2019-05-19 12:08:55 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2007-02-09 14:25:29 +00:00
|
|
|
/*
|
2005-04-16 22:20:36 +00:00
|
|
|
* xfrm_policy.c
|
|
|
|
|
*
|
|
|
|
|
* Changes:
|
|
|
|
|
* Mitsuru KANDA @USAGI
|
|
|
|
|
* Kazunori MIYAZAWA @USAGI
|
|
|
|
|
* Kunihiro Ishiguro <kunihiro@ipinfusion.com>
|
|
|
|
|
* IPv6 support
|
|
|
|
|
* Kazunori MIYAZAWA @USAGI
|
|
|
|
|
* YOSHIFUJI Hideaki
|
|
|
|
|
* Split up af-specific portion
|
|
|
|
|
* Derek Atkins <derek@ihtfp.com> Add the post_input processor
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
*
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
|
|
|
|
|
2007-11-14 05:37:28 +00:00
|
|
|
#include <linux/err.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/slab.h>
|
|
|
|
|
#include <linux/kmod.h>
|
|
|
|
|
#include <linux/list.h>
|
|
|
|
|
#include <linux/spinlock.h>
|
|
|
|
|
#include <linux/workqueue.h>
|
|
|
|
|
#include <linux/notifier.h>
|
|
|
|
|
#include <linux/netdevice.h>
|
2006-01-07 07:06:30 +00:00
|
|
|
#include <linux/netfilter.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/module.h>
|
2006-08-24 11:45:07 +00:00
|
|
|
#include <linux/cache.h>
|
2017-07-17 11:57:27 +00:00
|
|
|
#include <linux/cpu.h>
|
2007-12-21 04:49:33 +00:00
|
|
|
#include <linux/audit.h>
|
2018-11-07 22:00:35 +00:00
|
|
|
#include <linux/rhashtable.h>
|
2019-04-16 14:44:39 +00:00
|
|
|
#include <linux/if_tunnel.h>
|
xfrm: introduce forwarding of ICMP Error messages
This commit aligns with RFC 4301, Section 6, and addresses the
requirement to forward unauthenticated ICMP error messages that do not
match any xfrm policies. It utilizes the ICMP payload as an skb and
performs a reverse lookup. If a policy match is found, forward
the packet.
The ICMP payload typically contains a partial IP packet that is likely
responsible for the error message.
The following error types will be forwarded:
- IPv4 ICMP error types: ICMP_DEST_UNREACH & ICMP_TIME_EXCEEDED
- IPv6 ICMPv6 error types: ICMPV6_DEST_UNREACH, ICMPV6_PKT_TOOBIG,
ICMPV6_TIME_EXCEED
To implement this feature, a reverse lookup has been added to the xfrm
forward path, making use of the ICMP payload as the skb.
To enable this functionality from user space, the XFRM_POLICY_ICMP flag
should be added to the outgoing and forward policies, and the
XFRM_STATE_ICMP flag should be set on incoming states.
e.g.
ip xfrm policy add flag icmp tmpl
ip xfrm policy
src 192.0.2.0/24 dst 192.0.1.0/25
dir out priority 2084302 ptype main flag icmp
ip xfrm state add ...flag icmp
ip xfrm state
root@west:~#ip x s
src 192.1.2.23 dst 192.1.2.45
proto esp spi 0xa7b76872 reqid 16389 mode tunnel
replay-window 32 flag icmp af-unspec
Changes since v5:
- fix return values bool->int, feedback from Steffen
Changes since v4:
- split the series to only ICMP erorr forwarding
Changes since v3: no code chage
- add missing white spaces detected by checkpatch.pl
Changes since v2: reviewed by Steffen Klassert
- user consume_skb instead of kfree_skb for the inner skb
- fixed newskb leaks in error paths
- free the newskb once inner flow is decoded with change due to
commit 7a0207094f1b ("xfrm: policy: replace session decode with flow dissector")
- if xfrm_decode_session_reverse() on inner payload fails ignore.
do not increment error counter
Changes since v1:
- Move IPv6 variable declaration inside IS_ENABLED(CONFIG_IPV6)
Changes since RFC:
- Fix calculation of ICMPv6 header length
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2024-01-19 11:27:42 +00:00
|
|
|
#include <linux/icmp.h>
|
2007-12-11 17:32:34 +00:00
|
|
|
#include <net/dst.h>
|
2012-02-16 20:08:39 +00:00
|
|
|
#include <net/flow.h>
|
2022-01-10 13:43:06 +00:00
|
|
|
#include <net/inet_ecn.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <net/xfrm.h>
|
|
|
|
|
#include <net/ip.h>
|
2021-11-19 17:20:16 +00:00
|
|
|
#include <net/gre.h>
|
2019-04-16 14:44:39 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6_MIP6)
|
|
|
|
|
#include <net/mip6.h>
|
|
|
|
|
#endif
|
2007-12-21 04:42:57 +00:00
|
|
|
#ifdef CONFIG_XFRM_STATISTICS
|
|
|
|
|
#include <net/snmp.h>
|
|
|
|
|
#endif
|
2020-07-16 08:09:03 +00:00
|
|
|
#ifdef CONFIG_XFRM_ESPINTCP
|
2019-11-25 13:49:02 +00:00
|
|
|
#include <net/espintcp.h>
|
|
|
|
|
#endif
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-08-24 11:50:50 +00:00
|
|
|
#include "xfrm_hash.h"
|
|
|
|
|
|
2013-02-05 11:52:55 +00:00
|
|
|
#define XFRM_QUEUE_TMO_MIN ((unsigned)(HZ/10))
|
|
|
|
|
#define XFRM_QUEUE_TMO_MAX ((unsigned)(60*HZ))
|
|
|
|
|
#define XFRM_MAX_QUEUE_LEN 100
|
|
|
|
|
|
2014-09-16 08:08:49 +00:00
|
|
|
struct xfrm_flo {
|
|
|
|
|
struct dst_entry *dst_orig;
|
|
|
|
|
u8 flags;
|
|
|
|
|
};
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
/* prefixes smaller than this are stored in lists, not trees. */
|
|
|
|
|
#define INEXACT_PREFIXLEN_IPV4 16
|
|
|
|
|
#define INEXACT_PREFIXLEN_IPV6 48
|
2018-11-07 22:00:38 +00:00
|
|
|
|
|
|
|
|
struct xfrm_pol_inexact_node {
|
|
|
|
|
struct rb_node node;
|
|
|
|
|
union {
|
|
|
|
|
xfrm_address_t addr;
|
|
|
|
|
struct rcu_head rcu;
|
|
|
|
|
};
|
|
|
|
|
u8 prefixlen;
|
|
|
|
|
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
struct rb_root root;
|
|
|
|
|
|
2018-11-07 22:00:38 +00:00
|
|
|
/* the policies matching this node, can be empty list */
|
|
|
|
|
struct hlist_head hhead;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* xfrm inexact policy search tree:
|
|
|
|
|
* xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
|
|
|
|
* |
|
|
|
|
|
* +---- root_d: sorted by daddr:prefix
|
|
|
|
|
* | |
|
|
|
|
|
* | xfrm_pol_inexact_node
|
|
|
|
|
* | |
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
* | +- root: sorted by saddr/prefix
|
|
|
|
|
* | | |
|
|
|
|
|
* | | xfrm_pol_inexact_node
|
|
|
|
|
* | | |
|
|
|
|
|
* | | + root: unused
|
|
|
|
|
* | | |
|
|
|
|
|
* | | + hhead: saddr:daddr policies
|
|
|
|
|
* | |
|
2018-11-07 22:00:38 +00:00
|
|
|
* | +- coarse policies and all any:daddr policies
|
|
|
|
|
* |
|
2018-11-07 22:00:40 +00:00
|
|
|
* +---- root_s: sorted by saddr:prefix
|
|
|
|
|
* | |
|
|
|
|
|
* | xfrm_pol_inexact_node
|
|
|
|
|
* | |
|
|
|
|
|
* | + root: unused
|
|
|
|
|
* | |
|
|
|
|
|
* | + hhead: saddr:any policies
|
|
|
|
|
* |
|
2018-11-07 22:00:38 +00:00
|
|
|
* +---- coarse policies and all any:any policies
|
|
|
|
|
*
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
* Lookups return four candidate lists:
|
2018-11-07 22:00:38 +00:00
|
|
|
* 1. any:any list from top-level xfrm_pol_inexact_bin
|
|
|
|
|
* 2. any:daddr list from daddr tree
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
* 3. saddr:daddr list from 2nd level daddr tree
|
|
|
|
|
* 4. saddr:any list from saddr tree
|
2018-11-07 22:00:38 +00:00
|
|
|
*
|
|
|
|
|
* This result set then needs to be searched for the policy with
|
|
|
|
|
* the lowest priority. If two results have same prio, youngest one wins.
|
|
|
|
|
*/
|
|
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
struct xfrm_pol_inexact_key {
|
|
|
|
|
possible_net_t net;
|
2018-11-07 22:00:36 +00:00
|
|
|
u32 if_id;
|
2018-11-07 22:00:35 +00:00
|
|
|
u16 family;
|
|
|
|
|
u8 dir, type;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct xfrm_pol_inexact_bin {
|
|
|
|
|
struct xfrm_pol_inexact_key k;
|
|
|
|
|
struct rhash_head head;
|
2018-11-07 22:00:37 +00:00
|
|
|
/* list containing '*:*' policies */
|
2018-11-07 22:00:35 +00:00
|
|
|
struct hlist_head hhead;
|
|
|
|
|
|
2020-07-20 15:55:22 +00:00
|
|
|
seqcount_spinlock_t count;
|
2018-11-07 22:00:38 +00:00
|
|
|
/* tree sorted by daddr/prefix */
|
|
|
|
|
struct rb_root root_d;
|
|
|
|
|
|
2018-11-07 22:00:40 +00:00
|
|
|
/* tree sorted by saddr/prefix */
|
|
|
|
|
struct rb_root root_s;
|
|
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
/* slow path below */
|
|
|
|
|
struct list_head inexact_bins;
|
|
|
|
|
struct rcu_head rcu;
|
|
|
|
|
};
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
enum xfrm_pol_inexact_candidate_type {
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
XFRM_POL_CAND_BOTH,
|
2018-11-07 22:00:40 +00:00
|
|
|
XFRM_POL_CAND_SADDR,
|
2018-11-07 22:00:38 +00:00
|
|
|
XFRM_POL_CAND_DADDR,
|
2018-11-07 22:00:37 +00:00
|
|
|
XFRM_POL_CAND_ANY,
|
|
|
|
|
|
|
|
|
|
XFRM_POL_CAND_MAX,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct xfrm_pol_inexact_candidates {
|
|
|
|
|
struct hlist_head *res[XFRM_POL_CAND_MAX];
|
|
|
|
|
};
|
|
|
|
|
|
2023-10-04 16:09:53 +00:00
|
|
|
struct xfrm_flow_keys {
|
|
|
|
|
struct flow_dissector_key_basic basic;
|
|
|
|
|
struct flow_dissector_key_control control;
|
|
|
|
|
union {
|
|
|
|
|
struct flow_dissector_key_ipv4_addrs ipv4;
|
|
|
|
|
struct flow_dissector_key_ipv6_addrs ipv6;
|
|
|
|
|
} addrs;
|
|
|
|
|
struct flow_dissector_key_ip ip;
|
|
|
|
|
struct flow_dissector_key_icmp icmp;
|
|
|
|
|
struct flow_dissector_key_ports ports;
|
|
|
|
|
struct flow_dissector_key_keyid gre;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static struct flow_dissector xfrm_session_dissector __ro_after_init;
|
|
|
|
|
|
2018-06-12 12:07:12 +00:00
|
|
|
static DEFINE_SPINLOCK(xfrm_if_cb_lock);
|
|
|
|
|
static struct xfrm_if_cb const __rcu *xfrm_if_cb __read_mostly;
|
|
|
|
|
|
2012-08-12 21:22:29 +00:00
|
|
|
static DEFINE_SPINLOCK(xfrm_policy_afinfo_lock);
|
2017-02-07 14:00:19 +00:00
|
|
|
static struct xfrm_policy_afinfo const __rcu *xfrm_policy_afinfo[AF_INET6 + 1]
|
2012-08-12 21:22:29 +00:00
|
|
|
__read_mostly;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2018-02-24 18:21:38 +00:00
|
|
|
static struct kmem_cache *xfrm_dst_cache __ro_after_init;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
static struct rhashtable xfrm_policy_inexact_table;
|
|
|
|
|
static const struct rhashtable_params xfrm_pol_inexact_params;
|
|
|
|
|
|
2017-11-28 20:41:01 +00:00
|
|
|
static void xfrm_init_pmtu(struct xfrm_dst **bundle, int nr);
|
2010-04-07 00:30:05 +00:00
|
|
|
static int stale_bundle(struct dst_entry *dst);
|
2011-06-29 23:18:20 +00:00
|
|
|
static int xfrm_bundle_ok(struct xfrm_dst *xdst);
|
2017-10-17 00:28:56 +00:00
|
|
|
static void xfrm_policy_queue_process(struct timer_list *t);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2014-11-13 09:09:50 +00:00
|
|
|
static void __xfrm_policy_link(struct xfrm_policy *pol, int dir);
|
2008-12-03 08:33:09 +00:00
|
|
|
static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
|
|
|
|
|
int dir);
|
|
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
static struct xfrm_pol_inexact_bin *
|
2018-11-07 22:00:36 +00:00
|
|
|
xfrm_policy_inexact_lookup(struct net *net, u8 type, u16 family, u8 dir,
|
|
|
|
|
u32 if_id);
|
2018-11-07 22:00:35 +00:00
|
|
|
|
|
|
|
|
static struct xfrm_pol_inexact_bin *
|
|
|
|
|
xfrm_policy_inexact_lookup_rcu(struct net *net,
|
2018-11-07 22:00:36 +00:00
|
|
|
u8 type, u16 family, u8 dir, u32 if_id);
|
2018-11-07 22:00:35 +00:00
|
|
|
static struct xfrm_policy *
|
|
|
|
|
xfrm_policy_insert_list(struct hlist_head *chain, struct xfrm_policy *policy,
|
|
|
|
|
bool excl);
|
|
|
|
|
static void xfrm_policy_insert_inexact_list(struct hlist_head *chain,
|
|
|
|
|
struct xfrm_policy *policy);
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
static bool
|
|
|
|
|
xfrm_policy_find_inexact_candidates(struct xfrm_pol_inexact_candidates *cand,
|
|
|
|
|
struct xfrm_pol_inexact_bin *b,
|
|
|
|
|
const xfrm_address_t *saddr,
|
|
|
|
|
const xfrm_address_t *daddr);
|
|
|
|
|
|
2016-08-11 13:17:55 +00:00
|
|
|
static inline bool xfrm_pol_hold_rcu(struct xfrm_policy *policy)
|
|
|
|
|
{
|
2017-07-04 12:53:22 +00:00
|
|
|
return refcount_inc_not_zero(&policy->refcnt);
|
2016-08-11 13:17:55 +00:00
|
|
|
}
|
|
|
|
|
|
2012-05-15 19:04:57 +00:00
|
|
|
static inline bool
|
2011-02-24 05:12:25 +00:00
|
|
|
__xfrm4_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
|
2006-11-09 06:46:26 +00:00
|
|
|
{
|
2011-03-12 07:42:11 +00:00
|
|
|
const struct flowi4 *fl4 = &fl->u.ip4;
|
|
|
|
|
|
2011-11-22 06:46:02 +00:00
|
|
|
return addr4_match(fl4->daddr, sel->daddr.a4, sel->prefixlen_d) &&
|
|
|
|
|
addr4_match(fl4->saddr, sel->saddr.a4, sel->prefixlen_s) &&
|
2011-03-12 07:42:11 +00:00
|
|
|
!((xfrm_flowi_dport(fl, &fl4->uli) ^ sel->dport) & sel->dport_mask) &&
|
|
|
|
|
!((xfrm_flowi_sport(fl, &fl4->uli) ^ sel->sport) & sel->sport_mask) &&
|
|
|
|
|
(fl4->flowi4_proto == sel->proto || !sel->proto) &&
|
|
|
|
|
(fl4->flowi4_oif == sel->ifindex || !sel->ifindex);
|
2006-11-09 06:46:26 +00:00
|
|
|
}
|
|
|
|
|
|
2012-05-15 19:04:57 +00:00
|
|
|
static inline bool
|
2011-02-24 05:12:25 +00:00
|
|
|
__xfrm6_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
|
2006-11-09 06:46:26 +00:00
|
|
|
{
|
2011-03-12 07:42:11 +00:00
|
|
|
const struct flowi6 *fl6 = &fl->u.ip6;
|
|
|
|
|
|
|
|
|
|
return addr_match(&fl6->daddr, &sel->daddr, sel->prefixlen_d) &&
|
|
|
|
|
addr_match(&fl6->saddr, &sel->saddr, sel->prefixlen_s) &&
|
|
|
|
|
!((xfrm_flowi_dport(fl, &fl6->uli) ^ sel->dport) & sel->dport_mask) &&
|
|
|
|
|
!((xfrm_flowi_sport(fl, &fl6->uli) ^ sel->sport) & sel->sport_mask) &&
|
|
|
|
|
(fl6->flowi6_proto == sel->proto || !sel->proto) &&
|
|
|
|
|
(fl6->flowi6_oif == sel->ifindex || !sel->ifindex);
|
2006-11-09 06:46:26 +00:00
|
|
|
}
|
|
|
|
|
|
2012-05-15 19:04:57 +00:00
|
|
|
bool xfrm_selector_match(const struct xfrm_selector *sel, const struct flowi *fl,
|
|
|
|
|
unsigned short family)
|
2006-11-09 06:46:26 +00:00
|
|
|
{
|
|
|
|
|
switch (family) {
|
|
|
|
|
case AF_INET:
|
|
|
|
|
return __xfrm4_selector_match(sel, fl);
|
|
|
|
|
case AF_INET6:
|
|
|
|
|
return __xfrm6_selector_match(sel, fl);
|
|
|
|
|
}
|
2012-05-15 19:04:57 +00:00
|
|
|
return false;
|
2006-11-09 06:46:26 +00:00
|
|
|
}
|
|
|
|
|
|
2017-02-07 14:00:17 +00:00
|
|
|
static const struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)
|
2012-08-19 10:31:48 +00:00
|
|
|
{
|
2017-02-07 14:00:17 +00:00
|
|
|
const struct xfrm_policy_afinfo *afinfo;
|
2012-08-19 10:31:48 +00:00
|
|
|
|
2017-02-07 14:00:17 +00:00
|
|
|
if (unlikely(family >= ARRAY_SIZE(xfrm_policy_afinfo)))
|
2012-08-19 10:31:48 +00:00
|
|
|
return NULL;
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
afinfo = rcu_dereference(xfrm_policy_afinfo[family]);
|
|
|
|
|
if (unlikely(!afinfo))
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
return afinfo;
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-12 12:07:12 +00:00
|
|
|
/* Called with rcu_read_lock(). */
|
|
|
|
|
static const struct xfrm_if_cb *xfrm_if_get_cb(void)
|
|
|
|
|
{
|
|
|
|
|
return rcu_dereference(xfrm_if_cb);
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-14 08:06:10 +00:00
|
|
|
struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
|
|
|
|
|
const xfrm_address_t *saddr,
|
|
|
|
|
const xfrm_address_t *daddr,
|
net: xfrm: support setting an output mark.
On systems that use mark-based routing it may be necessary for
routing lookups to use marks in order for packets to be routed
correctly. An example of such a system is Android, which uses
socket marks to route packets via different networks.
Currently, routing lookups in tunnel mode always use a mark of
zero, making routing incorrect on such systems.
This patch adds a new output_mark element to the xfrm state and
a corresponding XFRMA_OUTPUT_MARK netlink attribute. The output
mark differs from the existing xfrm mark in two ways:
1. The xfrm mark is used to match xfrm policies and states, while
the xfrm output mark is used to set the mark (and influence
the routing) of the packets emitted by those states.
2. The existing mark is constrained to be a subset of the bits of
the originating socket or transformed packet, but the output
mark is arbitrary and depends only on the state.
The use of a separate mark provides additional flexibility. For
example:
- A packet subject to two transforms (e.g., transport mode inside
tunnel mode) can have two different output marks applied to it,
one for the transport mode SA and one for the tunnel mode SA.
- On a system where socket marks determine routing, the packets
emitted by an IPsec tunnel can be routed based on a mark that
is determined by the tunnel, not by the marks of the
unencrypted packets.
- Support for setting the output marks can be introduced without
breaking any existing setups that employ both mark-based
routing and xfrm tunnel mode. Simply changing the code to use
the xfrm mark for routing output packets could xfrm mark could
change behaviour in a way that breaks these setups.
If the output mark is unspecified or set to zero, the mark is not
set or changed.
Tested: make allyesconfig; make -j64
Tested: https://android-review.googlesource.com/452776
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2017-08-10 17:11:33 +00:00
|
|
|
int family, u32 mark)
|
2008-02-22 05:48:22 +00:00
|
|
|
{
|
2017-02-07 14:00:19 +00:00
|
|
|
const struct xfrm_policy_afinfo *afinfo;
|
2008-02-22 05:48:22 +00:00
|
|
|
struct dst_entry *dst;
|
|
|
|
|
|
|
|
|
|
afinfo = xfrm_policy_get_afinfo(family);
|
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
|
return ERR_PTR(-EAFNOSUPPORT);
|
|
|
|
|
|
net: xfrm: support setting an output mark.
On systems that use mark-based routing it may be necessary for
routing lookups to use marks in order for packets to be routed
correctly. An example of such a system is Android, which uses
socket marks to route packets via different networks.
Currently, routing lookups in tunnel mode always use a mark of
zero, making routing incorrect on such systems.
This patch adds a new output_mark element to the xfrm state and
a corresponding XFRMA_OUTPUT_MARK netlink attribute. The output
mark differs from the existing xfrm mark in two ways:
1. The xfrm mark is used to match xfrm policies and states, while
the xfrm output mark is used to set the mark (and influence
the routing) of the packets emitted by those states.
2. The existing mark is constrained to be a subset of the bits of
the originating socket or transformed packet, but the output
mark is arbitrary and depends only on the state.
