copy_to_user_tmpl(xp
, skb
);
2844 err
= copy_to_user_policy_type(xp
->type
, skb
);
2846 err
= xfrm_mark_put(skb
, &xp
->mark
);
2850 nlmsg_end(skb
, nlh
);
2852 return xfrm_nlmsg_multicast(net
, skb
, 0, XFRMNLGRP_POLICY
);
2859 static int xfrm_notify_policy_flush(const struct km_event
*c
)
2861 struct net
*net
= c
->net
;
2862 struct nlmsghdr
*nlh
;
2863 struct sk_buff
*skb
;
2866 skb
= nlmsg_new(userpolicy_type_attrsize(), GFP_ATOMIC
);
2870 nlh
= nlmsg_put(skb
, c
->portid
, c
->seq
, XFRM_MSG_FLUSHPOLICY
, 0, 0);
2874 err
= copy_to_user_policy_type(c
->data
.type
, skb
);
2878 nlmsg_end(skb
, nlh
);
2880 return xfrm_nlmsg_multicast(net
, skb
, 0, XFRMNLGRP_POLICY
);
2887 static int xfrm_send_policy_notify(struct xfrm_policy
*xp
, int dir
, const struct km_event
*c
)
2891 case XFRM_MSG_NEWPOLICY
:
2892 case XFRM_MSG_UPDPOLICY
:
2893 case XFRM_MSG_DELPOLICY
:
2894 return xfrm_notify_policy(xp
, dir
, c
);
2895 case XFRM_MSG_FLUSHPOLICY
:
2896 return xfrm_notify_policy_flush(c
);
2897 case XFRM_MSG_POLEXPIRE
:
2898 return xfrm_exp_policy_notify(xp
, dir
, c
);
2900 printk(KERN_NOTICE
"xfrm_user: Unknown Policy event %d\n",
2908 static inline size_t xfrm_report_msgsize(void)
2910 return NLMSG_ALIGN(sizeof(struct xfrm_user_report
));
2913 static int build_report(struct sk_buff
*skb
, u8 proto
,
2914 struct xfrm_selector
*sel
, xfrm_address_t
*addr
)
2916 struct xfrm_user_report
*ur
;
2917 struct nlmsghdr
*nlh
;
2919 nlh
= nlmsg_put(skb
, 0, 0, XFRM_MSG_REPORT
, sizeof(*ur
), 0);
2923 ur
= nlmsg_data(nlh
);
2925 memcpy(&ur
->sel
, sel
, sizeof(ur
->sel
));
2928 int err
= nla_put(skb
, XFRMA_COADDR
, sizeof(*addr
), addr
);
2930 nlmsg_cancel(skb
, nlh
);
2934 return nlmsg_end(skb
, nlh
);
2937 static int xfrm_send_report(struct net
*net
, u8 proto
,
2938 struct xfrm_selector
*sel
, xfrm_address_t
*addr
)
2940 struct sk_buff
*skb
;
2942 skb
= nlmsg_new(xfrm_report_msgsize(), GFP_ATOMIC
);
2946 if (build_report(skb
, proto
, sel
, addr
) < 0)
2949 return xfrm_nlmsg_multicast(net
, skb
, 0, XFRMNLGRP_REPORT
);
2952 static inline size_t xfrm_mapping_msgsize(void)
2954 return NLMSG_ALIGN(sizeof(struct xfrm_user_mapping
));
2957 static int build_mapping(struct sk_buff
*skb
, struct xfrm_state
*x
,
2958 xfrm_address_t
*new_saddr
, __be16 new_sport
)
2960 struct xfrm_user_mapping
*um
;
2961 struct nlmsghdr
*nlh
;
2963 nlh
= nlmsg_put(skb
, 0, 0, XFRM_MSG_MAPPING
, sizeof(*um
), 0);
2967 um
= nlmsg_data(nlh
);
2969 memcpy(&um
->id
.daddr
, &x
->id
.daddr
, sizeof(um
->id
.daddr
));
2970 um
->id
.spi
= x
->id
.spi
;
2971 um
->id
.family
= x
->props
.family
;
2972 um
->id
.proto
= x
->id
.proto
;
2973 memcpy(&um
->new_saddr
, new_saddr
, sizeof(um
->new_saddr
));
2974 memcpy(&um
->old_saddr
, &x
->props
.saddr
, sizeof(um
->old_saddr
));
2975 um
->new_sport
= new_sport
;
2976 um
->old_sport
= x
->encap
->encap_sport
;
2977 um
->reqid
= x
->props
.reqid
;
2979 return nlmsg_end(skb
, nlh
);
2982 static int xfrm_send_mapping(struct xfrm_state
*x
, xfrm_address_t
*ipaddr
,
2985 struct net
*net
= xs_net(x
);
2986 struct sk_buff
*skb
;
2988 if (x
->id
.proto
!= IPPROTO_ESP
)
2994 skb
= nlmsg_new(xfrm_mapping_msgsize(), GFP_ATOMIC
);
2998 if (build_mapping(skb
, x
, ipaddr
, sport
) < 0)
3001 return xfrm_nlmsg_multicast(net
, skb
, 0, XFRMNLGRP_MAPPING
);
3004 static struct xfrm_mgr netlink_mgr
= {
3006 .notify
= xfrm_send_state_notify
,
3007 .acquire
= xfrm_send_acquire
,
3008 .compile_policy
= xfrm_compile_policy
,
3009 .notify_policy
= xfrm_send_policy_notify
,
3010 .report
= xfrm_send_report
,
3011 .migrate
= xfrm_send_migrate
,
3012 .new_mapping
= xfrm_send_mapping
,
3015 static int __net_init
xfrm_user_net_init(struct net
*net
)
3018 struct netlink_kernel_cfg cfg
= {
3019 .groups
= XFRMNLGRP_MAX
,
3020 .input
= xfrm_netlink_rcv
,
3023 nlsk
= netlink_kernel_create(net
, NETLINK_XFRM
, &cfg
);
3026 net
->xfrm
.nlsk_stash
= nlsk
; /* Don't set to NULL */
3027 rcu_assign_pointer(net
->xfrm
.nlsk
, nlsk
);
3031 static void __net_exit
xfrm_user_net_exit(struct list_head
*net_exit_list
)
3034 list_for_each_entry(net
, net_exit_list
, exit_list
)
3035 RCU_INIT_POINTER(net
->xfrm
.nlsk
, NULL
);
3037 list_for_each_entry(net
, net_exit_list
, exit_list
)
3038 netlink_kernel_release(net
->xfrm
.nlsk_stash
);
3041 static struct pernet_operations xfrm_user_net_ops
= {
3042 .init
= xfrm_user_net_init
,
3043 .exit_batch
= xfrm_user_net_exit
,
3046 static int __init
xfrm_user_init(void)
3050 printk(KERN_INFO
"Initializing XFRM netlink socket\n");
3052 rv
= register_pernet_subsys(&xfrm_user_net_ops
);
3055 rv
= xfrm_register_km(&netlink_mgr
);
3057 unregister_pernet_subsys(&xfrm_user_net_ops
);
3061 static void __exit
xfrm_user_exit(void)
3063 xfrm_unregister_km(&netlink_mgr
);
3064 unregister_pernet_subsys(&xfrm_user_net_ops
);
3067 module_init(xfrm_user_init
);
3068 module_exit(xfrm_user_exit
);
3069 MODULE_LICENSE("GPL");
3070 MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK
, NETLINK_XFRM
);