The use of a separate mark provides additional flexibility. For
example:
- A packet subject to two transforms (e.g., transport mode inside
tunnel mode) can have two different output marks applied to it,
one for the transport mode SA and one for the tunnel mode SA.
- On a system where socket marks determine routing, the packets
emitted by an IPsec tunnel can be routed based on a mark that
is determined by the tunnel, not by the marks of the
unencrypted packets.
- Support for setting the output marks can be introduced without
breaking any existing setups that employ both mark-based
routing and xfrm tunnel mode. Simply changing the code to use
the xfrm mark for routing output packets could xfrm mark could
change behaviour in a way that breaks these setups.
If the output mark is unspecified or set to zero, the mark is not
set or changed.
Tested: make allyesconfig; make -j64
Tested: https://android-review.googlesource.com/452776
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2017-08-10 17:11:33 +00:00
|
|
|
dst = afinfo->dst_lookup(net, tos, oif, saddr, daddr, mark);
|
2008-02-22 05:48:22 +00:00
|
|
|
|
2017-02-07 14:00:18 +00:00
|
|
|
rcu_read_unlock();
|
2008-02-22 05:48:22 +00:00
|
|
|
|
|
|
|
|
return dst;
|
|
|
|
|
}
|
2017-04-14 08:06:10 +00:00
|
|
|
EXPORT_SYMBOL(__xfrm_dst_lookup);
|
2008-02-22 05:48:22 +00:00
|
|
|
|
2015-08-10 22:58:11 +00:00
|
|
|
static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x,
|
|
|
|
|
int tos, int oif,
|
2008-02-22 05:48:22 +00:00
|
|
|
xfrm_address_t *prev_saddr,
|
|
|
|
|
xfrm_address_t *prev_daddr,
|
net: xfrm: support setting an output mark.
On systems that use mark-based routing it may be necessary for
routing lookups to use marks in order for packets to be routed
correctly. An example of such a system is Android, which uses
socket marks to route packets via different networks.
Currently, routing lookups in tunnel mode always use a mark of
zero, making routing incorrect on such systems.
This patch adds a new output_mark element to the xfrm state and
a corresponding XFRMA_OUTPUT_MARK netlink attribute. The output
mark differs from the existing xfrm mark in two ways:
1. The xfrm mark is used to match xfrm policies and states, while
the xfrm output mark is used to set the mark (and influence
the routing) of the packets emitted by those states.
2. The existing mark is constrained to be a subset of the bits of
the originating socket or transformed packet, but the output
mark is arbitrary and depends only on the state.
The use of a separate mark provides additional flexibility. For
example:
- A packet subject to two transforms (e.g., transport mode inside
tunnel mode) can have two different output marks applied to it,
one for the transport mode SA and one for the tunnel mode SA.
- On a system where socket marks determine routing, the packets
emitted by an IPsec tunnel can be routed based on a mark that
is determined by the tunnel, not by the marks of the
unencrypted packets.
- Support for setting the output marks can be introduced without
breaking any existing setups that employ both mark-based
routing and xfrm tunnel mode. Simply changing the code to use
the xfrm mark for routing output packets could xfrm mark could
change behaviour in a way that breaks these setups.
If the output mark is unspecified or set to zero, the mark is not
set or changed.
Tested: make allyesconfig; make -j64
Tested: https://android-review.googlesource.com/452776
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2017-08-10 17:11:33 +00:00
|
|
|
int family, u32 mark)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:51:25 +00:00
|
|
|
struct net *net = xs_net(x);
|
2007-11-14 05:37:28 +00:00
|
|
|
xfrm_address_t *saddr = &x->props.saddr;
|
|
|
|
|
xfrm_address_t *daddr = &x->id.daddr;
|
|
|
|
|
struct dst_entry *dst;
|
|
|
|
|
|
2008-02-22 05:48:22 +00:00
|
|
|
if (x->type->flags & XFRM_TYPE_LOCAL_COADDR) {
|
2007-11-14 05:37:28 +00:00
|
|
|
saddr = x->coaddr;
|
2008-02-22 05:48:22 +00:00
|
|
|
daddr = prev_daddr;
|
|
|
|
|
}
|
|
|
|
|
if (x->type->flags & XFRM_TYPE_REMOTE_COADDR) {
|
|
|
|
|
saddr = prev_saddr;
|
2007-11-14 05:37:28 +00:00
|
|
|
daddr = x->coaddr;
|
2008-02-22 05:48:22 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
net: xfrm: support setting an output mark.
On systems that use mark-based routing it may be necessary for
routing lookups to use marks in order for packets to be routed
correctly. An example of such a system is Android, which uses
socket marks to route packets via different networks.
Currently, routing lookups in tunnel mode always use a mark of
zero, making routing incorrect on such systems.
This patch adds a new output_mark element to the xfrm state and
a corresponding XFRMA_OUTPUT_MARK netlink attribute. The output
mark differs from the existing xfrm mark in two ways:
1. The xfrm mark is used to match xfrm policies and states, while
the xfrm output mark is used to set the mark (and influence
the routing) of the packets emitted by those states.
2. The existing mark is constrained to be a subset of the bits of
the originating socket or transformed packet, but the output
mark is arbitrary and depends only on the state.
The use of a separate mark provides additional flexibility. For
example:
- A packet subject to two transforms (e.g., transport mode inside
tunnel mode) can have two different output marks applied to it,
one for the transport mode SA and one for the tunnel mode SA.
- On a system where socket marks determine routing, the packets
emitted by an IPsec tunnel can be routed based on a mark that
is determined by the tunnel, not by the marks of the
unencrypted packets.
- Support for setting the output marks can be introduced without
breaking any existing setups that employ both mark-based
routing and xfrm tunnel mode. Simply changing the code to use
the xfrm mark for routing output packets could xfrm mark could
change behaviour in a way that breaks these setups.
If the output mark is unspecified or set to zero, the mark is not
set or changed.
Tested: make allyesconfig; make -j64
Tested: https://android-review.googlesource.com/452776
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2017-08-10 17:11:33 +00:00
|
|
|
dst = __xfrm_dst_lookup(net, tos, oif, saddr, daddr, family, mark);
|
2008-02-22 05:48:22 +00:00
|
|
|
|
|
|
|
|
if (!IS_ERR(dst)) {
|
|
|
|
|
if (prev_saddr != saddr)
|
|
|
|
|
memcpy(prev_saddr, saddr, sizeof(*prev_saddr));
|
|
|
|
|
if (prev_daddr != daddr)
|
|
|
|
|
memcpy(prev_daddr, daddr, sizeof(*prev_daddr));
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-11-14 05:37:28 +00:00
|
|
|
return dst;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline unsigned long make_jiffies(long secs)
|
|
|
|
|
{
|
|
|
|
|
if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
|
|
|
|
|
return MAX_SCHEDULE_TIMEOUT-1;
|
|
|
|
|
else
|
2007-02-09 14:25:29 +00:00
|
|
|
return secs*HZ;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2017-10-17 00:28:56 +00:00
|
|
|
static void xfrm_policy_timer(struct timer_list *t)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2017-10-17 00:28:56 +00:00
|
|
|
struct xfrm_policy *xp = from_timer(xp, t, timer);
|
2018-07-11 10:19:13 +00:00
|
|
|
time64_t now = ktime_get_real_seconds();
|
|
|
|
|
time64_t next = TIME64_MAX;
|
2005-04-16 22:20:36 +00:00
|
|
|
int warn = 0;
|
|
|
|
|
int dir;
|
|
|
|
|
|
|
|
|
|
read_lock(&xp->lock);
|
|
|
|
|
|
2010-03-31 00:17:05 +00:00
|
|
|
if (unlikely(xp->walk.dead))
|
2005-04-16 22:20:36 +00:00
|
|
|
goto out;
|
|
|
|
|
|
2005-10-05 19:15:12 +00:00
|
|
|
dir = xfrm_policy_id2dir(xp->index);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (xp->lft.hard_add_expires_seconds) {
|
2018-07-11 10:19:13 +00:00
|
|
|
time64_t tmo = xp->lft.hard_add_expires_seconds +
|
2005-04-16 22:20:36 +00:00
|
|
|
xp->curlft.add_time - now;
|
|
|
|
|
if (tmo <= 0)
|
|
|
|
|
goto expired;
|
|
|
|
|
if (tmo < next)
|
|
|
|
|
next = tmo;
|
|
|
|
|
}
|
|
|
|
|
if (xp->lft.hard_use_expires_seconds) {
|
2018-07-11 10:19:13 +00:00
|
|
|
time64_t tmo = xp->lft.hard_use_expires_seconds +
|
2023-01-26 11:21:30 +00:00
|
|
|
(READ_ONCE(xp->curlft.use_time) ? : xp->curlft.add_time) - now;
|
2005-04-16 22:20:36 +00:00
|
|
|
if (tmo <= 0)
|
|
|
|
|
goto expired;
|
|
|
|
|
if (tmo < next)
|
|
|
|
|
next = tmo;
|
|
|
|
|
}
|
|
|
|
|
if (xp->lft.soft_add_expires_seconds) {
|
2018-07-11 10:19:13 +00:00
|
|
|
time64_t tmo = xp->lft.soft_add_expires_seconds +
|
2005-04-16 22:20:36 +00:00
|
|
|
xp->curlft.add_time - now;
|
|
|
|
|
if (tmo <= 0) {
|
|
|
|
|
warn = 1;
|
|
|
|
|
tmo = XFRM_KM_TIMEOUT;
|
|
|
|
|
}
|
|
|
|
|
if (tmo < next)
|
|
|
|
|
next = tmo;
|
|
|
|
|
}
|
|
|
|
|
if (xp->lft.soft_use_expires_seconds) {
|
2018-07-11 10:19:13 +00:00
|
|
|
time64_t tmo = xp->lft.soft_use_expires_seconds +
|
2023-01-26 11:21:30 +00:00
|
|
|
(READ_ONCE(xp->curlft.use_time) ? : xp->curlft.add_time) - now;
|
2005-04-16 22:20:36 +00:00
|
|
|
if (tmo <= 0) {
|
|
|
|
|
warn = 1;
|
|
|
|
|
tmo = XFRM_KM_TIMEOUT;
|
|
|
|
|
}
|
|
|
|
|
if (tmo < next)
|
|
|
|
|
next = tmo;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (warn)
|
2006-03-21 03:17:25 +00:00
|
|
|
km_policy_expired(xp, dir, 0, 0);
|
2018-07-11 10:19:13 +00:00
|
|
|
if (next != TIME64_MAX &&
|
2005-04-16 22:20:36 +00:00
|
|
|
!mod_timer(&xp->timer, jiffies + make_jiffies(next)))
|
|
|
|
|
xfrm_pol_hold(xp);
|
|
|
|
|
|
|
|
|
|
out:
|
|
|
|
|
read_unlock(&xp->lock);
|
|
|
|
|
xfrm_pol_put(xp);
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
expired:
|
|
|
|
|
read_unlock(&xp->lock);
|
2005-06-19 05:43:22 +00:00
|
|
|
if (!xfrm_policy_delete(xp, dir))
|
2006-03-21 03:17:25 +00:00
|
|
|
km_policy_expired(xp, dir, 1, 0);
|
2005-04-16 22:20:36 +00:00
|
|
|
xfrm_pol_put(xp);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
|
|
|
|
|
* SPD calls.
|
|
|
|
|
*/
|
|
|
|
|
|
2008-11-26 01:21:45 +00:00
|
|
|
struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
struct xfrm_policy *policy;
|
|
|
|
|
|
2006-07-21 21:51:30 +00:00
|
|
|
policy = kzalloc(sizeof(struct xfrm_policy), gfp);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (policy) {
|
2008-11-26 01:21:45 +00:00
|
|
|
write_pnet(&policy->xp_net, net);
|
2008-10-01 14:03:24 +00:00
|
|
|
INIT_LIST_HEAD(&policy->walk.all);
|
2018-11-07 22:00:35 +00:00
|
|
|
INIT_HLIST_NODE(&policy->bydst_inexact_list);
|
2006-08-24 11:45:07 +00:00
|
|
|
INIT_HLIST_NODE(&policy->bydst);
|
|
|
|
|
INIT_HLIST_NODE(&policy->byidx);
|
2005-04-16 22:20:36 +00:00
|
|
|
rwlock_init(&policy->lock);
|
2017-07-04 12:53:22 +00:00
|
|
|
refcount_set(&policy->refcnt, 1);
|
2013-02-05 11:52:55 +00:00
|
|
|
skb_queue_head_init(&policy->polq.hold_queue);
|
2017-10-17 00:28:56 +00:00
|
|
|
timer_setup(&policy->timer, xfrm_policy_timer, 0);
|
|
|
|
|
timer_setup(&policy->polq.hold_timer,
|
|
|
|
|
xfrm_policy_queue_process, 0);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
return policy;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_alloc);
|
|
|
|
|
|
2015-12-08 15:22:01 +00:00
|
|
|
static void xfrm_policy_destroy_rcu(struct rcu_head *head)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_policy *policy = container_of(head, struct xfrm_policy, rcu);
|
|
|
|
|
|
|
|
|
|
security_xfrm_policy_free(policy->security);
|
|
|
|
|
kfree(policy);
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* Destroy xfrm_policy: descendant resources must be released to this moment. */
|
|
|
|
|
|
2008-01-08 06:34:29 +00:00
|
|
|
void xfrm_policy_destroy(struct xfrm_policy *policy)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-10-01 14:03:24 +00:00
|
|
|
BUG_ON(!policy->walk.dead);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2013-08-01 10:08:36 +00:00
|
|
|
if (del_timer(&policy->timer) || del_timer(&policy->polq.hold_timer))
|
2005-04-16 22:20:36 +00:00
|
|
|
BUG();
|
|
|
|
|
|
2022-12-02 18:41:29 +00:00
|
|
|
xfrm_dev_policy_free(policy);
|
2015-12-08 15:22:01 +00:00
|
|
|
call_rcu(&policy->rcu, xfrm_policy_destroy_rcu);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2008-01-08 06:34:29 +00:00
|
|
|
EXPORT_SYMBOL(xfrm_policy_destroy);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2017-01-03 16:13:20 +00:00
|
|
|
/* Rule must be locked. Release descendant resources, announce
|
2005-04-16 22:20:36 +00:00
|
|
|
* entry dead. The rule must be unlinked from lists to the moment.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static void xfrm_policy_kill(struct xfrm_policy *policy)
|
|
|
|
|
{
|
2020-03-23 07:32:39 +00:00
|
|
|
write_lock_bh(&policy->lock);
|
2008-10-01 14:03:24 +00:00
|
|
|
policy->walk.dead = 1;
|
2020-03-23 07:32:39 +00:00
|
|
|
write_unlock_bh(&policy->lock);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-04-07 00:30:06 +00:00
|
|
|
atomic_inc(&policy->genid);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2013-10-08 08:49:45 +00:00
|
|
|
if (del_timer(&policy->polq.hold_timer))
|
|
|
|
|
xfrm_pol_put(policy);
|
2015-04-22 07:51:16 +00:00
|
|
|
skb_queue_purge(&policy->polq.hold_queue);
|
2013-02-05 11:52:55 +00:00
|
|
|
|
2010-04-07 00:30:06 +00:00
|
|
|
if (del_timer(&policy->timer))
|
|
|
|
|
xfrm_pol_put(policy);
|
|
|
|
|
|
|
|
|
|
xfrm_pol_put(policy);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2006-08-24 11:45:07 +00:00
|
|
|
static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024;
|
|
|
|
|
|
2008-11-26 01:32:41 +00:00
|
|
|
static inline unsigned int idx_hash(struct net *net, u32 index)
|
2006-08-24 11:45:07 +00:00
|
|
|
{
|
2008-11-26 01:32:41 +00:00
|
|
|
return __idx_hash(index, net->xfrm.policy_idx_hmask);
|
2006-08-24 11:45:07 +00:00
|
|
|
}
|
|
|
|
|
|
xfrm: hash prefixed policies based on preflen thresholds
The idea is an extension of the current policy hashing.
Today only non-prefixed policies are stored in a hash table. This
patch relaxes the constraints, and hashes policies whose prefix
lengths are greater or equal to a configurable threshold.
Each hash table (one per direction) maintains its own set of IPv4 and
IPv6 thresholds (dbits4, sbits4, dbits6, sbits6), by default (32, 32,
128, 128).
Example, if the output hash table is configured with values (16, 24,
56, 64):
ip xfrm policy add dir out src 10.22.0.0/20 dst 10.24.1.0/24 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.1.1/32 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.0.0/16 ... => unhashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2401::2/128 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 ... => unhashed
The high order bits of the addresses (up to the threshold) are used to
compute the hash key.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:04 +00:00
|
|
|
/* calculate policy hash thresholds */
|
|
|
|
|
static void __get_hash_thresh(struct net *net,
|
|
|
|
|
unsigned short family, int dir,
|
|
|
|
|
u8 *dbits, u8 *sbits)
|
|
|
|
|
{
|
|
|
|
|
switch (family) {
|
|
|
|
|
case AF_INET:
|
|
|
|
|
*dbits = net->xfrm.policy_bydst[dir].dbits4;
|
|
|
|
|
*sbits = net->xfrm.policy_bydst[dir].sbits4;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case AF_INET6:
|
|
|
|
|
*dbits = net->xfrm.policy_bydst[dir].dbits6;
|
|
|
|
|
*sbits = net->xfrm.policy_bydst[dir].sbits6;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
*dbits = 0;
|
|
|
|
|
*sbits = 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2011-02-24 05:33:19 +00:00
|
|
|
static struct hlist_head *policy_hash_bysel(struct net *net,
|
|
|
|
|
const struct xfrm_selector *sel,
|
|
|
|
|
unsigned short family, int dir)
|
2006-08-24 11:45:07 +00:00
|
|
|
{
|
2008-11-26 01:33:06 +00:00
|
|
|
unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
|
xfrm: hash prefixed policies based on preflen thresholds
The idea is an extension of the current policy hashing.
Today only non-prefixed policies are stored in a hash table. This
patch relaxes the constraints, and hashes policies whose prefix
lengths are greater or equal to a configurable threshold.
Each hash table (one per direction) maintains its own set of IPv4 and
IPv6 thresholds (dbits4, sbits4, dbits6, sbits6), by default (32, 32,
128, 128).
Example, if the output hash table is configured with values (16, 24,
56, 64):
ip xfrm policy add dir out src 10.22.0.0/20 dst 10.24.1.0/24 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.1.1/32 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.0.0/16 ... => unhashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2401::2/128 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 ... => unhashed
The high order bits of the addresses (up to the threshold) are used to
compute the hash key.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:04 +00:00
|
|
|
unsigned int hash;
|
|
|
|
|
u8 dbits;
|
|
|
|
|
u8 sbits;
|
|
|
|
|
|
|
|
|
|
__get_hash_thresh(net, family, dir, &dbits, &sbits);
|
|
|
|
|
hash = __sel_hash(sel, family, hmask, dbits, sbits);
|
2006-08-24 11:45:07 +00:00
|
|
|
|
2016-08-11 13:17:53 +00:00
|
|
|
if (hash == hmask + 1)
|
2018-11-07 22:00:34 +00:00
|
|
|
return NULL;
|
2016-08-11 13:17:53 +00:00
|
|
|
|
|
|
|
|
return rcu_dereference_check(net->xfrm.policy_bydst[dir].table,
|
|
|
|
|
lockdep_is_held(&net->xfrm.xfrm_policy_lock)) + hash;
|
2006-08-24 11:45:07 +00:00
|
|
|
}
|
|
|
|
|
|
2011-02-24 05:33:19 +00:00
|
|
|
static struct hlist_head *policy_hash_direct(struct net *net,
|
|
|
|
|
const xfrm_address_t *daddr,
|
|
|
|
|
const xfrm_address_t *saddr,
|
|
|
|
|
unsigned short family, int dir)
|
2006-08-24 11:45:07 +00:00
|
|
|
{
|
2008-11-26 01:33:06 +00:00
|
|
|
unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
|
xfrm: hash prefixed policies based on preflen thresholds
The idea is an extension of the current policy hashing.
Today only non-prefixed policies are stored in a hash table. This
patch relaxes the constraints, and hashes policies whose prefix
lengths are greater or equal to a configurable threshold.
Each hash table (one per direction) maintains its own set of IPv4 and
IPv6 thresholds (dbits4, sbits4, dbits6, sbits6), by default (32, 32,
128, 128).
Example, if the output hash table is configured with values (16, 24,
56, 64):
ip xfrm policy add dir out src 10.22.0.0/20 dst 10.24.1.0/24 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.1.1/32 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.0.0/16 ... => unhashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2401::2/128 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 ... => unhashed
The high order bits of the addresses (up to the threshold) are used to
compute the hash key.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:04 +00:00
|
|
|
unsigned int hash;
|
|
|
|
|
u8 dbits;
|
|
|
|
|
u8 sbits;
|
|
|
|
|
|
|
|
|
|
__get_hash_thresh(net, family, dir, &dbits, &sbits);
|
|
|
|
|
hash = __addr_hash(daddr, saddr, family, hmask, dbits, sbits);
|
2006-08-24 11:45:07 +00:00
|
|
|
|
2016-08-11 13:17:53 +00:00
|
|
|
return rcu_dereference_check(net->xfrm.policy_bydst[dir].table,
|
|
|
|
|
lockdep_is_held(&net->xfrm.xfrm_policy_lock)) + hash;
|
2006-08-24 11:45:07 +00:00
|
|
|
}
|
|
|
|
|
|
xfrm: hash prefixed policies based on preflen thresholds
The idea is an extension of the current policy hashing.
Today only non-prefixed policies are stored in a hash table. This
patch relaxes the constraints, and hashes policies whose prefix
lengths are greater or equal to a configurable threshold.
Each hash table (one per direction) maintains its own set of IPv4 and
IPv6 thresholds (dbits4, sbits4, dbits6, sbits6), by default (32, 32,
128, 128).
Example, if the output hash table is configured with values (16, 24,
56, 64):
ip xfrm policy add dir out src 10.22.0.0/20 dst 10.24.1.0/24 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.1.1/32 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.0.0/16 ... => unhashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2401::2/128 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 ... => unhashed
The high order bits of the addresses (up to the threshold) are used to
compute the hash key.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:04 +00:00
|
|
|
static void xfrm_dst_hash_transfer(struct net *net,
|
|
|
|
|
struct hlist_head *list,
|
2006-08-24 11:45:07 +00:00
|
|
|
struct hlist_head *ndsttable,
|
xfrm: hash prefixed policies based on preflen thresholds
The idea is an extension of the current policy hashing.
Today only non-prefixed policies are stored in a hash table. This
patch relaxes the constraints, and hashes policies whose prefix
lengths are greater or equal to a configurable threshold.
Each hash table (one per direction) maintains its own set of IPv4 and
IPv6 thresholds (dbits4, sbits4, dbits6, sbits6), by default (32, 32,
128, 128).
Example, if the output hash table is configured with values (16, 24,
56, 64):
ip xfrm policy add dir out src 10.22.0.0/20 dst 10.24.1.0/24 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.1.1/32 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.0.0/16 ... => unhashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2401::2/128 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 ... => unhashed
The high order bits of the addresses (up to the threshold) are used to
compute the hash key.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:04 +00:00
|
|
|
unsigned int nhashmask,
|
|
|
|
|
int dir)
|
2006-08-24 11:45:07 +00:00
|
|
|
{
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 01:06:00 +00:00
|
|
|
struct hlist_node *tmp, *entry0 = NULL;
|
2006-08-24 11:45:07 +00:00
|
|
|
struct xfrm_policy *pol;
|
2008-02-18 07:29:30 +00:00
|
|
|
unsigned int h0 = 0;
|
xfrm: hash prefixed policies based on preflen thresholds
The idea is an extension of the current policy hashing.
Today only non-prefixed policies are stored in a hash table. This
patch relaxes the constraints, and hashes policies whose prefix
lengths are greater or equal to a configurable threshold.
Each hash table (one per direction) maintains its own set of IPv4 and
IPv6 thresholds (dbits4, sbits4, dbits6, sbits6), by default (32, 32,
128, 128).
Example, if the output hash table is configured with values (16, 24,
56, 64):
ip xfrm policy add dir out src 10.22.0.0/20 dst 10.24.1.0/24 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.1.1/32 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.0.0/16 ... => unhashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2401::2/128 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 ... => unhashed
The high order bits of the addresses (up to the threshold) are used to
compute the hash key.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:04 +00:00
|
|
|
u8 dbits;
|
|
|
|
|
u8 sbits;
|
2006-08-24 11:45:07 +00:00
|
|
|
|
2008-02-18 07:29:30 +00:00
|
|
|
redo:
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 01:06:00 +00:00
|
|
|
hlist_for_each_entry_safe(pol, tmp, list, bydst) {
|
2006-08-24 11:45:07 +00:00
|
|
|
unsigned int h;
|
|
|
|
|
|
xfrm: hash prefixed policies based on preflen thresholds
The idea is an extension of the current policy hashing.
Today only non-prefixed policies are stored in a hash table. This
patch relaxes the constraints, and hashes policies whose prefix
lengths are greater or equal to a configurable threshold.
Each hash table (one per direction) maintains its own set of IPv4 and
IPv6 thresholds (dbits4, sbits4, dbits6, sbits6), by default (32, 32,
128, 128).
Example, if the output hash table is configured with values (16, 24,
56, 64):
ip xfrm policy add dir out src 10.22.0.0/20 dst 10.24.1.0/24 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.1.1/32 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.0.0/16 ... => unhashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2401::2/128 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 ... => unhashed
The high order bits of the addresses (up to the threshold) are used to
compute the hash key.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:04 +00:00
|
|
|
__get_hash_thresh(net, pol->family, dir, &dbits, &sbits);
|
2006-08-24 11:45:07 +00:00
|
|
|
h = __addr_hash(&pol->selector.daddr, &pol->selector.saddr,
|
xfrm: hash prefixed policies based on preflen thresholds
The idea is an extension of the current policy hashing.
Today only non-prefixed policies are stored in a hash table. This
patch relaxes the constraints, and hashes policies whose prefix
lengths are greater or equal to a configurable threshold.
Each hash table (one per direction) maintains its own set of IPv4 and
IPv6 thresholds (dbits4, sbits4, dbits6, sbits6), by default (32, 32,
128, 128).
Example, if the output hash table is configured with values (16, 24,
56, 64):
ip xfrm policy add dir out src 10.22.0.0/20 dst 10.24.1.0/24 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.1.1/32 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.0.0/16 ... => unhashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2401::2/128 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 ... => unhashed
The high order bits of the addresses (up to the threshold) are used to
compute the hash key.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:04 +00:00
|
|
|
pol->family, nhashmask, dbits, sbits);
|
2022-12-02 18:41:32 +00:00
|
|
|
if (!entry0 || pol->xdo.type == XFRM_DEV_OFFLOAD_PACKET) {
|
2016-08-11 13:17:52 +00:00
|
|
|
hlist_del_rcu(&pol->bydst);
|
|
|
|
|
hlist_add_head_rcu(&pol->bydst, ndsttable + h);
|
2008-02-18 07:29:30 +00:00
|
|
|
h0 = h;
|
|
|
|
|
} else {
|
|
|
|
|
if (h != h0)
|
|
|
|
|
continue;
|
2016-08-11 13:17:52 +00:00
|
|
|
hlist_del_rcu(&pol->bydst);
|
|
|
|
|
hlist_add_behind_rcu(&pol->bydst, entry0);
|
2008-02-18 07:29:30 +00:00
|
|
|
}
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 01:06:00 +00:00
|
|
|
entry0 = &pol->bydst;
|
2008-02-18 07:29:30 +00:00
|
|
|
}
|
|
|
|
|
if (!hlist_empty(list)) {
|
|
|
|
|
entry0 = NULL;
|
|
|
|
|
goto redo;
|
2006-08-24 11:45:07 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void xfrm_idx_hash_transfer(struct hlist_head *list,
|
|
|
|
|
struct hlist_head *nidxtable,
|
|
|
|
|
unsigned int nhashmask)
|
|
|
|
|
{
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 01:06:00 +00:00
|
|
|
struct hlist_node *tmp;
|
2006-08-24 11:45:07 +00:00
|
|
|
struct xfrm_policy *pol;
|
|
|
|
|
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 01:06:00 +00:00
|
|
|
hlist_for_each_entry_safe(pol, tmp, list, byidx) {
|
2006-08-24 11:45:07 +00:00
|
|
|
unsigned int h;
|
|
|
|
|
|
|
|
|
|
h = __idx_hash(pol->index, nhashmask);
|
|
|
|
|
hlist_add_head(&pol->byidx, nidxtable+h);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static unsigned long xfrm_new_hash_mask(unsigned int old_hmask)
|
|
|
|
|
{
|
|
|
|
|
return ((old_hmask + 1) << 1) - 1;
|
|
|
|
|
}
|
|
|
|
|
|
2008-11-26 01:28:57 +00:00
|
|
|
static void xfrm_bydst_resize(struct net *net, int dir)
|
2006-08-24 11:45:07 +00:00
|
|
|
{
|
2008-11-26 01:28:57 +00:00
|
|
|
unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
|
2006-08-24 11:45:07 +00:00
|
|
|
unsigned int nhashmask = xfrm_new_hash_mask(hmask);
|
|
|
|
|
unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
|
2006-08-24 11:50:50 +00:00
|
|
|
struct hlist_head *ndst = xfrm_hash_alloc(nsize);
|
2016-08-11 13:17:53 +00:00
|
|
|
struct hlist_head *odst;
|
2006-08-24 11:45:07 +00:00
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
if (!ndst)
|
|
|
|
|
return;
|
|
|
|
|
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
2021-06-28 13:34:28 +00:00
|
|
|
write_seqcount_begin(&net->xfrm.xfrm_policy_hash_generation);
|
2016-08-11 13:17:54 +00:00
|
|
|
|
2016-08-11 13:17:53 +00:00
|
|
|
odst = rcu_dereference_protected(net->xfrm.policy_bydst[dir].table,
|
|
|
|
|
lockdep_is_held(&net->xfrm.xfrm_policy_lock));
|
|
|
|
|
|
2006-08-24 11:45:07 +00:00
|
|
|
for (i = hmask; i >= 0; i--)
|
xfrm: hash prefixed policies based on preflen thresholds
The idea is an extension of the current policy hashing.
Today only non-prefixed policies are stored in a hash table. This
patch relaxes the constraints, and hashes policies whose prefix
lengths are greater or equal to a configurable threshold.
Each hash table (one per direction) maintains its own set of IPv4 and
IPv6 thresholds (dbits4, sbits4, dbits6, sbits6), by default (32, 32,
128, 128).
Example, if the output hash table is configured with values (16, 24,
56, 64):
ip xfrm policy add dir out src 10.22.0.0/20 dst 10.24.1.0/24 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.1.1/32 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.0.0/16 ... => unhashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2401::2/128 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 ... => unhashed
The high order bits of the addresses (up to the threshold) are used to
compute the hash key.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:04 +00:00
|
|
|
xfrm_dst_hash_transfer(net, odst + i, ndst, nhashmask, dir);
|
2006-08-24 11:45:07 +00:00
|
|
|
|
2016-08-11 13:17:53 +00:00
|
|
|
rcu_assign_pointer(net->xfrm.policy_bydst[dir].table, ndst);
|
2008-11-26 01:28:57 +00:00
|
|
|
net->xfrm.policy_bydst[dir].hmask = nhashmask;
|
2006-08-24 11:45:07 +00:00
|
|
|
|
2021-06-28 13:34:28 +00:00
|
|
|
write_seqcount_end(&net->xfrm.xfrm_policy_hash_generation);
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2006-08-24 11:45:07 +00:00
|
|
|
|
2016-08-11 13:17:53 +00:00
|
|
|
synchronize_rcu();
|
|
|
|
|
|
2006-08-24 11:50:50 +00:00
|
|
|
xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head));
|
2006-08-24 11:45:07 +00:00
|
|
|
}
|
|
|
|
|
|
2022-10-24 17:19:31 +00:00
|
|
|
static void xfrm_byidx_resize(struct net *net)
|
2006-08-24 11:45:07 +00:00
|
|
|
{
|
2008-11-26 01:28:57 +00:00
|
|
|
unsigned int hmask = net->xfrm.policy_idx_hmask;
|
2006-08-24 11:45:07 +00:00
|
|
|
unsigned int nhashmask = xfrm_new_hash_mask(hmask);
|
|
|
|
|
unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);
|
2008-11-26 01:28:57 +00:00
|
|
|
struct hlist_head *oidx = net->xfrm.policy_byidx;
|
2006-08-24 11:50:50 +00:00
|
|
|
struct hlist_head *nidx = xfrm_hash_alloc(nsize);
|
2006-08-24 11:45:07 +00:00
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
if (!nidx)
|
|
|
|
|
return;
|
|
|
|
|
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
2006-08-24 11:45:07 +00:00
|
|
|
|
|
|
|
|
for (i = hmask; i >= 0; i--)
|
|
|
|
|
xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask);
|
|
|
|
|
|
2008-11-26 01:28:57 +00:00
|
|
|
net->xfrm.policy_byidx = nidx;
|
|
|
|
|
net->xfrm.policy_idx_hmask = nhashmask;
|
2006-08-24 11:45:07 +00:00
|
|
|
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2006-08-24 11:45:07 +00:00
|
|
|
|
2006-08-24 11:50:50 +00:00
|
|
|
xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head));
|
2006-08-24 11:45:07 +00:00
|
|
|
}
|
|
|
|
|
|
2008-11-26 01:28:57 +00:00
|
|
|
static inline int xfrm_bydst_should_resize(struct net *net, int dir, int *total)
|
2006-08-24 11:45:07 +00:00
|
|
|
{
|
2008-11-26 01:28:57 +00:00
|
|
|
unsigned int cnt = net->xfrm.policy_count[dir];
|
|
|
|
|
unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
|
2006-08-24 11:45:07 +00:00
|
|
|
|
|
|
|
|
if (total)
|
|
|
|
|
*total += cnt;
|
|
|
|
|
|
|
|
|
|
if ((hmask + 1) < xfrm_policy_hashmax &&
|
|
|
|
|
cnt > hmask)
|
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2008-11-26 01:28:57 +00:00
|
|
|
static inline int xfrm_byidx_should_resize(struct net *net, int total)
|
2006-08-24 11:45:07 +00:00
|
|
|
{
|
2008-11-26 01:28:57 +00:00
|
|
|
unsigned int hmask = net->xfrm.policy_idx_hmask;
|
2006-08-24 11:45:07 +00:00
|
|
|
|
|
|
|
|
if ((hmask + 1) < xfrm_policy_hashmax &&
|
|
|
|
|
total > hmask)
|
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-23 13:37:10 +00:00
|
|
|
void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si)
|
2007-04-29 04:20:32 +00:00
|
|
|
{
|
2010-01-23 13:37:10 +00:00
|
|
|
si->incnt = net->xfrm.policy_count[XFRM_POLICY_IN];
|
|
|
|
|
si->outcnt = net->xfrm.policy_count[XFRM_POLICY_OUT];
|
|
|
|
|
si->fwdcnt = net->xfrm.policy_count[XFRM_POLICY_FWD];
|
|
|
|
|
si->inscnt = net->xfrm.policy_count[XFRM_POLICY_IN+XFRM_POLICY_MAX];
|
|
|
|
|
si->outscnt = net->xfrm.policy_count[XFRM_POLICY_OUT+XFRM_POLICY_MAX];
|
|
|
|
|
si->fwdscnt = net->xfrm.policy_count[XFRM_POLICY_FWD+XFRM_POLICY_MAX];
|
|
|
|
|
si->spdhcnt = net->xfrm.policy_idx_hmask;
|
2007-04-29 04:20:32 +00:00
|
|
|
si->spdhmcnt = xfrm_policy_hashmax;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_spd_getinfo);
|
2006-08-24 11:45:07 +00:00
|
|
|
|
2007-04-29 04:20:32 +00:00
|
|
|
static DEFINE_MUTEX(hash_resize_mutex);
|
2008-11-26 01:28:57 +00:00
|
|
|
static void xfrm_hash_resize(struct work_struct *work)
|
2006-08-24 11:45:07 +00:00
|
|
|
{
|
2008-11-26 01:28:57 +00:00
|
|
|
struct net *net = container_of(work, struct net, xfrm.policy_hash_work);
|
2006-08-24 11:45:07 +00:00
|
|
|
int dir, total;
|
|
|
|
|
|
|
|
|
|
mutex_lock(&hash_resize_mutex);
|
|
|
|
|
|
|
|
|
|
total = 0;
|
2014-11-13 09:09:49 +00:00
|
|
|
for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
|
2008-11-26 01:28:57 +00:00
|
|
|
if (xfrm_bydst_should_resize(net, dir, &total))
|
|
|
|
|
xfrm_bydst_resize(net, dir);
|
2006-08-24 11:45:07 +00:00
|
|
|
}
|
2008-11-26 01:28:57 +00:00
|
|
|
if (xfrm_byidx_should_resize(net, total))
|
2022-10-24 17:19:31 +00:00
|
|
|
xfrm_byidx_resize(net);
|
2006-08-24 11:45:07 +00:00
|
|
|
|
|
|
|
|
mutex_unlock(&hash_resize_mutex);
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
/* Make sure *pol can be inserted into fastbin.
|
2021-03-26 23:12:53 +00:00
|
|
|
* Useful to check that later insert requests will be successful
|
2018-11-07 22:00:35 +00:00
|
|
|
* (provided xfrm_policy_lock is held throughout).
|
|
|
|
|
*/
|
|
|
|
|
static struct xfrm_pol_inexact_bin *
|
|
|
|
|
xfrm_policy_inexact_alloc_bin(const struct xfrm_policy *pol, u8 dir)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_pol_inexact_bin *bin, *prev;
|
|
|
|
|
struct xfrm_pol_inexact_key k = {
|
|
|
|
|
.family = pol->family,
|
|
|
|
|
.type = pol->type,
|
|
|
|
|
.dir = dir,
|
2018-11-07 22:00:36 +00:00
|
|
|
.if_id = pol->if_id,
|
2018-11-07 22:00:35 +00:00
|
|
|
};
|
|
|
|
|
struct net *net = xp_net(pol);
|
|
|
|
|
|
|
|
|
|
lockdep_assert_held(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
|
|
|
|
|
write_pnet(&k.net, net);
|
|
|
|
|
bin = rhashtable_lookup_fast(&xfrm_policy_inexact_table, &k,
|
|
|
|
|
xfrm_pol_inexact_params);
|
|
|
|
|
if (bin)
|
|
|
|
|
return bin;
|
|
|
|
|
|
|
|
|
|
bin = kzalloc(sizeof(*bin), GFP_ATOMIC);
|
|
|
|
|
if (!bin)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
bin->k = k;
|
|
|
|
|
INIT_HLIST_HEAD(&bin->hhead);
|
2018-11-07 22:00:38 +00:00
|
|
|
bin->root_d = RB_ROOT;
|
2018-11-07 22:00:40 +00:00
|
|
|
bin->root_s = RB_ROOT;
|
2020-07-20 15:55:22 +00:00
|
|
|
seqcount_spinlock_init(&bin->count, &net->xfrm.xfrm_policy_lock);
|
2018-11-07 22:00:35 +00:00
|
|
|
|
|
|
|
|
prev = rhashtable_lookup_get_insert_key(&xfrm_policy_inexact_table,
|
|
|
|
|
&bin->k, &bin->head,
|
|
|
|
|
xfrm_pol_inexact_params);
|
|
|
|
|
if (!prev) {
|
|
|
|
|
list_add(&bin->inexact_bins, &net->xfrm.inexact_bins);
|
|
|
|
|
return bin;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
kfree(bin);
|
|
|
|
|
|
|
|
|
|
return IS_ERR(prev) ? NULL : prev;
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
static bool xfrm_pol_inexact_addr_use_any_list(const xfrm_address_t *addr,
|
|
|
|
|
int family, u8 prefixlen)
|
2018-11-07 22:00:35 +00:00
|
|
|
{
|
2018-11-07 22:00:37 +00:00
|
|
|
if (xfrm_addr_any(addr, family))
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
if (family == AF_INET6 && prefixlen < INEXACT_PREFIXLEN_IPV6)
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
if (family == AF_INET && prefixlen < INEXACT_PREFIXLEN_IPV4)
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool
|
|
|
|
|
xfrm_policy_inexact_insert_use_any_list(const struct xfrm_policy *policy)
|
|
|
|
|
{
|
|
|
|
|
const xfrm_address_t *addr;
|
|
|
|
|
bool saddr_any, daddr_any;
|
|
|
|
|
u8 prefixlen;
|
|
|
|
|
|
|
|
|
|
addr = &policy->selector.saddr;
|
|
|
|
|
prefixlen = policy->selector.prefixlen_s;
|
2018-11-07 22:00:35 +00:00
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
saddr_any = xfrm_pol_inexact_addr_use_any_list(addr,
|
|
|
|
|
policy->family,
|
|
|
|
|
prefixlen);
|
|
|
|
|
addr = &policy->selector.daddr;
|
|
|
|
|
prefixlen = policy->selector.prefixlen_d;
|
|
|
|
|
daddr_any = xfrm_pol_inexact_addr_use_any_list(addr,
|
|
|
|
|
policy->family,
|
|
|
|
|
prefixlen);
|
|
|
|
|
return saddr_any && daddr_any;
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:38 +00:00
|
|
|
static void xfrm_pol_inexact_node_init(struct xfrm_pol_inexact_node *node,
|
|
|
|
|
const xfrm_address_t *addr, u8 prefixlen)
|
|
|
|
|
{
|
|
|
|
|
node->addr = *addr;
|
|
|
|
|
node->prefixlen = prefixlen;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct xfrm_pol_inexact_node *
|
|
|
|
|
xfrm_pol_inexact_node_alloc(const xfrm_address_t *addr, u8 prefixlen)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_pol_inexact_node *node;
|
|
|
|
|
|
|
|
|
|
node = kzalloc(sizeof(*node), GFP_ATOMIC);
|
|
|
|
|
if (node)
|
|
|
|
|
xfrm_pol_inexact_node_init(node, addr, prefixlen);
|
|
|
|
|
|
|
|
|
|
return node;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int xfrm_policy_addr_delta(const xfrm_address_t *a,
|
|
|
|
|
const xfrm_address_t *b,
|
|
|
|
|
u8 prefixlen, u16 family)
|
|
|
|
|
{
|
2020-12-30 16:15:53 +00:00
|
|
|
u32 ma, mb, mask;
|
2018-11-07 22:00:38 +00:00
|
|
|
unsigned int pdw, pbi;
|
|
|
|
|
int delta = 0;
|
|
|
|
|
|
|
|
|
|
switch (family) {
|
|
|
|
|
case AF_INET:
|
2020-12-30 16:15:53 +00:00
|
|
|
if (prefixlen == 0)
|
|
|
|
|
return 0;
|
|
|
|
|
mask = ~0U << (32 - prefixlen);
|
|
|
|
|
ma = ntohl(a->a4) & mask;
|
|
|
|
|
mb = ntohl(b->a4) & mask;
|
|
|
|
|
if (ma < mb)
|
|
|
|
|
delta = -1;
|
|
|
|
|
else if (ma > mb)
|
|
|
|
|
delta = 1;
|
|
|
|
|
break;
|
2018-11-07 22:00:38 +00:00
|
|
|
case AF_INET6:
|
|
|
|
|
pdw = prefixlen >> 5;
|
|
|
|
|
pbi = prefixlen & 0x1f;
|
|
|
|
|
|
|
|
|
|
if (pdw) {
|
|
|
|
|
delta = memcmp(a->a6, b->a6, pdw << 2);
|
|
|
|
|
if (delta)
|
|
|
|
|
return delta;
|
|
|
|
|
}
|
|
|
|
|
if (pbi) {
|
2020-12-30 16:15:53 +00:00
|
|
|
mask = ~0U << (32 - pbi);
|
|
|
|
|
ma = ntohl(a->a6[pdw]) & mask;
|
|
|
|
|
mb = ntohl(b->a6[pdw]) & mask;
|
|
|
|
|
if (ma < mb)
|
|
|
|
|
delta = -1;
|
|
|
|
|
else if (ma > mb)
|
|
|
|
|
delta = 1;
|
2018-11-07 22:00:38 +00:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return delta;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void xfrm_policy_inexact_list_reinsert(struct net *net,
|
|
|
|
|
struct xfrm_pol_inexact_node *n,
|
|
|
|
|
u16 family)
|
|
|
|
|
{
|
2018-11-07 22:00:39 +00:00
|
|
|
unsigned int matched_s, matched_d;
|
2018-11-07 22:00:38 +00:00
|
|
|
struct xfrm_policy *policy, *p;
|
|
|
|
|
|
2018-11-07 22:00:39 +00:00
|
|
|
matched_s = 0;
|
|
|
|
|
matched_d = 0;
|
|
|
|
|
|
2018-11-07 22:00:38 +00:00
|
|
|
list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
|
2019-01-04 13:17:03 +00:00
|
|
|
struct hlist_node *newpos = NULL;
|
2018-11-07 22:00:39 +00:00
|
|
|
bool matches_s, matches_d;
|
|
|
|
|
|
2023-08-15 14:18:34 +00:00
|
|
|
if (policy->walk.dead || !policy->bydst_reinsert)
|
2018-11-07 22:00:38 +00:00
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
WARN_ON_ONCE(policy->family != family);
|
|
|
|
|
|
|
|
|
|
policy->bydst_reinsert = false;
|
|
|
|
|
hlist_for_each_entry(p, &n->hhead, bydst) {
|
2019-01-04 13:17:03 +00:00
|
|
|
if (policy->priority > p->priority)
|
|
|
|
|
newpos = &p->bydst;
|
|
|
|
|
else if (policy->priority == p->priority &&
|
|
|
|
|
policy->pos > p->pos)
|
2018-11-07 22:00:38 +00:00
|
|
|
newpos = &p->bydst;
|
|
|
|
|
else
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-02 18:41:32 +00:00
|
|
|
if (newpos && policy->xdo.type != XFRM_DEV_OFFLOAD_PACKET)
|
2019-01-04 13:17:00 +00:00
|
|
|
hlist_add_behind_rcu(&policy->bydst, newpos);
|
2018-11-07 22:00:38 +00:00
|
|
|
else
|
2019-01-04 13:17:00 +00:00
|
|
|
hlist_add_head_rcu(&policy->bydst, &n->hhead);
|
2018-11-07 22:00:39 +00:00
|
|
|
|
|
|
|
|
/* paranoia checks follow.
|
|
|
|
|
* Check that the reinserted policy matches at least
|
|
|
|
|
* saddr or daddr for current node prefix.
|
|
|
|
|
*
|
|
|
|
|
* Matching both is fine, matching saddr in one policy
|
|
|
|
|
* (but not daddr) and then matching only daddr in another
|
|
|
|
|
* is a bug.
|
|
|
|
|
*/
|
|
|
|
|
matches_s = xfrm_policy_addr_delta(&policy->selector.saddr,
|
|
|
|
|
&n->addr,
|
|
|
|
|
n->prefixlen,
|
|
|
|
|
family) == 0;
|
|
|
|
|
matches_d = xfrm_policy_addr_delta(&policy->selector.daddr,
|
|
|
|
|
&n->addr,
|
|
|
|
|
n->prefixlen,
|
|
|
|
|
family) == 0;
|
|
|
|
|
if (matches_s && matches_d)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
WARN_ON_ONCE(!matches_s && !matches_d);
|
|
|
|
|
if (matches_s)
|
|
|
|
|
matched_s++;
|
|
|
|
|
if (matches_d)
|
|
|
|
|
matched_d++;
|
|
|
|
|
WARN_ON_ONCE(matched_s && matched_d);
|
2018-11-07 22:00:38 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
static void xfrm_policy_inexact_node_reinsert(struct net *net,
|
|
|
|
|
struct xfrm_pol_inexact_node *n,
|
|
|
|
|
struct rb_root *new,
|
|
|
|
|
u16 family)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_pol_inexact_node *node;
|
2019-01-04 13:17:05 +00:00
|
|
|
struct rb_node **p, *parent;
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
|
|
|
|
|
/* we should not have another subtree here */
|
|
|
|
|
WARN_ON_ONCE(!RB_EMPTY_ROOT(&n->root));
|
2019-01-04 13:17:05 +00:00
|
|
|
restart:
|
|
|
|
|
parent = NULL;
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
p = &new->rb_node;
|
|
|
|
|
while (*p) {
|
|
|
|
|
u8 prefixlen;
|
|
|
|
|
int delta;
|
|
|
|
|
|
|
|
|
|
parent = *p;
|
|
|
|
|
node = rb_entry(*p, struct xfrm_pol_inexact_node, node);
|
|
|
|
|
|
|
|
|
|
prefixlen = min(node->prefixlen, n->prefixlen);
|
|
|
|
|
|
|
|
|
|
delta = xfrm_policy_addr_delta(&n->addr, &node->addr,
|
|
|
|
|
prefixlen, family);
|
|
|
|
|
if (delta < 0) {
|
|
|
|
|
p = &parent->rb_left;
|
|
|
|
|
} else if (delta > 0) {
|
|
|
|
|
p = &parent->rb_right;
|
|
|
|
|
} else {
|
2019-08-12 08:32:13 +00:00
|
|
|
bool same_prefixlen = node->prefixlen == n->prefixlen;
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
struct xfrm_policy *tmp;
|
|
|
|
|
|
2019-01-04 13:17:05 +00:00
|
|
|
hlist_for_each_entry(tmp, &n->hhead, bydst) {
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
tmp->bydst_reinsert = true;
|
2019-01-04 13:17:05 +00:00
|
|
|
hlist_del_rcu(&tmp->bydst);
|
|
|
|
|
}
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
|
2019-08-12 08:32:13 +00:00
|
|
|
node->prefixlen = prefixlen;
|
|
|
|
|
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
xfrm_policy_inexact_list_reinsert(net, node, family);
|
|
|
|
|
|
2019-08-12 08:32:13 +00:00
|
|
|
if (same_prefixlen) {
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
kfree_rcu(n, rcu);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rb_erase(*p, new);
|
|
|
|
|
kfree_rcu(n, rcu);
|
|
|
|
|
n = node;
|
2019-01-04 13:17:05 +00:00
|
|
|
goto restart;
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rb_link_node_rcu(&n->node, parent, p);
|
|
|
|
|
rb_insert_color(&n->node, new);
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:38 +00:00
|
|
|
/* merge nodes v and n */
|
|
|
|
|
static void xfrm_policy_inexact_node_merge(struct net *net,
|
|
|
|
|
struct xfrm_pol_inexact_node *v,
|
|
|
|
|
struct xfrm_pol_inexact_node *n,
|
|
|
|
|
u16 family)
|
|
|
|
|
{
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
struct xfrm_pol_inexact_node *node;
|
2018-11-07 22:00:38 +00:00
|
|
|
struct xfrm_policy *tmp;
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
struct rb_node *rnode;
|
|
|
|
|
|
|
|
|
|
/* To-be-merged node v has a subtree.
|
|
|
|
|
*
|
|
|
|
|
* Dismantle it and insert its nodes to n->root.
|
|
|
|
|
*/
|
|
|
|
|
while ((rnode = rb_first(&v->root)) != NULL) {
|
|
|
|
|
node = rb_entry(rnode, struct xfrm_pol_inexact_node, node);
|
|
|
|
|
rb_erase(&node->node, &v->root);
|
|
|
|
|
xfrm_policy_inexact_node_reinsert(net, node, &n->root,
|
|
|
|
|
family);
|
|
|
|
|
}
|
2018-11-07 22:00:38 +00:00
|
|
|
|
2019-01-04 13:17:03 +00:00
|
|
|
hlist_for_each_entry(tmp, &v->hhead, bydst) {
|
2018-11-07 22:00:38 +00:00
|
|
|
tmp->bydst_reinsert = true;
|
2019-01-04 13:17:03 +00:00
|
|
|
hlist_del_rcu(&tmp->bydst);
|
|
|
|
|
}
|
2018-11-07 22:00:38 +00:00
|
|
|
|
|
|
|
|
xfrm_policy_inexact_list_reinsert(net, n, family);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct xfrm_pol_inexact_node *
|
|
|
|
|
xfrm_policy_inexact_insert_node(struct net *net,
|
|
|
|
|
struct rb_root *root,
|
|
|
|
|
xfrm_address_t *addr,
|
|
|
|
|
u16 family, u8 prefixlen, u8 dir)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_pol_inexact_node *cached = NULL;
|
|
|
|
|
struct rb_node **p, *parent = NULL;
|
|
|
|
|
struct xfrm_pol_inexact_node *node;
|
|
|
|
|
|
|
|
|
|
p = &root->rb_node;
|
|
|
|
|
while (*p) {
|
|
|
|
|
int delta;
|
|
|
|
|
|
|
|
|
|
parent = *p;
|
|
|
|
|
node = rb_entry(*p, struct xfrm_pol_inexact_node, node);
|
|
|
|
|
|
|
|
|
|
delta = xfrm_policy_addr_delta(addr, &node->addr,
|
|
|
|
|
node->prefixlen,
|
|
|
|
|
family);
|
|
|
|
|
if (delta == 0 && prefixlen >= node->prefixlen) {
|
|
|
|
|
WARN_ON_ONCE(cached); /* ipsec policies got lost */
|
|
|
|
|
return node;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (delta < 0)
|
|
|
|
|
p = &parent->rb_left;
|
|
|
|
|
else
|
|
|
|
|
p = &parent->rb_right;
|
|
|
|
|
|
|
|
|
|
if (prefixlen < node->prefixlen) {
|
|
|
|
|
delta = xfrm_policy_addr_delta(addr, &node->addr,
|
|
|
|
|
prefixlen,
|
|
|
|
|
family);
|
|
|
|
|
if (delta)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
/* This node is a subnet of the new prefix. It needs
|
|
|
|
|
* to be removed and re-inserted with the smaller
|
|
|
|
|
* prefix and all nodes that are now also covered
|
|
|
|
|
* by the reduced prefixlen.
|
|
|
|
|
*/
|
|
|
|
|
rb_erase(&node->node, root);
|
|
|
|
|
|
|
|
|
|
if (!cached) {
|
|
|
|
|
xfrm_pol_inexact_node_init(node, addr,
|
|
|
|
|
prefixlen);
|
|
|
|
|
cached = node;
|
|
|
|
|
} else {
|
|
|
|
|
/* This node also falls within the new
|
|
|
|
|
* prefixlen. Merge the to-be-reinserted
|
|
|
|
|
* node and this one.
|
|
|
|
|
*/
|
|
|
|
|
xfrm_policy_inexact_node_merge(net, node,
|
|
|
|
|
cached, family);
|
|
|
|
|
kfree_rcu(node, rcu);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* restart */
|
|
|
|
|
p = &root->rb_node;
|
|
|
|
|
parent = NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
node = cached;
|
|
|
|
|
if (!node) {
|
|
|
|
|
node = xfrm_pol_inexact_node_alloc(addr, prefixlen);
|
|
|
|
|
if (!node)
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rb_link_node_rcu(&node->node, parent, p);
|
|
|
|
|
rb_insert_color(&node->node, root);
|
|
|
|
|
|
|
|
|
|
return node;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void xfrm_policy_inexact_gc_tree(struct rb_root *r, bool rm)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_pol_inexact_node *node;
|
|
|
|
|
struct rb_node *rn = rb_first(r);
|
|
|
|
|
|
|
|
|
|
while (rn) {
|
|
|
|
|
node = rb_entry(rn, struct xfrm_pol_inexact_node, node);
|
|
|
|
|
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
xfrm_policy_inexact_gc_tree(&node->root, rm);
|
2018-11-07 22:00:38 +00:00
|
|
|
rn = rb_next(rn);
|
|
|
|
|
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
if (!hlist_empty(&node->hhead) || !RB_EMPTY_ROOT(&node->root)) {
|
2018-11-07 22:00:38 +00:00
|
|
|
WARN_ON_ONCE(rm);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rb_erase(&node->node, r);
|
|
|
|
|
kfree_rcu(node, rcu);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
static void __xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b, bool net_exit)
|
|
|
|
|
{
|
2018-11-07 22:00:38 +00:00
|
|
|
write_seqcount_begin(&b->count);
|
|
|
|
|
xfrm_policy_inexact_gc_tree(&b->root_d, net_exit);
|
2018-11-07 22:00:40 +00:00
|
|
|
xfrm_policy_inexact_gc_tree(&b->root_s, net_exit);
|
2018-11-07 22:00:38 +00:00
|
|
|
write_seqcount_end(&b->count);
|
|
|
|
|
|
2018-11-07 22:00:40 +00:00
|
|
|
if (!RB_EMPTY_ROOT(&b->root_d) || !RB_EMPTY_ROOT(&b->root_s) ||
|
2018-11-07 22:00:38 +00:00
|
|
|
!hlist_empty(&b->hhead)) {
|
2018-11-07 22:00:37 +00:00
|
|
|
WARN_ON_ONCE(net_exit);
|
2018-11-07 22:00:35 +00:00
|
|
|
return;
|
2018-11-07 22:00:37 +00:00
|
|
|
}
|
2018-11-07 22:00:35 +00:00
|
|
|
|
|
|
|
|
if (rhashtable_remove_fast(&xfrm_policy_inexact_table, &b->head,
|
|
|
|
|
xfrm_pol_inexact_params) == 0) {
|
|
|
|
|
list_del(&b->inexact_bins);
|
|
|
|
|
kfree_rcu(b, rcu);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
static void xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b)
|
|
|
|
|
{
|
|
|
|
|
struct net *net = read_pnet(&b->k.net);
|
|
|
|
|
|
|
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
__xfrm_policy_inexact_prune_bin(b, false);
|
|
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
static void __xfrm_policy_inexact_flush(struct net *net)
|
|
|
|
|
{
|
2018-11-07 22:00:37 +00:00
|
|
|
struct xfrm_pol_inexact_bin *bin, *t;
|
2018-11-07 22:00:35 +00:00
|
|
|
|
|
|
|
|
lockdep_assert_held(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
list_for_each_entry_safe(bin, t, &net->xfrm.inexact_bins, inexact_bins)
|
|
|
|
|
__xfrm_policy_inexact_prune_bin(bin, false);
|
2018-11-07 22:00:35 +00:00
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:38 +00:00
|
|
|
static struct hlist_head *
|
|
|
|
|
xfrm_policy_inexact_alloc_chain(struct xfrm_pol_inexact_bin *bin,
|
|
|
|
|
struct xfrm_policy *policy, u8 dir)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_pol_inexact_node *n;
|
|
|
|
|
struct net *net;
|
|
|
|
|
|
|
|
|
|
net = xp_net(policy);
|
|
|
|
|
lockdep_assert_held(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
|
|
|
|
|
if (xfrm_policy_inexact_insert_use_any_list(policy))
|
|
|
|
|
return &bin->hhead;
|
|
|
|
|
|
2018-11-07 22:00:40 +00:00
|
|
|
if (xfrm_pol_inexact_addr_use_any_list(&policy->selector.daddr,
|
|
|
|
|
policy->family,
|
|
|
|
|
policy->selector.prefixlen_d)) {
|
|
|
|
|
write_seqcount_begin(&bin->count);
|
|
|
|
|
n = xfrm_policy_inexact_insert_node(net,
|
|
|
|
|
&bin->root_s,
|
|
|
|
|
&policy->selector.saddr,
|
|
|
|
|
policy->family,
|
|
|
|
|
policy->selector.prefixlen_s,
|
|
|
|
|
dir);
|
|
|
|
|
write_seqcount_end(&bin->count);
|
|
|
|
|
if (!n)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
return &n->hhead;
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:38 +00:00
|
|
|
/* daddr is fixed */
|
|
|
|
|
write_seqcount_begin(&bin->count);
|
|
|
|
|
n = xfrm_policy_inexact_insert_node(net,
|
|
|
|
|
&bin->root_d,
|
|
|
|
|
&policy->selector.daddr,
|
|
|
|
|
policy->family,
|
|
|
|
|
policy->selector.prefixlen_d, dir);
|
|
|
|
|
write_seqcount_end(&bin->count);
|
|
|
|
|
if (!n)
|
|
|
|
|
return NULL;
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
|
|
|
|
|
/* saddr is wildcard */
|
|
|
|
|
if (xfrm_pol_inexact_addr_use_any_list(&policy->selector.saddr,
|
|
|
|
|
policy->family,
|
|
|
|
|
policy->selector.prefixlen_s))
|
|
|
|
|
return &n->hhead;
|
|
|
|
|
|
|
|
|
|
write_seqcount_begin(&bin->count);
|
|
|
|
|
n = xfrm_policy_inexact_insert_node(net,
|
|
|
|
|
&n->root,
|
|
|
|
|
&policy->selector.saddr,
|
|
|
|
|
policy->family,
|
|
|
|
|
policy->selector.prefixlen_s, dir);
|
|
|
|
|
write_seqcount_end(&bin->count);
|
|
|
|
|
if (!n)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
2018-11-07 22:00:38 +00:00
|
|
|
return &n->hhead;
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
static struct xfrm_policy *
|
|
|
|
|
xfrm_policy_inexact_insert(struct xfrm_policy *policy, u8 dir, int excl)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_pol_inexact_bin *bin;
|
|
|
|
|
struct xfrm_policy *delpol;
|
|
|
|
|
struct hlist_head *chain;
|
|
|
|
|
struct net *net;
|
|
|
|
|
|
|
|
|
|
bin = xfrm_policy_inexact_alloc_bin(policy, dir);
|
|
|
|
|
if (!bin)
|
|
|
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
net = xp_net(policy);
|
|
|
|
|
lockdep_assert_held(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
|
2018-11-07 22:00:38 +00:00
|
|
|
chain = xfrm_policy_inexact_alloc_chain(bin, policy, dir);
|
|
|
|
|
if (!chain) {
|
|
|
|
|
__xfrm_policy_inexact_prune_bin(bin, false);
|
|
|
|
|
return ERR_PTR(-ENOMEM);
|
2018-11-07 22:00:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
delpol = xfrm_policy_insert_list(chain, policy, excl);
|
|
|
|
|
if (delpol && excl) {
|
|
|
|
|
__xfrm_policy_inexact_prune_bin(bin, false);
|
2018-11-07 22:00:35 +00:00
|
|
|
return ERR_PTR(-EEXIST);
|
2018-11-07 22:00:37 +00:00
|
|
|
}
|
2018-11-07 22:00:35 +00:00
|
|
|
|
|
|
|
|
chain = &net->xfrm.policy_inexact[dir];
|
|
|
|
|
xfrm_policy_insert_inexact_list(chain, policy);
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
if (delpol)
|
|
|
|
|
__xfrm_policy_inexact_prune_bin(bin, false);
|
|
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
return delpol;
|
|
|
|
|
}
|
|
|
|
|
|
xfrm: configure policy hash table thresholds by netlink
Enable to specify local and remote prefix length thresholds for the
policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
example:
struct xfrmu_spdhthresh thresh4 = {
.lbits = 0;
.rbits = 24;
};
struct xfrmu_spdhthresh thresh6 = {
.lbits = 0;
.rbits = 56;
};
struct nlmsghdr *hdr;
struct nl_msg *msg;
msg = nlmsg_alloc();
hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRMA_SPD_IPV4_HTHRESH, sizeof(__u32), NLM_F_REQUEST);
nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
nla_send_auto(sk, msg);
The numbers are the policy selector minimum prefix lengths to put a
policy in the hash table.
- lbits is the local threshold (source address for out policies,
destination address for in and fwd policies).
- rbits is the remote threshold (destination address for out
policies, source address for in and fwd policies).
The default values are:
XFRMA_SPD_IPV4_HTHRESH: 32 32
XFRMA_SPD_IPV6_HTHRESH: 128 128
Dynamic re-building of the SPD is performed when the thresholds values
are changed.
The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
the kernel replies to XFRM_MSG_GETSPDINFO requests by an
XFRM_MSG_NEWSPDINFO message, with both attributes
XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:05 +00:00
|
|
|
static void xfrm_hash_rebuild(struct work_struct *work)
|
|
|
|
|
{
|
|
|
|
|
struct net *net = container_of(work, struct net,
|
|
|
|
|
xfrm.policy_hthresh.work);
|
|
|
|
|
unsigned int hmask;
|
|
|
|
|
struct xfrm_policy *pol;
|
|
|
|
|
struct xfrm_policy *policy;
|
|
|
|
|
struct hlist_head *chain;
|
|
|
|
|
struct hlist_head *odst;
|
|
|
|
|
struct hlist_node *newpos;
|
|
|
|
|
int i;
|
|
|
|
|
int dir;
|
|
|
|
|
unsigned seq;
|
|
|
|
|
u8 lbits4, rbits4, lbits6, rbits6;
|
|
|
|
|
|
|
|
|
|
mutex_lock(&hash_resize_mutex);
|
|
|
|
|
|
|
|
|
|
/* read selector prefixlen thresholds */
|
|
|
|
|
do {
|
|
|
|
|
seq = read_seqbegin(&net->xfrm.policy_hthresh.lock);
|
|
|
|
|
|
|
|
|
|
lbits4 = net->xfrm.policy_hthresh.lbits4;
|
|
|
|
|
rbits4 = net->xfrm.policy_hthresh.rbits4;
|
|
|
|
|
lbits6 = net->xfrm.policy_hthresh.lbits6;
|
|
|
|
|
rbits6 = net->xfrm.policy_hthresh.rbits6;
|
|
|
|
|
} while (read_seqretry(&net->xfrm.policy_hthresh.lock, seq));
|
|
|
|
|
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
2021-06-28 13:34:28 +00:00
|
|
|
write_seqcount_begin(&net->xfrm.xfrm_policy_hash_generation);
|
xfrm: configure policy hash table thresholds by netlink
Enable to specify local and remote prefix length thresholds for the
policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
example:
struct xfrmu_spdhthresh thresh4 = {
.lbits = 0;
.rbits = 24;
};
struct xfrmu_spdhthresh thresh6 = {
.lbits = 0;
.rbits = 56;
};
struct nlmsghdr *hdr;
struct nl_msg *msg;
msg = nlmsg_alloc();
hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRMA_SPD_IPV4_HTHRESH, sizeof(__u32), NLM_F_REQUEST);
nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
nla_send_auto(sk, msg);
The numbers are the policy selector minimum prefix lengths to put a
policy in the hash table.
- lbits is the local threshold (source address for out policies,
destination address for in and fwd policies).
- rbits is the remote threshold (destination address for out
policies, source address for in and fwd policies).
The default values are:
XFRMA_SPD_IPV4_HTHRESH: 32 32
XFRMA_SPD_IPV6_HTHRESH: 128 128
Dynamic re-building of the SPD is performed when the thresholds values
are changed.
The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
the kernel replies to XFRM_MSG_GETSPDINFO requests by an
XFRM_MSG_NEWSPDINFO message, with both attributes
XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:05 +00:00
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
/* make sure that we can insert the indirect policies again before
|
|
|
|
|
* we start with destructive action.
|
|
|
|
|
*/
|
|
|
|
|
list_for_each_entry(policy, &net->xfrm.policy_all, walk.all) {
|
2018-11-07 22:00:37 +00:00
|
|
|
struct xfrm_pol_inexact_bin *bin;
|
2018-11-07 22:00:35 +00:00
|
|
|
u8 dbits, sbits;
|
|
|
|
|
|
2023-08-15 14:18:34 +00:00
|
|
|
if (policy->walk.dead)
|
|
|
|
|
continue;
|
|
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
dir = xfrm_policy_id2dir(policy->index);
|
2023-08-15 14:18:34 +00:00
|
|
|
if (dir >= XFRM_POLICY_MAX)
|
2018-11-07 22:00:35 +00:00
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if ((dir & XFRM_POLICY_MASK) == XFRM_POLICY_OUT) {
|
|
|
|
|
if (policy->family == AF_INET) {
|
|
|
|
|
dbits = rbits4;
|
|
|
|
|
sbits = lbits4;
|
|
|
|
|
} else {
|
|
|
|
|
dbits = rbits6;
|
|
|
|
|
sbits = lbits6;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (policy->family == AF_INET) {
|
|
|
|
|
dbits = lbits4;
|
|
|
|
|
sbits = rbits4;
|
|
|
|
|
} else {
|
|
|
|
|
dbits = lbits6;
|
|
|
|
|
sbits = rbits6;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (policy->selector.prefixlen_d < dbits ||
|
|
|
|
|
policy->selector.prefixlen_s < sbits)
|
|
|
|
|
continue;
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
bin = xfrm_policy_inexact_alloc_bin(policy, dir);
|
|
|
|
|
if (!bin)
|
2018-11-07 22:00:35 +00:00
|
|
|
goto out_unlock;
|
2018-11-07 22:00:38 +00:00
|
|
|
|
|
|
|
|
if (!xfrm_policy_inexact_alloc_chain(bin, policy, dir))
|
|
|
|
|
goto out_unlock;
|
2018-11-07 22:00:35 +00:00
|
|
|
}
|
|
|
|
|
|
xfrm: configure policy hash table thresholds by netlink
Enable to specify local and remote prefix length thresholds for the
policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
example:
struct xfrmu_spdhthresh thresh4 = {
.lbits = 0;
.rbits = 24;
};
struct xfrmu_spdhthresh thresh6 = {
.lbits = 0;
.rbits = 56;
};
struct nlmsghdr *hdr;
struct nl_msg *msg;
msg = nlmsg_alloc();
hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRMA_SPD_IPV4_HTHRESH, sizeof(__u32), NLM_F_REQUEST);
nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
nla_send_auto(sk, msg);
The numbers are the policy selector minimum prefix lengths to put a
policy in the hash table.
- lbits is the local threshold (source address for out policies,
destination address for in and fwd policies).
- rbits is the remote threshold (destination address for out
policies, source address for in and fwd policies).
The default values are:
XFRMA_SPD_IPV4_HTHRESH: 32 32
XFRMA_SPD_IPV6_HTHRESH: 128 128
Dynamic re-building of the SPD is performed when the thresholds values
are changed.
The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
the kernel replies to XFRM_MSG_GETSPDINFO requests by an
XFRM_MSG_NEWSPDINFO message, with both attributes
XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:05 +00:00
|
|
|
/* reset the bydst and inexact table in all directions */
|
2014-11-13 09:09:49 +00:00
|
|
|
for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
|
2019-01-04 13:17:02 +00:00
|
|
|
struct hlist_node *n;
|
|
|
|
|
|
|
|
|
|
hlist_for_each_entry_safe(policy, n,
|
|
|
|
|
&net->xfrm.policy_inexact[dir],
|
2019-07-02 10:46:00 +00:00
|
|
|
bydst_inexact_list) {
|
|
|
|
|
hlist_del_rcu(&policy->bydst);
|
2019-01-04 13:17:02 +00:00
|
|
|
hlist_del_init(&policy->bydst_inexact_list);
|
2019-07-02 10:46:00 +00:00
|
|
|
}
|
2019-01-04 13:17:02 +00:00
|
|
|
|
xfrm: configure policy hash table thresholds by netlink
Enable to specify local and remote prefix length thresholds for the
policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
example:
struct xfrmu_spdhthresh thresh4 = {
.lbits = 0;
.rbits = 24;
};
struct xfrmu_spdhthresh thresh6 = {
.lbits = 0;
.rbits = 56;
};
struct nlmsghdr *hdr;
struct nl_msg *msg;
msg = nlmsg_alloc();
hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRMA_SPD_IPV4_HTHRESH, sizeof(__u32), NLM_F_REQUEST);
nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
nla_send_auto(sk, msg);
The numbers are the policy selector minimum prefix lengths to put a
policy in the hash table.
- lbits is the local threshold (source address for out policies,
destination address for in and fwd policies).
- rbits is the remote threshold (destination address for out
policies, source address for in and fwd policies).
The default values are:
XFRMA_SPD_IPV4_HTHRESH: 32 32
XFRMA_SPD_IPV6_HTHRESH: 128 128
Dynamic re-building of the SPD is performed when the thresholds values
are changed.
The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
the kernel replies to XFRM_MSG_GETSPDINFO requests by an
XFRM_MSG_NEWSPDINFO message, with both attributes
XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:05 +00:00
|
|
|
hmask = net->xfrm.policy_bydst[dir].hmask;
|
|
|
|
|
odst = net->xfrm.policy_bydst[dir].table;
|
2019-07-02 10:46:00 +00:00
|
|
|
for (i = hmask; i >= 0; i--) {
|
|
|
|
|
hlist_for_each_entry_safe(policy, n, odst + i, bydst)
|
|
|
|
|
hlist_del_rcu(&policy->bydst);
|
|
|
|
|
}
|
xfrm: configure policy hash table thresholds by netlink
Enable to specify local and remote prefix length thresholds for the
policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
example:
struct xfrmu_spdhthresh thresh4 = {
.lbits = 0;
.rbits = 24;
};
struct xfrmu_spdhthresh thresh6 = {
.lbits = 0;
.rbits = 56;
};
struct nlmsghdr *hdr;
struct nl_msg *msg;
msg = nlmsg_alloc();
hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRMA_SPD_IPV4_HTHRESH, sizeof(__u32), NLM_F_REQUEST);
nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
nla_send_auto(sk, msg);
The numbers are the policy selector minimum prefix lengths to put a
policy in the hash table.
- lbits is the local threshold (source address for out policies,
destination address for in and fwd policies).
- rbits is the remote threshold (destination address for out
policies, source address for in and fwd policies).
The default values are:
XFRMA_SPD_IPV4_HTHRESH: 32 32
XFRMA_SPD_IPV6_HTHRESH: 128 128
Dynamic re-building of the SPD is performed when the thresholds values
are changed.
The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
the kernel replies to XFRM_MSG_GETSPDINFO requests by an
XFRM_MSG_NEWSPDINFO message, with both attributes
XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:05 +00:00
|
|
|
if ((dir & XFRM_POLICY_MASK) == XFRM_POLICY_OUT) {
|
|
|
|
|
/* dir out => dst = remote, src = local */
|
|
|
|
|
net->xfrm.policy_bydst[dir].dbits4 = rbits4;
|
|
|
|
|
net->xfrm.policy_bydst[dir].sbits4 = lbits4;
|
|
|
|
|
net->xfrm.policy_bydst[dir].dbits6 = rbits6;
|
|
|
|
|
net->xfrm.policy_bydst[dir].sbits6 = lbits6;
|
|
|
|
|
} else {
|
|
|
|
|
/* dir in/fwd => dst = local, src = remote */
|
|
|
|
|
net->xfrm.policy_bydst[dir].dbits4 = lbits4;
|
|
|
|
|
net->xfrm.policy_bydst[dir].sbits4 = rbits4;
|
|
|
|
|
net->xfrm.policy_bydst[dir].dbits6 = lbits6;
|
|
|
|
|
net->xfrm.policy_bydst[dir].sbits6 = rbits6;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* re-insert all policies by order of creation */
|
|
|
|
|
list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
|
2018-11-27 12:28:54 +00:00
|
|
|
if (policy->walk.dead)
|
|
|
|
|
continue;
|
|
|
|
|
dir = xfrm_policy_id2dir(policy->index);
|
|
|
|
|
if (dir >= XFRM_POLICY_MAX) {
|
2016-07-29 07:57:32 +00:00
|
|
|
/* skip socket policies */
|
|
|
|
|
continue;
|
|
|
|
|
}
|
xfrm: configure policy hash table thresholds by netlink
Enable to specify local and remote prefix length thresholds for the
policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
example:
struct xfrmu_spdhthresh thresh4 = {
.lbits = 0;
.rbits = 24;
};
struct xfrmu_spdhthresh thresh6 = {
.lbits = 0;
.rbits = 56;
};
struct nlmsghdr *hdr;
struct nl_msg *msg;
msg = nlmsg_alloc();
hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRMA_SPD_IPV4_HTHRESH, sizeof(__u32), NLM_F_REQUEST);
nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
nla_send_auto(sk, msg);
The numbers are the policy selector minimum prefix lengths to put a
policy in the hash table.
- lbits is the local threshold (source address for out policies,
destination address for in and fwd policies).
- rbits is the remote threshold (destination address for out
policies, source address for in and fwd policies).
The default values are:
XFRMA_SPD_IPV4_HTHRESH: 32 32
XFRMA_SPD_IPV6_HTHRESH: 128 128
Dynamic re-building of the SPD is performed when the thresholds values
are changed.
The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
the kernel replies to XFRM_MSG_GETSPDINFO requests by an
XFRM_MSG_NEWSPDINFO message, with both attributes
XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:05 +00:00
|
|
|
newpos = NULL;
|
|
|
|
|
chain = policy_hash_bysel(net, &policy->selector,
|
2018-11-27 12:28:54 +00:00
|
|
|
policy->family, dir);
|
2019-01-04 13:17:02 +00:00
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
if (!chain) {
|
|
|
|
|
void *p = xfrm_policy_inexact_insert(policy, dir, 0);
|
|
|
|
|
|
|
|
|
|
WARN_ONCE(IS_ERR(p), "reinsert: %ld\n", PTR_ERR(p));
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
xfrm: configure policy hash table thresholds by netlink
Enable to specify local and remote prefix length thresholds for the
policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
example:
struct xfrmu_spdhthresh thresh4 = {
.lbits = 0;
.rbits = 24;
};
struct xfrmu_spdhthresh thresh6 = {
.lbits = 0;
.rbits = 56;
};
struct nlmsghdr *hdr;
struct nl_msg *msg;
msg = nlmsg_alloc();
hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRMA_SPD_IPV4_HTHRESH, sizeof(__u32), NLM_F_REQUEST);
nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
nla_send_auto(sk, msg);
The numbers are the policy selector minimum prefix lengths to put a
policy in the hash table.
- lbits is the local threshold (source address for out policies,
destination address for in and fwd policies).
- rbits is the remote threshold (destination address for out
policies, source address for in and fwd policies).
The default values are:
XFRMA_SPD_IPV4_HTHRESH: 32 32
XFRMA_SPD_IPV6_HTHRESH: 128 128
Dynamic re-building of the SPD is performed when the thresholds values
are changed.
The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
the kernel replies to XFRM_MSG_GETSPDINFO requests by an
XFRM_MSG_NEWSPDINFO message, with both attributes
XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:05 +00:00
|
|
|
hlist_for_each_entry(pol, chain, bydst) {
|
|
|
|
|
if (policy->priority >= pol->priority)
|
|
|
|
|
newpos = &pol->bydst;
|
|
|
|
|
else
|
|
|
|
|
break;
|
|
|
|
|
}
|
2022-12-02 18:41:32 +00:00
|
|
|
if (newpos && policy->xdo.type != XFRM_DEV_OFFLOAD_PACKET)
|
2018-10-10 16:02:21 +00:00
|
|
|
hlist_add_behind_rcu(&policy->bydst, newpos);
|
xfrm: configure policy hash table thresholds by netlink
Enable to specify local and remote prefix length thresholds for the
policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
example:
struct xfrmu_spdhthresh thresh4 = {
.lbits = 0;
.rbits = 24;
};
struct xfrmu_spdhthresh thresh6 = {
.lbits = 0;
.rbits = 56;
};
struct nlmsghdr *hdr;
struct nl_msg *msg;
msg = nlmsg_alloc();
hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRMA_SPD_IPV4_HTHRESH, sizeof(__u32), NLM_F_REQUEST);
nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
nla_send_auto(sk, msg);
The numbers are the policy selector minimum prefix lengths to put a
policy in the hash table.
- lbits is the local threshold (source address for out policies,
destination address for in and fwd policies).
- rbits is the remote threshold (destination address for out
policies, source address for in and fwd policies).
The default values are:
XFRMA_SPD_IPV4_HTHRESH: 32 32
XFRMA_SPD_IPV6_HTHRESH: 128 128
Dynamic re-building of the SPD is performed when the thresholds values
are changed.
The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
the kernel replies to XFRM_MSG_GETSPDINFO requests by an
XFRM_MSG_NEWSPDINFO message, with both attributes
XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:05 +00:00
|
|
|
else
|
2018-10-10 16:02:21 +00:00
|
|
|
hlist_add_head_rcu(&policy->bydst, chain);
|
xfrm: configure policy hash table thresholds by netlink
Enable to specify local and remote prefix length thresholds for the
policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
example:
struct xfrmu_spdhthresh thresh4 = {
.lbits = 0;
.rbits = 24;
};
struct xfrmu_spdhthresh thresh6 = {
.lbits = 0;
.rbits = 56;
};
struct nlmsghdr *hdr;
struct nl_msg *msg;
msg = nlmsg_alloc();
hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRMA_SPD_IPV4_HTHRESH, sizeof(__u32), NLM_F_REQUEST);
nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
nla_send_auto(sk, msg);
The numbers are the policy selector minimum prefix lengths to put a
policy in the hash table.
- lbits is the local threshold (source address for out policies,
destination address for in and fwd policies).
- rbits is the remote threshold (destination address for out
policies, source address for in and fwd policies).
The default values are:
XFRMA_SPD_IPV4_HTHRESH: 32 32
XFRMA_SPD_IPV6_HTHRESH: 128 128
Dynamic re-building of the SPD is performed when the thresholds values
are changed.
The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
the kernel replies to XFRM_MSG_GETSPDINFO requests by an
XFRM_MSG_NEWSPDINFO message, with both attributes
XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:05 +00:00
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
out_unlock:
|
2018-11-07 22:00:37 +00:00
|
|
|
__xfrm_policy_inexact_flush(net);
|
2021-06-28 13:34:28 +00:00
|
|
|
write_seqcount_end(&net->xfrm.xfrm_policy_hash_generation);
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
xfrm: configure policy hash table thresholds by netlink
Enable to specify local and remote prefix length thresholds for the
policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
example:
struct xfrmu_spdhthresh thresh4 = {
.lbits = 0;
.rbits = 24;
};
struct xfrmu_spdhthresh thresh6 = {
.lbits = 0;
.rbits = 56;
};
struct nlmsghdr *hdr;
struct nl_msg *msg;
msg = nlmsg_alloc();
hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRMA_SPD_IPV4_HTHRESH, sizeof(__u32), NLM_F_REQUEST);
nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
nla_send_auto(sk, msg);
The numbers are the policy selector minimum prefix lengths to put a
policy in the hash table.
- lbits is the local threshold (source address for out policies,
destination address for in and fwd policies).
- rbits is the remote threshold (destination address for out
policies, source address for in and fwd policies).
The default values are:
XFRMA_SPD_IPV4_HTHRESH: 32 32
XFRMA_SPD_IPV6_HTHRESH: 128 128
Dynamic re-building of the SPD is performed when the thresholds values
are changed.
The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
the kernel replies to XFRM_MSG_GETSPDINFO requests by an
XFRM_MSG_NEWSPDINFO message, with both attributes
XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:05 +00:00
|
|
|
|
|
|
|
|
mutex_unlock(&hash_resize_mutex);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void xfrm_policy_hash_rebuild(struct net *net)
|
|
|
|
|
{
|
|
|
|
|
schedule_work(&net->xfrm.policy_hthresh.work);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_hash_rebuild);
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* Generate new index... KAME seems to generate them ordered by cost
|
|
|
|
|
* of an absolute inpredictability of ordering of rules. This will not pass. */
|
2013-11-07 09:47:48 +00:00
|
|
|
static u32 xfrm_gen_index(struct net *net, int dir, u32 index)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
for (;;) {
|
2006-08-24 11:45:07 +00:00
|
|
|
struct hlist_head *list;
|
|
|
|
|
struct xfrm_policy *p;
|
|
|
|
|
u32 idx;
|
|
|
|
|
int found;
|
|
|
|
|
|
2013-11-07 09:47:48 +00:00
|
|
|
if (!index) {
|
2023-09-08 18:13:59 +00:00
|
|
|
idx = (net->xfrm.idx_generator | dir);
|
|
|
|
|
net->xfrm.idx_generator += 8;
|
2013-11-07 09:47:48 +00:00
|
|
|
} else {
|
|
|
|
|
idx = index;
|
|
|
|
|
index = 0;
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (idx == 0)
|
|
|
|
|
idx = 8;
|
2008-11-26 01:33:06 +00:00
|
|
|
list = net->xfrm.policy_byidx + idx_hash(net, idx);
|
2006-08-24 11:45:07 +00:00
|
|
|
found = 0;
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 01:06:00 +00:00
|
|
|
hlist_for_each_entry(p, list, byidx) {
|
2006-08-24 11:45:07 +00:00
|
|
|
if (p->index == idx) {
|
|
|
|
|
found = 1;
|
2005-04-16 22:20:36 +00:00
|
|
|
break;
|
2006-08-24 11:45:07 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2006-08-24 11:45:07 +00:00
|
|
|
if (!found)
|
2005-04-16 22:20:36 +00:00
|
|
|
return idx;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2006-08-24 11:45:07 +00:00
|
|
|
static inline int selector_cmp(struct xfrm_selector *s1, struct xfrm_selector *s2)
|
|
|
|
|
{
|
|
|
|
|
u32 *p1 = (u32 *) s1;
|
|
|
|
|
u32 *p2 = (u32 *) s2;
|
|
|
|
|
int len = sizeof(struct xfrm_selector) / sizeof(u32);
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < len; i++) {
|
|
|
|
|
if (p1[i] != p2[i])
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2013-02-05 11:52:55 +00:00
|
|
|
static void xfrm_policy_requeue(struct xfrm_policy *old,
|
|
|
|
|
struct xfrm_policy *new)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_policy_queue *pq = &old->polq;
|
|
|
|
|
struct sk_buff_head list;
|
|
|
|
|
|
2015-04-30 09:25:19 +00:00
|
|
|
if (skb_queue_empty(&pq->hold_queue))
|
|
|
|
|
return;
|
|
|
|
|
|
2013-02-05 11:52:55 +00:00
|
|
|
__skb_queue_head_init(&list);
|
|
|
|
|
|
|
|
|
|
spin_lock_bh(&pq->hold_queue.lock);
|
|
|
|
|
skb_queue_splice_init(&pq->hold_queue, &list);
|
2013-10-08 08:49:45 +00:00
|
|
|
if (del_timer(&pq->hold_timer))
|
|
|
|
|
xfrm_pol_put(old);
|
2013-02-05 11:52:55 +00:00
|
|
|
spin_unlock_bh(&pq->hold_queue.lock);
|
|
|
|
|
|
|
|
|
|
pq = &new->polq;
|
|
|
|
|
|
|
|
|
|
spin_lock_bh(&pq->hold_queue.lock);
|
|
|
|
|
skb_queue_splice(&list, &pq->hold_queue);
|
|
|
|
|
pq->timeout = XFRM_QUEUE_TMO_MIN;
|
2013-10-08 08:49:45 +00:00
|
|
|
if (!mod_timer(&pq->hold_timer, jiffies))
|
|
|
|
|
xfrm_pol_hold(new);
|
2013-02-05 11:52:55 +00:00
|
|
|
spin_unlock_bh(&pq->hold_queue.lock);
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-22 08:40:29 +00:00
|
|
|
static inline bool xfrm_policy_mark_match(const struct xfrm_mark *mark,
|
|
|
|
|
struct xfrm_policy *pol)
|
2013-02-11 06:02:36 +00:00
|
|
|
{
|
2020-06-22 08:40:29 +00:00
|
|
|
return mark->v == pol->mark.v && mark->m == pol->mark.m;
|
2013-02-11 06:02:36 +00:00
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
static u32 xfrm_pol_bin_key(const void *data, u32 len, u32 seed)
|
|
|
|
|
{
|
|
|
|
|
const struct xfrm_pol_inexact_key *k = data;
|
|
|
|
|
u32 a = k->type << 24 | k->dir << 16 | k->family;
|
|
|
|
|
|
2018-11-07 22:00:36 +00:00
|
|
|
return jhash_3words(a, k->if_id, net_hash_mix(read_pnet(&k->net)),
|
|
|
|
|
seed);
|
2018-11-07 22:00:35 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static u32 xfrm_pol_bin_obj(const void *data, u32 len, u32 seed)
|
|
|
|
|
{
|
|
|
|
|
const struct xfrm_pol_inexact_bin *b = data;
|
|
|
|
|
|
|
|
|
|
return xfrm_pol_bin_key(&b->k, 0, seed);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int xfrm_pol_bin_cmp(struct rhashtable_compare_arg *arg,
|
|
|
|
|
const void *ptr)
|
|
|
|
|
{
|
|
|
|
|
const struct xfrm_pol_inexact_key *key = arg->key;
|
|
|
|
|
const struct xfrm_pol_inexact_bin *b = ptr;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
if (!net_eq(read_pnet(&b->k.net), read_pnet(&key->net)))
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
ret = b->k.dir ^ key->dir;
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
ret = b->k.type ^ key->type;
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
ret = b->k.family ^ key->family;
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
2018-11-07 22:00:36 +00:00
|
|
|
return b->k.if_id ^ key->if_id;
|
2018-11-07 22:00:35 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const struct rhashtable_params xfrm_pol_inexact_params = {
|
|
|
|
|
.head_offset = offsetof(struct xfrm_pol_inexact_bin, head),
|
|
|
|
|
.hashfn = xfrm_pol_bin_key,
|
|
|
|
|
.obj_hashfn = xfrm_pol_bin_obj,
|
|
|
|
|
.obj_cmpfn = xfrm_pol_bin_cmp,
|
|
|
|
|
.automatic_shrinking = true,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static void xfrm_policy_insert_inexact_list(struct hlist_head *chain,
|
|
|
|
|
struct xfrm_policy *policy)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_policy *pol, *delpol = NULL;
|
|
|
|
|
struct hlist_node *newpos = NULL;
|
2018-11-07 22:00:37 +00:00
|
|
|
int i = 0;
|
2018-11-07 22:00:35 +00:00
|
|
|
|
|
|
|
|
hlist_for_each_entry(pol, chain, bydst_inexact_list) {
|
|
|
|
|
if (pol->type == policy->type &&
|
|
|
|
|
pol->if_id == policy->if_id &&
|
|
|
|
|
!selector_cmp(&pol->selector, &policy->selector) &&
|
2020-06-22 08:40:29 +00:00
|
|
|
xfrm_policy_mark_match(&policy->mark, pol) &&
|
2018-11-07 22:00:35 +00:00
|
|
|
xfrm_sec_ctx_match(pol->security, policy->security) &&
|
|
|
|
|
!WARN_ON(delpol)) {
|
|
|
|
|
delpol = pol;
|
|
|
|
|
if (policy->priority > pol->priority)
|
|
|
|
|
continue;
|
|
|
|
|
} else if (policy->priority >= pol->priority) {
|
|
|
|
|
newpos = &pol->bydst_inexact_list;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
if (delpol)
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-02 18:41:32 +00:00
|
|
|
if (newpos && policy->xdo.type != XFRM_DEV_OFFLOAD_PACKET)
|
2018-11-07 22:00:35 +00:00
|
|
|
hlist_add_behind_rcu(&policy->bydst_inexact_list, newpos);
|
|
|
|
|
else
|
|
|
|
|
hlist_add_head_rcu(&policy->bydst_inexact_list, chain);
|
2018-11-07 22:00:37 +00:00
|
|
|
|
|
|
|
|
hlist_for_each_entry(pol, chain, bydst_inexact_list) {
|
|
|
|
|
pol->pos = i;
|
|
|
|
|
i++;
|
|
|
|
|
}
|
2018-11-07 22:00:35 +00:00
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:33 +00:00
|
|
|
static struct xfrm_policy *xfrm_policy_insert_list(struct hlist_head *chain,
|
|
|
|
|
struct xfrm_policy *policy,
|
|
|
|
|
bool excl)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2018-11-07 22:00:33 +00:00
|
|
|
struct xfrm_policy *pol, *newpos = NULL, *delpol = NULL;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 01:06:00 +00:00
|
|
|
hlist_for_each_entry(pol, chain, bydst) {
|
2007-01-17 00:52:02 +00:00
|
|
|
if (pol->type == policy->type &&
|
2018-06-12 12:07:07 +00:00
|
|
|
pol->if_id == policy->if_id &&
|
2006-08-24 11:45:07 +00:00
|
|
|
!selector_cmp(&pol->selector, &policy->selector) &&
|
2020-06-22 08:40:29 +00:00
|
|
|
xfrm_policy_mark_match(&policy->mark, pol) &&
|
2007-01-17 00:52:02 +00:00
|
|
|
xfrm_sec_ctx_match(pol->security, policy->security) &&
|
|
|
|
|
!WARN_ON(delpol)) {
|
2018-11-07 22:00:33 +00:00
|
|
|
if (excl)
|
|
|
|
|
return ERR_PTR(-EEXIST);
|
2005-04-16 22:20:36 +00:00
|
|
|
delpol = pol;
|
|
|
|
|
if (policy->priority > pol->priority)
|
|
|
|
|
continue;
|
|
|
|
|
} else if (policy->priority >= pol->priority) {
|
2018-11-07 22:00:33 +00:00
|
|
|
newpos = pol;
|
2005-04-16 22:20:36 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
if (delpol)
|
|
|
|
|
break;
|
|
|
|
|
}
|
2018-11-07 22:00:35 +00:00
|
|
|
|
2022-12-02 18:41:32 +00:00
|
|
|
if (newpos && policy->xdo.type != XFRM_DEV_OFFLOAD_PACKET)
|
2018-11-07 22:00:33 +00:00
|
|
|
hlist_add_behind_rcu(&policy->bydst, &newpos->bydst);
|
2006-08-24 11:45:07 +00:00
|
|
|
else
|
2022-12-02 18:41:32 +00:00
|
|
|
/* Packet offload policies enter to the head
|
|
|
|
|
* to speed-up lookups.
|
|
|
|
|
*/
|
2018-10-10 16:02:21 +00:00
|
|
|
hlist_add_head_rcu(&policy->bydst, chain);
|
2018-11-07 22:00:33 +00:00
|
|
|
|
|
|
|
|
return delpol;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
|
|
|
|
|
{
|
|
|
|
|
struct net *net = xp_net(policy);
|
|
|
|
|
struct xfrm_policy *delpol;
|
|
|
|
|
struct hlist_head *chain;
|
|
|
|
|
|
|
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
chain = policy_hash_bysel(net, &policy->selector, policy->family, dir);
|
2018-11-07 22:00:35 +00:00
|
|
|
if (chain)
|
2018-11-07 22:00:34 +00:00
|
|
|
delpol = xfrm_policy_insert_list(chain, policy, excl);
|
2018-11-07 22:00:35 +00:00
|
|
|
else
|
|
|
|
|
delpol = xfrm_policy_inexact_insert(policy, dir, excl);
|
2018-11-07 22:00:33 +00:00
|
|
|
|
|
|
|
|
if (IS_ERR(delpol)) {
|
|
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
return PTR_ERR(delpol);
|
|
|
|
|
}
|
|
|
|
|
|
2014-11-13 09:09:50 +00:00
|
|
|
__xfrm_policy_link(policy, dir);
|
2013-07-30 00:33:53 +00:00
|
|
|
|
|
|
|
|
/* After previous checking, family can either be AF_INET or AF_INET6 */
|
|
|
|
|
if (policy->family == AF_INET)
|
|
|
|
|
rt_genid_bump_ipv4(net);
|
|
|
|
|
else
|
|
|
|
|
rt_genid_bump_ipv6(net);
|
|
|
|
|
|
2013-02-05 11:52:55 +00:00
|
|
|
if (delpol) {
|
|
|
|
|
xfrm_policy_requeue(delpol, policy);
|
2008-12-03 08:33:09 +00:00
|
|
|
__xfrm_policy_unlink(delpol, dir);
|
2013-02-05 11:52:55 +00:00
|
|
|
}
|
2013-11-07 09:47:48 +00:00
|
|
|
policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir, policy->index);
|
2008-11-26 01:33:06 +00:00
|
|
|
hlist_add_head(&policy->byidx, net->xfrm.policy_byidx+idx_hash(net, policy->index));
|
2018-07-11 10:19:13 +00:00
|
|
|
policy->curlft.add_time = ktime_get_real_seconds();
|
2005-04-16 22:20:36 +00:00
|
|
|
policy->curlft.use_time = 0;
|
|
|
|
|
if (!mod_timer(&policy->timer, jiffies + HZ))
|
|
|
|
|
xfrm_pol_hold(policy);
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2005-12-22 15:39:48 +00:00
|
|
|
if (delpol)
|
2005-04-16 22:20:36 +00:00
|
|
|
xfrm_policy_kill(delpol);
|
2008-11-26 01:33:06 +00:00
|
|
|
else if (xfrm_bydst_should_resize(net, dir, NULL))
|
|
|
|
|
schedule_work(&net->xfrm.policy_hash_work);
|
2005-12-22 15:39:48 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_insert);
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
static struct xfrm_policy *
|
2020-06-22 08:40:29 +00:00
|
|
|
__xfrm_policy_bysel_ctx(struct hlist_head *chain, const struct xfrm_mark *mark,
|
|
|
|
|
u32 if_id, u8 type, int dir, struct xfrm_selector *sel,
|
2018-11-07 22:00:37 +00:00
|
|
|
struct xfrm_sec_ctx *ctx)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_policy *pol;
|
|
|
|
|
|
|
|
|
|
if (!chain)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
hlist_for_each_entry(pol, chain, bydst) {
|
|
|
|
|
if (pol->type == type &&
|
|
|
|
|
pol->if_id == if_id &&
|
2020-06-22 08:40:29 +00:00
|
|
|
xfrm_policy_mark_match(mark, pol) &&
|
2018-11-07 22:00:37 +00:00
|
|
|
!selector_cmp(sel, &pol->selector) &&
|
|
|
|
|
xfrm_sec_ctx_match(ctx, pol->security))
|
|
|
|
|
return pol;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-22 08:40:29 +00:00
|
|
|
struct xfrm_policy *
|
|
|
|
|
xfrm_policy_bysel_ctx(struct net *net, const struct xfrm_mark *mark, u32 if_id,
|
|
|
|
|
u8 type, int dir, struct xfrm_selector *sel,
|
|
|
|
|
struct xfrm_sec_ctx *ctx, int delete, int *err)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2018-11-07 22:00:35 +00:00
|
|
|
struct xfrm_pol_inexact_bin *bin = NULL;
|
|
|
|
|
struct xfrm_policy *pol, *ret = NULL;
|
2006-08-24 11:45:07 +00:00
|
|
|
struct hlist_head *chain;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-03-07 23:37:58 +00:00
|
|
|
*err = 0;
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
2008-11-26 01:34:20 +00:00
|
|
|
chain = policy_hash_bysel(net, sel, sel->family, dir);
|
2018-11-07 22:00:35 +00:00
|
|
|
if (!chain) {
|
2018-11-07 22:00:37 +00:00
|
|
|
struct xfrm_pol_inexact_candidates cand;
|
|
|
|
|
int i;
|
|
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
bin = xfrm_policy_inexact_lookup(net, type,
|
2018-11-07 22:00:36 +00:00
|
|
|
sel->family, dir, if_id);
|
2018-11-07 22:00:35 +00:00
|
|
|
if (!bin) {
|
|
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
if (!xfrm_policy_find_inexact_candidates(&cand, bin,
|
|
|
|
|
&sel->saddr,
|
|
|
|
|
&sel->daddr)) {
|
|
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pol = NULL;
|
|
|
|
|
for (i = 0; i < ARRAY_SIZE(cand.res); i++) {
|
|
|
|
|
struct xfrm_policy *tmp;
|
|
|
|
|
|
|
|
|
|
tmp = __xfrm_policy_bysel_ctx(cand.res[i], mark,
|
|
|
|
|
if_id, type, dir,
|
|
|
|
|
sel, ctx);
|
2018-11-15 01:51:57 +00:00
|
|
|
if (!tmp)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if (!pol || tmp->pos < pol->pos)
|
2018-11-07 22:00:37 +00:00
|
|
|
pol = tmp;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
pol = __xfrm_policy_bysel_ctx(chain, mark, if_id, type, dir,
|
|
|
|
|
sel, ctx);
|
2018-11-07 22:00:35 +00:00
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
if (pol) {
|
|
|
|
|
xfrm_pol_hold(pol);
|
|
|
|
|
if (delete) {
|
|
|
|
|
*err = security_xfrm_policy_delete(pol->security);
|
|
|
|
|
if (*err) {
|
|
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
return pol;
|
2006-08-24 11:45:07 +00:00
|
|
|
}
|
2018-11-07 22:00:37 +00:00
|
|
|
__xfrm_policy_unlink(pol, dir);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2018-11-07 22:00:37 +00:00
|
|
|
ret = pol;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-04-07 00:30:04 +00:00
|
|
|
if (ret && delete)
|
2006-08-24 11:45:07 +00:00
|
|
|
xfrm_policy_kill(ret);
|
2018-11-07 22:00:37 +00:00
|
|
|
if (bin && delete)
|
|
|
|
|
xfrm_policy_inexact_prune_bin(bin);
|
2006-08-24 11:45:07 +00:00
|
|
|
return ret;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2020-06-22 08:40:29 +00:00
|
|
|
struct xfrm_policy *
|
|
|
|
|
xfrm_policy_byid(struct net *net, const struct xfrm_mark *mark, u32 if_id,
|
|
|
|
|
u8 type, int dir, u32 id, int delete, int *err)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2006-08-24 11:45:07 +00:00
|
|
|
struct xfrm_policy *pol, *ret;
|
|
|
|
|
struct hlist_head *chain;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-05-14 09:15:47 +00:00
|
|
|
*err = -ENOENT;
|
|
|
|
|
if (xfrm_policy_id2dir(id) != dir)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
2007-03-07 23:37:58 +00:00
|
|
|
*err = 0;
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
2008-11-26 01:34:20 +00:00
|
|
|
chain = net->xfrm.policy_byidx + idx_hash(net, id);
|
2006-08-24 11:45:07 +00:00
|
|
|
ret = NULL;
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 01:06:00 +00:00
|
|
|
hlist_for_each_entry(pol, chain, byidx) {
|
2010-02-22 11:32:58 +00:00
|
|
|
if (pol->type == type && pol->index == id &&
|
2020-06-22 08:40:29 +00:00
|
|
|
pol->if_id == if_id && xfrm_policy_mark_match(mark, pol)) {
|
2005-04-16 22:20:36 +00:00
|
|
|
xfrm_pol_hold(pol);
|
2006-08-24 11:45:07 +00:00
|
|
|
if (delete) {
|
2008-04-13 02:07:52 +00:00
|
|
|
*err = security_xfrm_policy_delete(
|
|
|
|
|
pol->security);
|
2007-03-07 23:37:58 +00:00
|
|
|
if (*err) {
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2007-03-07 23:37:58 +00:00
|
|
|
return pol;
|
|
|
|
|
}
|
2008-12-03 08:33:09 +00:00
|
|
|
__xfrm_policy_unlink(pol, dir);
|
2006-08-24 11:45:07 +00:00
|
|
|
}
|
|
|
|
|
ret = pol;
|
2005-04-16 22:20:36 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-04-07 00:30:04 +00:00
|
|
|
if (ret && delete)
|
2006-08-24 11:45:07 +00:00
|
|
|
xfrm_policy_kill(ret);
|
|
|
|
|
return ret;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_byid);
|
|
|
|
|
|
2007-06-04 23:05:57 +00:00
|
|
|
#ifdef CONFIG_SECURITY_NETWORK_XFRM
|
|
|
|
|
static inline int
|
2014-04-22 12:48:30 +00:00
|
|
|
xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2018-11-07 22:00:32 +00:00
|
|
|
struct xfrm_policy *pol;
|
|
|
|
|
int err = 0;
|
2007-06-04 23:05:57 +00:00
|
|
|
|
2018-11-07 22:00:32 +00:00
|
|
|
list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
|
|
|
|
|
if (pol->walk.dead ||
|
|
|
|
|
xfrm_policy_id2dir(pol->index) >= XFRM_POLICY_MAX ||
|
|
|
|
|
pol->type != type)
|
|
|
|
|
continue;
|
2007-06-04 23:05:57 +00:00
|
|
|
|
2018-11-07 22:00:32 +00:00
|
|
|
err = security_xfrm_policy_delete(pol->security);
|
|
|
|
|
if (err) {
|
|
|
|
|
xfrm_audit_policy_delete(pol, 0, task_valid);
|
|
|
|
|
return err;
|
2007-06-04 23:05:57 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return err;
|
|
|
|
|
}
|
2022-12-02 18:41:29 +00:00
|
|
|
|
|
|
|
|
static inline int xfrm_dev_policy_flush_secctx_check(struct net *net,
|
|
|
|
|
struct net_device *dev,
|
|
|
|
|
bool task_valid)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_policy *pol;
|
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
|
|
list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
|
|
|
|
|
if (pol->walk.dead ||
|
|
|
|
|
xfrm_policy_id2dir(pol->index) >= XFRM_POLICY_MAX ||
|
|
|
|
|
pol->xdo.dev != dev)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
err = security_xfrm_policy_delete(pol->security);
|
|
|
|
|
if (err) {
|
|
|
|
|
xfrm_audit_policy_delete(pol, 0, task_valid);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return err;
|
|
|
|
|
}
|
2007-06-04 23:05:57 +00:00
|
|
|
#else
|
|
|
|
|
static inline int
|
2014-04-22 12:48:30 +00:00
|
|
|
xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid)
|
2007-06-04 23:05:57 +00:00
|
|
|
{
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2022-12-02 18:41:29 +00:00
|
|
|
|
|
|
|
|
static inline int xfrm_dev_policy_flush_secctx_check(struct net *net,
|
|
|
|
|
struct net_device *dev,
|
|
|
|
|
bool task_valid)
|
|
|
|
|
{
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2007-06-04 23:05:57 +00:00
|
|
|
#endif
|
|
|
|
|
|
2014-04-22 12:48:30 +00:00
|
|
|
int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)
|
2007-06-04 23:05:57 +00:00
|
|
|
{
|
2010-02-19 02:00:42 +00:00
|
|
|
int dir, err = 0, cnt = 0;
|
2018-11-07 22:00:32 +00:00
|
|
|
struct xfrm_policy *pol;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
2007-06-04 23:05:57 +00:00
|
|
|
|
2014-04-22 12:48:30 +00:00
|
|
|
err = xfrm_policy_flush_secctx_check(net, type, task_valid);
|
2007-06-04 23:05:57 +00:00
|
|
|
if (err)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2018-11-07 22:00:32 +00:00
|
|
|
again:
|
|
|
|
|
list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
|
2023-08-15 14:18:34 +00:00
|
|
|
if (pol->walk.dead)
|
|
|
|
|
continue;
|
|
|
|
|
|
2018-11-07 22:00:32 +00:00
|
|
|
dir = xfrm_policy_id2dir(pol->index);
|
2023-08-15 14:18:34 +00:00
|
|
|
if (dir >= XFRM_POLICY_MAX ||
|
2018-11-07 22:00:32 +00:00
|
|
|
pol->type != type)
|
|
|
|
|
continue;
|
2006-08-24 11:45:07 +00:00
|
|
|
|
2018-11-07 22:00:32 +00:00
|
|
|
__xfrm_policy_unlink(pol, dir);
|
|
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2023-06-05 07:36:15 +00:00
|
|
|
xfrm_dev_policy_delete(pol);
|
2018-11-07 22:00:32 +00:00
|
|
|
cnt++;
|
|
|
|
|
xfrm_audit_policy_delete(pol, 1, task_valid);
|
|
|
|
|
xfrm_policy_kill(pol);
|
|
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
goto again;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2018-11-07 22:00:35 +00:00
|
|
|
if (cnt)
|
|
|
|
|
__xfrm_policy_inexact_flush(net);
|
|
|
|
|
else
|
2010-02-19 02:00:42 +00:00
|
|
|
err = -ESRCH;
|
2007-06-04 23:05:57 +00:00
|
|
|
out:
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2007-06-04 23:05:57 +00:00
|
|
|
return err;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_flush);
|
|
|
|
|
|
2022-12-02 18:41:29 +00:00
|
|
|
int xfrm_dev_policy_flush(struct net *net, struct net_device *dev,
|
|
|
|
|
bool task_valid)
|
|
|
|
|
{
|
|
|
|
|
int dir, err = 0, cnt = 0;
|
|
|
|
|
struct xfrm_policy *pol;
|
|
|
|
|
|
|
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
|
|
|
|
|
err = xfrm_dev_policy_flush_secctx_check(net, dev, task_valid);
|
|
|
|
|
if (err)
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
again:
|
|
|
|
|
list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
|
2023-08-15 14:18:34 +00:00
|
|
|
if (pol->walk.dead)
|
|
|
|
|
continue;
|
|
|
|
|
|
2022-12-02 18:41:29 +00:00
|
|
|
dir = xfrm_policy_id2dir(pol->index);
|
2023-08-15 14:18:34 +00:00
|
|
|
if (dir >= XFRM_POLICY_MAX ||
|
2022-12-02 18:41:29 +00:00
|
|
|
pol->xdo.dev != dev)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
__xfrm_policy_unlink(pol, dir);
|
|
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2023-06-05 07:36:15 +00:00
|
|
|
xfrm_dev_policy_delete(pol);
|
2022-12-02 18:41:29 +00:00
|
|
|
cnt++;
|
|
|
|
|
xfrm_audit_policy_delete(pol, 1, task_valid);
|
|
|
|
|
xfrm_policy_kill(pol);
|
|
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
goto again;
|
|
|
|
|
}
|
|
|
|
|
if (cnt)
|
|
|
|
|
__xfrm_policy_inexact_flush(net);
|
|
|
|
|
else
|
|
|
|
|
err = -ESRCH;
|
|
|
|
|
out:
|
|
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_dev_policy_flush);
|
|
|
|
|
|
2008-11-26 01:34:49 +00:00
|
|
|
int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
|
2008-02-29 05:31:08 +00:00
|
|
|
int (*func)(struct xfrm_policy *, int, int, void*),
|
2005-04-16 22:20:36 +00:00
|
|
|
void *data)
|
|
|
|
|
{
|
2008-10-01 14:03:24 +00:00
|
|
|
struct xfrm_policy *pol;
|
|
|
|
|
struct xfrm_policy_walk_entry *x;
|
2008-02-29 05:31:08 +00:00
|
|
|
int error = 0;
|
|
|
|
|
|
|
|
|
|
if (walk->type >= XFRM_POLICY_TYPE_MAX &&
|
|
|
|
|
walk->type != XFRM_POLICY_TYPE_ANY)
|
|
|
|
|
return -EINVAL;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-10-01 14:03:24 +00:00
|
|
|
if (list_empty(&walk->walk.all) && walk->seq != 0)
|
2008-02-29 05:31:08 +00:00
|
|
|
return 0;
|
|
|
|
|
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
2008-10-01 14:03:24 +00:00
|
|
|
if (list_empty(&walk->walk.all))
|
2008-11-26 01:34:49 +00:00
|
|
|
x = list_first_entry(&net->xfrm.policy_all, struct xfrm_policy_walk_entry, all);
|
2008-10-01 14:03:24 +00:00
|
|
|
else
|
2015-04-22 09:09:54 +00:00
|
|
|
x = list_first_entry(&walk->walk.all,
|
|
|
|
|
struct xfrm_policy_walk_entry, all);
|
|
|
|
|
|
2008-11-26 01:34:49 +00:00
|
|
|
list_for_each_entry_from(x, &net->xfrm.policy_all, all) {
|
2008-10-01 14:03:24 +00:00
|
|
|
if (x->dead)
|
2008-02-29 05:31:08 +00:00
|
|
|
continue;
|
2008-10-01 14:03:24 +00:00
|
|
|
pol = container_of(x, struct xfrm_policy, walk);
|
|
|
|
|
if (walk->type != XFRM_POLICY_TYPE_ANY &&
|
|
|
|
|
walk->type != pol->type)
|
|
|
|
|
continue;
|
|
|
|
|
error = func(pol, xfrm_policy_id2dir(pol->index),
|
|
|
|
|
walk->seq, data);
|
|
|
|
|
if (error) {
|
|
|
|
|
list_move_tail(&walk->walk.all, &x->all);
|
|
|
|
|
goto out;
|
2006-08-24 11:45:07 +00:00
|
|
|
}
|
2008-10-01 14:03:24 +00:00
|
|
|
walk->seq++;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2008-10-01 14:03:24 +00:00
|
|
|
if (walk->seq == 0) {
|
2006-12-05 04:02:37 +00:00
|
|
|
error = -ENOENT;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
2008-10-01 14:03:24 +00:00
|
|
|
list_del_init(&walk->walk.all);
|
2005-04-16 22:20:36 +00:00
|
|
|
out:
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2005-04-16 22:20:36 +00:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_walk);
|
|
|
|
|
|
2008-10-01 14:03:24 +00:00
|
|
|
void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type)
|
|
|
|
|
{
|
|
|
|
|
INIT_LIST_HEAD(&walk->walk.all);
|
|
|
|
|
walk->walk.dead = 1;
|
|
|
|
|
walk->type = type;
|
|
|
|
|
walk->seq = 0;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_walk_init);
|
|
|
|
|
|
2013-11-07 09:47:50 +00:00
|
|
|
void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net)
|
2008-10-01 14:03:24 +00:00
|
|
|
{
|
|
|
|
|
if (list_empty(&walk->walk.all))
|
|
|
|
|
return;
|
|
|
|
|
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock); /*FIXME where is net? */
|
2008-10-01 14:03:24 +00:00
|
|
|
list_del(&walk->walk.all);
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2008-10-01 14:03:24 +00:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_walk_done);
|
|
|
|
|
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 20:42:27 +00:00
|
|
|
/*
|
|
|
|
|
* Find policy to apply to this flow.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 if policy found, else an -errno.
|
|
|
|
|
*/
|
2011-02-24 06:23:30 +00:00
|
|
|
static int xfrm_policy_match(const struct xfrm_policy *pol,
|
|
|
|
|
const struct flowi *fl,
|
2022-08-22 03:41:47 +00:00
|
|
|
u8 type, u16 family, u32 if_id)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2011-02-24 06:23:30 +00:00
|
|
|
const struct xfrm_selector *sel = &pol->selector;
|
2012-05-15 19:04:57 +00:00
|
|
|
int ret = -ESRCH;
|
|
|
|
|
bool match;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-08-24 11:45:07 +00:00
|
|
|
if (pol->family != family ||
|
2018-07-19 17:50:44 +00:00
|
|
|
pol->if_id != if_id ||
|
2011-03-12 05:29:39 +00:00
|
|
|
(fl->flowi_mark & pol->mark.m) != pol->mark.v ||
|
2006-08-24 11:45:07 +00:00
|
|
|
pol->type != type)
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 20:42:27 +00:00
|
|
|
return ret;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-08-24 11:45:07 +00:00
|
|
|
match = xfrm_selector_match(sel, fl, family);
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 20:42:27 +00:00
|
|
|
if (match)
|
2021-04-09 05:48:41 +00:00
|
|
|
ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid);
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 20:42:27 +00:00
|
|
|
return ret;
|
2006-08-24 11:45:07 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2018-11-07 22:00:38 +00:00
|
|
|
static struct xfrm_pol_inexact_node *
|
|
|
|
|
xfrm_policy_lookup_inexact_addr(const struct rb_root *r,
|
2020-07-20 15:55:22 +00:00
|
|
|
seqcount_spinlock_t *count,
|
2018-11-07 22:00:38 +00:00
|
|
|
const xfrm_address_t *addr, u16 family)
|
|
|
|
|
{
|
|
|
|
|
const struct rb_node *parent;
|
|
|
|
|
int seq;
|
|
|
|
|
|
|
|
|
|
again:
|
|
|
|
|
seq = read_seqcount_begin(count);
|
|
|
|
|
|
|
|
|
|
parent = rcu_dereference_raw(r->rb_node);
|
|
|
|
|
while (parent) {
|
|
|
|
|
struct xfrm_pol_inexact_node *node;
|
|
|
|
|
int delta;
|
|
|
|
|
|
|
|
|
|
node = rb_entry(parent, struct xfrm_pol_inexact_node, node);
|
|
|
|
|
|
|
|
|
|
delta = xfrm_policy_addr_delta(addr, &node->addr,
|
|
|
|
|
node->prefixlen, family);
|
|
|
|
|
if (delta < 0) {
|
|
|
|
|
parent = rcu_dereference_raw(parent->rb_left);
|
|
|
|
|
continue;
|
|
|
|
|
} else if (delta > 0) {
|
|
|
|
|
parent = rcu_dereference_raw(parent->rb_right);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return node;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (read_seqcount_retry(count, seq))
|
|
|
|
|
goto again;
|
|
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
static bool
|
|
|
|
|
xfrm_policy_find_inexact_candidates(struct xfrm_pol_inexact_candidates *cand,
|
|
|
|
|
struct xfrm_pol_inexact_bin *b,
|
|
|
|
|
const xfrm_address_t *saddr,
|
|
|
|
|
const xfrm_address_t *daddr)
|
|
|
|
|
{
|
2018-11-07 22:00:38 +00:00
|
|
|
struct xfrm_pol_inexact_node *n;
|
|
|
|
|
u16 family;
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
if (!b)
|
|
|
|
|
return false;
|
|
|
|
|
|
2018-11-07 22:00:38 +00:00
|
|
|
family = b->k.family;
|
2018-11-07 22:00:37 +00:00
|
|
|
memset(cand, 0, sizeof(*cand));
|
|
|
|
|
cand->res[XFRM_POL_CAND_ANY] = &b->hhead;
|
2018-11-07 22:00:38 +00:00
|
|
|
|
|
|
|
|
n = xfrm_policy_lookup_inexact_addr(&b->root_d, &b->count, daddr,
|
|
|
|
|
family);
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
if (n) {
|
2018-11-07 22:00:38 +00:00
|
|
|
cand->res[XFRM_POL_CAND_DADDR] = &n->hhead;
|
xfrm: policy: add 2nd-level saddr trees for inexact policies
This adds the fourth and final search class, containing policies
where both saddr and daddr have prefix lengths (i.e., not wildcards).
Inexact policies now end up in one of the following four search classes:
1. "Any:Any" list, containing policies where both saddr and daddr are
wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
2. "saddr:any" list, containing policies with a fixed saddr/prefixlen,
but without destination restrictions.
These lists are stored in rbtree nodes; each node contains those
policies matching saddr/prefixlen.
3. "Any:daddr" list. Similar to 2), except for policies where only the
destinations are specified.
4. "saddr:daddr" lists, containing only those policies that
match the given source/destination network.
The root of the saddr/daddr nodes gets stored in the nodes of the
'daddr' tree.
This diagram illustrates the list classes, and their
placement in the lookup hierarchy:
xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
|
+---- root_d: sorted by daddr:prefix
| |
| xfrm_pol_inexact_node
| |
| +- root: sorted by saddr/prefix
| | |
| | xfrm_pol_inexact_node
| | |
| | + root: unused
| | |
| | + hhead: saddr:daddr policies
| |
| +- coarse policies and all any:daddr policies
|
+---- root_s: sorted by saddr:prefix
| |
| xfrm_pol_inexact_node
| |
| + root: unused
| |
| + hhead: saddr:any policies
|
+---- coarse policies and all any:any policies
lookup for an inexact policy returns pointers to the four relevant list
classes, after which each of the lists needs to be searched for the policy
with the higher priority.
This will only speed up lookups in case we have many policies and a
sizeable portion of these have disjunct saddr/daddr addresses.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-11-07 22:00:41 +00:00
|
|
|
n = xfrm_policy_lookup_inexact_addr(&n->root, &b->count, saddr,
|
|
|
|
|
family);
|
|
|
|
|
if (n)
|
|
|
|
|
cand->res[XFRM_POL_CAND_BOTH] = &n->hhead;
|
|
|
|
|
}
|
2018-11-07 22:00:38 +00:00
|
|
|
|
2018-11-07 22:00:40 +00:00
|
|
|
n = xfrm_policy_lookup_inexact_addr(&b->root_s, &b->count, saddr,
|
|
|
|
|
family);
|
|
|
|
|
if (n)
|
|
|
|
|
cand->res[XFRM_POL_CAND_SADDR] = &n->hhead;
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
static struct xfrm_pol_inexact_bin *
|
2018-11-07 22:00:36 +00:00
|
|
|
xfrm_policy_inexact_lookup_rcu(struct net *net, u8 type, u16 family,
|
|
|
|
|
u8 dir, u32 if_id)
|
2018-11-07 22:00:35 +00:00
|
|
|
{
|
|
|
|
|
struct xfrm_pol_inexact_key k = {
|
|
|
|
|
.family = family,
|
|
|
|
|
.type = type,
|
|
|
|
|
.dir = dir,
|
2018-11-07 22:00:36 +00:00
|
|
|
.if_id = if_id,
|
2018-11-07 22:00:35 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
write_pnet(&k.net, net);
|
|
|
|
|
|
|
|
|
|
return rhashtable_lookup(&xfrm_policy_inexact_table, &k,
|
|
|
|
|
xfrm_pol_inexact_params);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct xfrm_pol_inexact_bin *
|
2018-11-07 22:00:36 +00:00
|
|
|
xfrm_policy_inexact_lookup(struct net *net, u8 type, u16 family,
|
|
|
|
|
u8 dir, u32 if_id)
|
2018-11-07 22:00:35 +00:00
|
|
|
{
|
|
|
|
|
struct xfrm_pol_inexact_bin *bin;
|
|
|
|
|
|
|
|
|
|
lockdep_assert_held(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
|
|
|
|
|
rcu_read_lock();
|
2018-11-07 22:00:36 +00:00
|
|
|
bin = xfrm_policy_inexact_lookup_rcu(net, type, family, dir, if_id);
|
2018-11-07 22:00:35 +00:00
|
|
|
rcu_read_unlock();
|
|
|
|
|
|
|
|
|
|
return bin;
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
static struct xfrm_policy *
|
|
|
|
|
__xfrm_policy_eval_candidates(struct hlist_head *chain,
|
|
|
|
|
struct xfrm_policy *prefer,
|
|
|
|
|
const struct flowi *fl,
|
2022-08-22 03:41:47 +00:00
|
|
|
u8 type, u16 family, u32 if_id)
|
2018-11-07 22:00:37 +00:00
|
|
|
{
|
|
|
|
|
u32 priority = prefer ? prefer->priority : ~0u;
|
|
|
|
|
struct xfrm_policy *pol;
|
|
|
|
|
|
|
|
|
|
if (!chain)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
hlist_for_each_entry_rcu(pol, chain, bydst) {
|
|
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
if (pol->priority > priority)
|
|
|
|
|
break;
|
|
|
|
|
|
2022-08-22 03:41:47 +00:00
|
|
|
err = xfrm_policy_match(pol, fl, type, family, if_id);
|
2018-11-07 22:00:37 +00:00
|
|
|
if (err) {
|
|
|
|
|
if (err != -ESRCH)
|
|
|
|
|
return ERR_PTR(err);
|
|
|
|
|
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (prefer) {
|
|
|
|
|
/* matches. Is it older than *prefer? */
|
|
|
|
|
if (pol->priority == priority &&
|
|
|
|
|
prefer->pos < pol->pos)
|
|
|
|
|
return prefer;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return pol;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct xfrm_policy *
|
|
|
|
|
xfrm_policy_eval_candidates(struct xfrm_pol_inexact_candidates *cand,
|
|
|
|
|
struct xfrm_policy *prefer,
|
|
|
|
|
const struct flowi *fl,
|
2022-08-22 03:41:47 +00:00
|
|
|
u8 type, u16 family, u32 if_id)
|
2018-11-07 22:00:37 +00:00
|
|
|
{
|
|
|
|
|
struct xfrm_policy *tmp;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < ARRAY_SIZE(cand->res); i++) {
|
|
|
|
|
tmp = __xfrm_policy_eval_candidates(cand->res[i],
|
|
|
|
|
prefer,
|
2022-08-22 03:41:47 +00:00
|
|
|
fl, type, family, if_id);
|
2018-11-07 22:00:37 +00:00
|
|
|
if (!tmp)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if (IS_ERR(tmp))
|
|
|
|
|
return tmp;
|
|
|
|
|
prefer = tmp;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return prefer;
|
|
|
|
|
}
|
|
|
|
|
|
2008-11-26 01:35:18 +00:00
|
|
|
static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
|
2011-02-23 02:31:08 +00:00
|
|
|
const struct flowi *fl,
|
2018-07-19 17:50:44 +00:00
|
|
|
u16 family, u8 dir,
|
|
|
|
|
u32 if_id)
|
2006-08-24 11:45:07 +00:00
|
|
|
{
|
2018-11-07 22:00:37 +00:00
|
|
|
struct xfrm_pol_inexact_candidates cand;
|
2011-02-24 06:22:48 +00:00
|
|
|
const xfrm_address_t *daddr, *saddr;
|
2018-11-07 22:00:35 +00:00
|
|
|
struct xfrm_pol_inexact_bin *bin;
|
|
|
|
|
struct xfrm_policy *pol, *ret;
|
2006-08-24 11:45:07 +00:00
|
|
|
struct hlist_head *chain;
|
2016-08-11 13:17:54 +00:00
|
|
|
unsigned int sequence;
|
2018-11-07 22:00:35 +00:00
|
|
|
int err;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
|
2006-08-24 11:45:07 +00:00
|
|
|
daddr = xfrm_flowi_daddr(fl, family);
|
|
|
|
|
saddr = xfrm_flowi_saddr(fl, family);
|
|
|
|
|
if (unlikely(!daddr || !saddr))
|
|
|
|
|
return NULL;
|
|
|
|
|
|
xfrm: policy: Read seqcount outside of rcu-read side in xfrm_policy_lookup_bytype
xfrm_policy_lookup_bytype loops on seqcount mutex xfrm_policy_hash_generation
within an RCU read side critical section. Although ill advised, this is fine if
the loop is bounded.
xfrm_policy_hash_generation wraps mutex hash_resize_mutex, which is used to
serialize writers (xfrm_hash_resize, xfrm_hash_rebuild). This is fine too.
On PREEMPT_RT=y, the read_seqcount_begin call within xfrm_policy_lookup_bytype
emits a mutex lock/unlock for hash_resize_mutex. Mutex locking is fine, since
RCU read side critical sections are allowed to sleep with PREEMPT_RT.
xfrm_hash_resize can, however, block on synchronize_rcu while holding
hash_resize_mutex.
This leads to the following situation on PREEMPT_RT, where the writer is
blocked on RCU grace period expiry, while the reader is blocked on a lock held
by the writer:
Thead 1 (xfrm_hash_resize) Thread 2 (xfrm_policy_lookup_bytype)
rcu_read_lock();
mutex_lock(&hash_resize_mutex);
read_seqcount_begin(&xfrm_policy_hash_generation);
mutex_lock(&hash_resize_mutex); // block
xfrm_bydst_resize();
synchronize_rcu(); // block
<RCU stalls in xfrm_policy_lookup_bytype>
Move the read_seqcount_begin call outside of the RCU read side critical section,
and do an rcu_read_unlock/retry if we got stale data within the critical section.
On non-PREEMPT_RT, this shortens the time spent within RCU read side critical
section in case the seqcount needs a retry, and avoids unbounded looping.
Fixes: 77cc278f7b20 ("xfrm: policy: Use sequence counters with associated lock")
Signed-off-by: Varad Gautam <varad.gautam@suse.com>
Cc: linux-rt-users <linux-rt-users@vger.kernel.org>
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org # v4.9
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Cc: "Ahmed S. Darwish" <a.darwish@linutronix.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Ahmed S. Darwish <a.darwish@linutronix.de>
2021-05-28 16:04:06 +00:00
|
|
|
rcu_read_lock();
|
2021-07-02 07:20:22 +00:00
|
|
|
retry:
|
|
|
|
|
do {
|
2021-06-28 13:34:28 +00:00
|
|
|
sequence = read_seqcount_begin(&net->xfrm.xfrm_policy_hash_generation);
|
2021-07-02 07:20:22 +00:00
|
|
|
chain = policy_hash_direct(net, daddr, saddr, family, dir);
|
2021-06-28 13:34:28 +00:00
|
|
|
} while (read_seqcount_retry(&net->xfrm.xfrm_policy_hash_generation, sequence));
|
2016-08-11 13:17:54 +00:00
|
|
|
|
2006-08-24 11:45:07 +00:00
|
|
|
ret = NULL;
|
2016-08-11 13:17:52 +00:00
|
|
|
hlist_for_each_entry_rcu(pol, chain, bydst) {
|
2022-08-22 03:41:47 +00:00
|
|
|
err = xfrm_policy_match(pol, fl, type, family, if_id);
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 20:42:27 +00:00
|
|
|
if (err) {
|
|
|
|
|
if (err == -ESRCH)
|
|
|
|
|
continue;
|
|
|
|
|
else {
|
|
|
|
|
ret = ERR_PTR(err);
|
|
|
|
|
goto fail;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2006-08-24 11:45:07 +00:00
|
|
|
ret = pol;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-12-02 18:41:32 +00:00
|
|
|
if (ret && ret->xdo.type == XFRM_DEV_OFFLOAD_PACKET)
|
|
|
|
|
goto skip_inexact;
|
|
|
|
|
|
2018-11-07 22:00:36 +00:00
|
|
|
bin = xfrm_policy_inexact_lookup_rcu(net, type, family, dir, if_id);
|
2018-11-07 22:00:37 +00:00
|
|
|
if (!bin || !xfrm_policy_find_inexact_candidates(&cand, bin, saddr,
|
|
|
|
|
daddr))
|
2018-11-07 22:00:35 +00:00
|
|
|
goto skip_inexact;
|
2015-05-14 03:16:59 +00:00
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
pol = xfrm_policy_eval_candidates(&cand, ret, fl, type,
|
2022-08-22 03:41:47 +00:00
|
|
|
family, if_id);
|
2018-11-07 22:00:37 +00:00
|
|
|
if (pol) {
|
|
|
|
|
ret = pol;
|
|
|
|
|
if (IS_ERR(pol))
|
|
|
|
|
goto fail;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2015-04-30 09:13:41 +00:00
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
skip_inexact:
|
2021-06-28 13:34:28 +00:00
|
|
|
if (read_seqcount_retry(&net->xfrm.xfrm_policy_hash_generation, sequence))
|
2016-08-11 13:17:54 +00:00
|
|
|
goto retry;
|
|
|
|
|
|
2021-07-02 07:20:22 +00:00
|
|
|
if (ret && !xfrm_pol_hold_rcu(ret))
|
2016-08-11 13:17:55 +00:00
|
|
|
goto retry;
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 20:42:27 +00:00
|
|
|
fail:
|
2016-08-11 13:17:56 +00:00
|
|
|
rcu_read_unlock();
|
2006-08-24 05:43:30 +00:00
|
|
|
|
2006-08-24 11:45:07 +00:00
|
|
|
return ret;
|
2006-08-24 05:43:30 +00:00
|
|
|
}
|
|
|
|
|
|
2018-07-19 17:50:44 +00:00
|
|
|
static struct xfrm_policy *xfrm_policy_lookup(struct net *net,
|
|
|
|
|
const struct flowi *fl,
|
|
|
|
|
u16 family, u8 dir, u32 if_id)
|
2010-04-07 00:30:05 +00:00
|
|
|
{
|
|
|
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
|
|
|
|
struct xfrm_policy *pol;
|
|
|
|
|
|
2018-07-19 17:50:44 +00:00
|
|
|
pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_SUB, fl, family,
|
|
|
|
|
dir, if_id);
|
2010-04-07 00:30:05 +00:00
|
|
|
if (pol != NULL)
|
|
|
|
|
return pol;
|
|
|
|
|
#endif
|
2018-07-19 17:50:44 +00:00
|
|
|
return xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, fl, family,
|
|
|
|
|
dir, if_id);
|
2010-04-07 00:30:05 +00:00
|
|
|
}
|
|
|
|
|
|
2015-09-25 14:39:10 +00:00
|
|
|
static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
|
2018-07-19 17:50:44 +00:00
|
|
|
const struct flowi *fl,
|
|
|
|
|
u16 family, u32 if_id)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
struct xfrm_policy *pol;
|
|
|
|
|
|
2015-12-08 15:22:02 +00:00
|
|
|
rcu_read_lock();
|
2016-08-11 13:17:57 +00:00
|
|
|
again:
|
2015-12-08 15:22:02 +00:00
|
|
|
pol = rcu_dereference(sk->sk_policy[dir]);
|
|
|
|
|
if (pol != NULL) {
|
2017-11-29 05:53:55 +00:00
|
|
|
bool match;
|
2007-02-09 14:25:29 +00:00
|
|
|
int err = 0;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
|
2017-11-29 05:53:55 +00:00
|
|
|
if (pol->family != family) {
|
|
|
|
|
pol = NULL;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
match = xfrm_selector_match(&pol->selector, fl, family);
|
2006-10-05 20:42:35 +00:00
|
|
|
if (match) {
|
2023-07-28 15:03:15 +00:00
|
|
|
if ((READ_ONCE(sk->sk_mark) & pol->mark.m) != pol->mark.v ||
|
2018-07-19 17:50:44 +00:00
|
|
|
pol->if_id != if_id) {
|
2010-02-22 11:32:58 +00:00
|
|
|
pol = NULL;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
2008-04-13 02:07:52 +00:00
|
|
|
err = security_xfrm_policy_lookup(pol->security,
|
2021-04-09 05:48:41 +00:00
|
|
|
fl->flowi_secid);
|
2016-11-17 12:21:46 +00:00
|
|
|
if (!err) {
|
|
|
|
|
if (!xfrm_pol_hold_rcu(pol))
|
|
|
|
|
goto again;
|
|
|
|
|
} else if (err == -ESRCH) {
|
2006-10-05 20:42:35 +00:00
|
|
|
pol = NULL;
|
2016-11-17 12:21:46 +00:00
|
|
|
} else {
|
2006-10-05 20:42:35 +00:00
|
|
|
pol = ERR_PTR(err);
|
2016-11-17 12:21:46 +00:00
|
|
|
}
|
2006-10-05 20:42:35 +00:00
|
|
|
} else
|
2005-04-16 22:20:36 +00:00
|
|
|
pol = NULL;
|
|
|
|
|
}
|
2010-02-22 11:32:58 +00:00
|
|
|
out:
|
2015-12-08 15:22:02 +00:00
|
|
|
rcu_read_unlock();
|
2005-04-16 22:20:36 +00:00
|
|
|
return pol;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
|
|
|
|
|
{
|
2008-11-26 01:29:47 +00:00
|
|
|
struct net *net = xp_net(pol);
|
2006-08-24 05:43:30 +00:00
|
|
|
|
2008-11-26 01:29:47 +00:00
|
|
|
list_add(&pol->walk.all, &net->xfrm.policy_all);
|
|
|
|
|
net->xfrm.policy_count[dir]++;
|
2005-04-16 22:20:36 +00:00
|
|
|
xfrm_pol_hold(pol);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
|
|
|
|
|
int dir)
|
|
|
|
|
{
|
2008-11-26 01:29:47 +00:00
|
|
|
struct net *net = xp_net(pol);
|
|
|
|
|
|
2014-11-13 09:09:49 +00:00
|
|
|
if (list_empty(&pol->walk.all))
|
2006-08-24 11:45:07 +00:00
|
|
|
return NULL;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2014-11-13 09:09:49 +00:00
|
|
|
/* Socket policies are not hashed. */
|
|
|
|
|
if (!hlist_unhashed(&pol->bydst)) {
|
2016-08-11 13:17:52 +00:00
|
|
|
hlist_del_rcu(&pol->bydst);
|
2018-11-07 22:00:35 +00:00
|
|
|
hlist_del_init(&pol->bydst_inexact_list);
|
2014-11-13 09:09:49 +00:00
|
|
|
hlist_del(&pol->byidx);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
list_del_init(&pol->walk.all);
|
2008-11-26 01:29:47 +00:00
|
|
|
net->xfrm.policy_count[dir]--;
|
2006-08-24 11:45:07 +00:00
|
|
|
|
|
|
|
|
return pol;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2014-11-13 09:09:49 +00:00
|
|
|
static void xfrm_sk_policy_link(struct xfrm_policy *pol, int dir)
|
|
|
|
|
{
|
|
|
|
|
__xfrm_policy_link(pol, XFRM_POLICY_MAX + dir);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void xfrm_sk_policy_unlink(struct xfrm_policy *pol, int dir)
|
|
|
|
|
{
|
|
|
|
|
__xfrm_policy_unlink(pol, XFRM_POLICY_MAX + dir);
|
|
|
|
|
}
|
|
|
|
|
|
2005-06-19 05:43:22 +00:00
|
|
|
int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2013-11-07 09:47:50 +00:00
|
|
|
struct net *net = xp_net(pol);
|
|
|
|
|
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
2005-04-16 22:20:36 +00:00
|
|
|
pol = __xfrm_policy_unlink(pol, dir);
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (pol) {
|
2022-12-02 18:41:29 +00:00
|
|
|
xfrm_dev_policy_delete(pol);
|
2005-04-16 22:20:36 +00:00
|
|
|
xfrm_policy_kill(pol);
|
2005-06-19 05:43:22 +00:00
|
|
|
return 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2005-06-19 05:43:22 +00:00
|
|
|
return -ENOENT;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2006-03-21 03:18:52 +00:00
|
|
|
EXPORT_SYMBOL(xfrm_policy_delete);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
|
|
|
|
|
{
|
2017-11-20 10:26:02 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct xfrm_policy *old_pol;
|
|
|
|
|
|
2006-08-24 05:43:30 +00:00
|
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
|
|
|
|
if (pol && pol->type != XFRM_POLICY_TYPE_MAIN)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
#endif
|
|
|
|
|
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
2015-12-08 15:22:02 +00:00
|
|
|
old_pol = rcu_dereference_protected(sk->sk_policy[dir],
|
|
|
|
|
lockdep_is_held(&net->xfrm.xfrm_policy_lock));
|
2005-04-16 22:20:36 +00:00
|
|
|
if (pol) {
|
2018-07-11 10:19:13 +00:00
|
|
|
pol->curlft.add_time = ktime_get_real_seconds();
|
2013-11-07 09:47:48 +00:00
|
|
|
pol->index = xfrm_gen_index(net, XFRM_POLICY_MAX+dir, 0);
|
2014-11-13 09:09:49 +00:00
|
|
|
xfrm_sk_policy_link(pol, dir);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2015-12-08 15:22:02 +00:00
|
|
|
rcu_assign_pointer(sk->sk_policy[dir], pol);
|
2013-02-05 11:52:55 +00:00
|
|
|
if (old_pol) {
|
|
|
|
|
if (pol)
|
|
|
|
|
xfrm_policy_requeue(old_pol, pol);
|
|
|
|
|
|
2010-03-31 00:17:05 +00:00
|
|
|
/* Unlinking succeeds always. This is the only function
|
|
|
|
|
* allowed to delete or replace socket policy.
|
|
|
|
|
*/
|
2014-11-13 09:09:49 +00:00
|
|
|
xfrm_sk_policy_unlink(old_pol, dir);
|
2013-02-05 11:52:55 +00:00
|
|
|
}
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (old_pol) {
|
|
|
|
|
xfrm_policy_kill(old_pol);
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2011-02-24 06:25:41 +00:00
|
|
|
static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:21:45 +00:00
|
|
|
struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC);
|
2013-11-07 09:47:50 +00:00
|
|
|
struct net *net = xp_net(old);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (newp) {
|
|
|
|
|
newp->selector = old->selector;
|
2008-04-13 02:07:52 +00:00
|
|
|
if (security_xfrm_policy_clone(old->security,
|
|
|
|
|
&newp->security)) {
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
kfree(newp);
|
|
|
|
|
return NULL; /* ENOMEM */
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
newp->lft = old->lft;
|
|
|
|
|
newp->curlft = old->curlft;
|
2010-02-23 23:09:53 +00:00
|
|
|
newp->mark = old->mark;
|
2018-06-12 12:07:07 +00:00
|
|
|
newp->if_id = old->if_id;
|
2005-04-16 22:20:36 +00:00
|
|
|
newp->action = old->action;
|
|
|
|
|
newp->flags = old->flags;
|
|
|
|
|
newp->xfrm_nr = old->xfrm_nr;
|
|
|
|
|
newp->index = old->index;
|
2006-08-24 05:43:30 +00:00
|
|
|
newp->type = old->type;
|
2017-11-10 03:14:06 +00:00
|
|
|
newp->family = old->family;
|
2005-04-16 22:20:36 +00:00
|
|
|
memcpy(newp->xfrm_vec, old->xfrm_vec,
|
|
|
|
|
newp->xfrm_nr*sizeof(struct xfrm_tmpl));
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
2014-11-13 09:09:49 +00:00
|
|
|
xfrm_sk_policy_link(newp, dir);
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2005-04-16 22:20:36 +00:00
|
|
|
xfrm_pol_put(newp);
|
|
|
|
|
}
|
|
|
|
|
return newp;
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-08 15:22:02 +00:00
|
|
|
int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2015-12-08 15:22:02 +00:00
|
|
|
const struct xfrm_policy *p;
|
|
|
|
|
struct xfrm_policy *np;
|
|
|
|
|
int i, ret = 0;
|
|
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
for (i = 0; i < 2; i++) {
|
|
|
|
|
p = rcu_dereference(osk->sk_policy[i]);
|
|
|
|
|
if (p) {
|
|
|
|
|
np = clone_policy(p, i);
|
|
|
|
|
if (unlikely(!np)) {
|
|
|
|
|
ret = -ENOMEM;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
rcu_assign_pointer(sk->sk_policy[i], np);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
return ret;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2006-09-19 19:57:34 +00:00
|
|
|
static int
|
2015-08-10 22:58:11 +00:00
|
|
|
xfrm_get_saddr(struct net *net, int oif, xfrm_address_t *local,
|
net: xfrm: support setting an output mark.
On systems that use mark-based routing it may be necessary for
routing lookups to use marks in order for packets to be routed
correctly. An example of such a system is Android, which uses
socket marks to route packets via different networks.
Currently, routing lookups in tunnel mode always use a mark of
zero, making routing incorrect on such systems.
This patch adds a new output_mark element to the xfrm state and
a corresponding XFRMA_OUTPUT_MARK netlink attribute. The output
mark differs from the existing xfrm mark in two ways:
1. The xfrm mark is used to match xfrm policies and states, while
the xfrm output mark is used to set the mark (and influence
the routing) of the packets emitted by those states.
2. The existing mark is constrained to be a subset of the bits of
the originating socket or transformed packet, but the output
mark is arbitrary and depends only on the state.
The use of a separate mark provides additional flexibility. For
example:
- A packet subject to two transforms (e.g., transport mode inside
tunnel mode) can have two different output marks applied to it,
one for the transport mode SA and one for the tunnel mode SA.
- On a system where socket marks determine routing, the packets
emitted by an IPsec tunnel can be routed based on a mark that
is determined by the tunnel, not by the marks of the
unencrypted packets.
- Support for setting the output marks can be introduced without
breaking any existing setups that employ both mark-based
routing and xfrm tunnel mode. Simply changing the code to use
the xfrm mark for routing output packets could xfrm mark could
change behaviour in a way that breaks these setups.
If the output mark is unspecified or set to zero, the mark is not
set or changed.
Tested: make allyesconfig; make -j64
Tested: https://android-review.googlesource.com/452776
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2017-08-10 17:11:33 +00:00
|
|
|
xfrm_address_t *remote, unsigned short family, u32 mark)
|
2006-09-19 19:57:34 +00:00
|
|
|
{
|
|
|
|
|
int err;
|
2017-02-07 14:00:19 +00:00
|
|
|
const struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
2006-09-19 19:57:34 +00:00
|
|
|
|
|
|
|
|
if (unlikely(afinfo == NULL))
|
|
|
|
|
return -EINVAL;
|
net: xfrm: support setting an output mark.
On systems that use mark-based routing it may be necessary for
routing lookups to use marks in order for packets to be routed
correctly. An example of such a system is Android, which uses
socket marks to route packets via different networks.
Currently, routing lookups in tunnel mode always use a mark of
zero, making routing incorrect on such systems.
This patch adds a new output_mark element to the xfrm state and
a corresponding XFRMA_OUTPUT_MARK netlink attribute. The output
mark differs from the existing xfrm mark in two ways:
1. The xfrm mark is used to match xfrm policies and states, while
the xfrm output mark is used to set the mark (and influence
the routing) of the packets emitted by those states.
2. The existing mark is constrained to be a subset of the bits of
the originating socket or transformed packet, but the output
mark is arbitrary and depends only on the state.
The use of a separate mark provides additional flexibility. For
example:
- A packet subject to two transforms (e.g., transport mode inside
tunnel mode) can have two different output marks applied to it,
one for the transport mode SA and one for the tunnel mode SA.
- On a system where socket marks determine routing, the packets
emitted by an IPsec tunnel can be routed based on a mark that
is determined by the tunnel, not by the marks of the
unencrypted packets.
- Support for setting the output marks can be introduced without
breaking any existing setups that employ both mark-based
routing and xfrm tunnel mode. Simply changing the code to use
the xfrm mark for routing output packets could xfrm mark could
change behaviour in a way that breaks these setups.
If the output mark is unspecified or set to zero, the mark is not
set or changed.
Tested: make allyesconfig; make -j64
Tested: https://android-review.googlesource.com/452776
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2017-08-10 17:11:33 +00:00
|
|
|
err = afinfo->get_saddr(net, oif, local, remote, mark);
|
2017-02-07 14:00:18 +00:00
|
|
|
rcu_read_unlock();
|
2006-09-19 19:57:34 +00:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* Resolve list of templates for the flow, given policy. */
|
|
|
|
|
|
|
|
|
|
static int
|
2011-02-23 02:35:39 +00:00
|
|
|
xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
|
|
|
|
|
struct xfrm_state **xfrm, unsigned short family)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:56:49 +00:00
|
|
|
struct net *net = xp_net(policy);
|
2005-04-16 22:20:36 +00:00
|
|
|
int nx;
|
|
|
|
|
int i, error;
|
2017-11-15 05:40:57 +00:00
|
|
|
xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
|
|
|
|
|
xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
|
2006-09-19 19:57:34 +00:00
|
|
|
xfrm_address_t tmp;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2013-12-24 01:43:46 +00:00
|
|
|
for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
|
2005-04-16 22:20:36 +00:00
|
|
|
struct xfrm_state *x;
|
2017-11-15 05:40:57 +00:00
|
|
|
xfrm_address_t *remote = daddr;
|
|
|
|
|
xfrm_address_t *local = saddr;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
|
|
|
|
|
|
2017-11-15 05:40:57 +00:00
|
|
|
if (tmpl->mode == XFRM_MODE_TUNNEL ||
|
|
|
|
|
tmpl->mode == XFRM_MODE_BEET) {
|
|
|
|
|
remote = &tmpl->id.daddr;
|
|
|
|
|
local = &tmpl->saddr;
|
|
|
|
|
if (xfrm_addr_any(local, tmpl->encap_family)) {
|
|
|
|
|
error = xfrm_get_saddr(net, fl->flowi_oif,
|
|
|
|
|
&tmp, remote,
|
|
|
|
|
tmpl->encap_family, 0);
|
|
|
|
|
if (error)
|
|
|
|
|
goto fail;
|
|
|
|
|
local = &tmp;
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2018-07-19 17:50:44 +00:00
|
|
|
x = xfrm_state_find(remote, local, fl, tmpl, policy, &error,
|
|
|
|
|
family, policy->if_id);
|
2024-04-30 07:09:09 +00:00
|
|
|
if (x && x->dir && x->dir != XFRM_SA_DIR_OUT) {
|
|
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEDIRERROR);
|
|
|
|
|
xfrm_state_put(x);
|
|
|
|
|
error = -EINVAL;
|
|
|
|
|
goto fail;
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (x && x->km.state == XFRM_STATE_VALID) {
|
|
|
|
|
xfrm[nx++] = x;
|
2017-11-15 05:40:57 +00:00
|
|
|
daddr = remote;
|
|
|
|
|
saddr = local;
|
2005-04-16 22:20:36 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
if (x) {
|
|
|
|
|
error = (x->km.state == XFRM_STATE_ERROR ?
|
|
|
|
|
-EINVAL : -EAGAIN);
|
|
|
|
|
xfrm_state_put(x);
|
2013-12-24 01:43:49 +00:00
|
|
|
} else if (error == -ESRCH) {
|
2008-10-23 04:27:19 +00:00
|
|
|
error = -EAGAIN;
|
2013-12-24 01:43:49 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
if (!tmpl->optional)
|
|
|
|
|
goto fail;
|
|
|
|
|
}
|
|
|
|
|
return nx;
|
|
|
|
|
|
|
|
|
|
fail:
|
2013-12-24 01:43:46 +00:00
|
|
|
for (nx--; nx >= 0; nx--)
|
2005-04-16 22:20:36 +00:00
|
|
|
xfrm_state_put(xfrm[nx]);
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2006-08-24 05:43:30 +00:00
|
|
|
static int
|
2011-02-23 02:35:39 +00:00
|
|
|
xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl,
|
|
|
|
|
struct xfrm_state **xfrm, unsigned short family)
|
2006-08-24 05:43:30 +00:00
|
|
|
{
|
2006-08-24 05:48:31 +00:00
|
|
|
struct xfrm_state *tp[XFRM_MAX_DEPTH];
|
|
|
|
|
struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
|
2006-08-24 05:43:30 +00:00
|
|
|
int cnx = 0;
|
|
|
|
|
int error;
|
|
|
|
|
int ret;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < npols; i++) {
|
|
|
|
|
if (cnx + pols[i]->xfrm_nr >= XFRM_MAX_DEPTH) {
|
|
|
|
|
error = -ENOBUFS;
|
|
|
|
|
goto fail;
|
|
|
|
|
}
|
2006-08-24 05:48:31 +00:00
|
|
|
|
|
|
|
|
ret = xfrm_tmpl_resolve_one(pols[i], fl, &tpp[cnx], family);
|
2006-08-24 05:43:30 +00:00
|
|
|
if (ret < 0) {
|
|
|
|
|
error = ret;
|
|
|
|
|
goto fail;
|
|
|
|
|
} else
|
|
|
|
|
cnx += ret;
|
|
|
|
|
}
|
|
|
|
|
|
2006-08-24 05:48:31 +00:00
|
|
|
/* found states are sorted for outbound processing */
|
|
|
|
|
if (npols > 1)
|
|
|
|
|
xfrm_state_sort(xfrm, tpp, cnx, family);
|
|
|
|
|
|
2006-08-24 05:43:30 +00:00
|
|
|
return cnx;
|
|
|
|
|
|
|
|
|
|
fail:
|
2013-12-24 01:43:46 +00:00
|
|
|
for (cnx--; cnx >= 0; cnx--)
|
2006-08-24 05:48:31 +00:00
|
|
|
xfrm_state_put(tpp[cnx]);
|
2006-08-24 05:43:30 +00:00
|
|
|
return error;
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-07 14:00:14 +00:00
|
|
|
static int xfrm_get_tos(const struct flowi *fl, int family)
|
2007-12-11 17:32:34 +00:00
|
|
|
{
|
2019-04-16 14:44:37 +00:00
|
|
|
if (family == AF_INET)
|
|
|
|
|
return IPTOS_RT_MASK & fl->u.ip4.flowi4_tos;
|
2018-02-17 07:16:22 +00:00
|
|
|
|
2019-04-16 14:44:37 +00:00
|
|
|
return 0;
|
2007-12-11 17:32:34 +00:00
|
|
|
}
|
|
|
|
|
|
2010-01-25 06:47:53 +00:00
|
|
|
static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2017-02-07 14:00:19 +00:00
|
|
|
const struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
2010-01-25 06:47:53 +00:00
|
|
|
struct dst_ops *dst_ops;
|
2007-12-11 17:32:34 +00:00
|
|
|
struct xfrm_dst *xdst;
|
|
|
|
|
|
|
|
|
|
if (!afinfo)
|
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
2010-01-25 06:47:53 +00:00
|
|
|
switch (family) {
|
|
|
|
|
case AF_INET:
|
|
|
|
|
dst_ops = &net->xfrm.xfrm4_dst_ops;
|
|
|
|
|
break;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2010-01-25 06:47:53 +00:00
|
|
|
case AF_INET6:
|
|
|
|
|
dst_ops = &net->xfrm.xfrm6_dst_ops;
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
default:
|
|
|
|
|
BUG();
|
|
|
|
|
}
|
2023-09-11 12:50:45 +00:00
|
|
|
xdst = dst_alloc(dst_ops, NULL, DST_OBSOLETE_NONE, 0);
|
2007-12-11 17:32:34 +00:00
|
|
|
|
2011-09-26 07:04:36 +00:00
|
|
|
if (likely(xdst)) {
|
2021-06-17 15:34:19 +00:00
|
|
|
memset_after(xdst, 0, u.dst);
|
2011-09-26 07:04:36 +00:00
|
|
|
} else
|
2011-02-11 07:08:33 +00:00
|
|
|
xdst = ERR_PTR(-ENOBUFS);
|
2010-04-07 00:30:05 +00:00
|
|
|
|
2017-02-07 14:00:18 +00:00
|
|
|
rcu_read_unlock();
|
2011-09-26 07:04:36 +00:00
|
|
|
|
2007-12-11 17:32:34 +00:00
|
|
|
return xdst;
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-16 14:44:38 +00:00
|
|
|
static void xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst,
|
|
|
|
|
int nfheader_len)
|
2007-12-21 04:41:12 +00:00
|
|
|
{
|
2019-04-16 14:44:38 +00:00
|
|
|
if (dst->ops->family == AF_INET6) {
|
2024-04-26 15:19:52 +00:00
|
|
|
path->path_cookie = rt6_get_cookie(dst_rt6_info(dst));
|
2019-04-16 14:44:38 +00:00
|
|
|
path->u.rt6.rt6i_nfheader_len = nfheader_len;
|
|
|
|
|
}
|
2007-12-21 04:41:12 +00:00
|
|
|
}
|
|
|
|
|
|
2010-03-02 02:51:56 +00:00
|
|
|
static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
|
2011-02-23 01:48:57 +00:00
|
|
|
const struct flowi *fl)
|
2007-12-11 17:32:34 +00:00
|
|
|
{
|
2017-02-07 14:00:19 +00:00
|
|
|
const struct xfrm_policy_afinfo *afinfo =
|
2007-12-11 17:32:34 +00:00
|
|
|
xfrm_policy_get_afinfo(xdst->u.dst.ops->family);
|
|
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
if (!afinfo)
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EINVAL;
|
2007-12-11 17:32:34 +00:00
|
|
|
|
2010-03-02 02:51:56 +00:00
|
|
|
err = afinfo->fill_dst(xdst, dev, fl);
|
2007-12-11 17:32:34 +00:00
|
|
|
|
2017-02-07 14:00:18 +00:00
|
|
|
rcu_read_unlock();
|
2007-12-11 17:32:34 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2010-04-07 00:30:05 +00:00
|
|
|
|
2007-12-11 17:32:34 +00:00
|
|
|
/* Allocate chain of dst_entry's, attach known xfrm's, calculate
|
|
|
|
|
* all the metrics... Shortly, bundle a bundle.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
|
2017-11-28 20:41:01 +00:00
|
|
|
struct xfrm_state **xfrm,
|
|
|
|
|
struct xfrm_dst **bundle,
|
|
|
|
|
int nx,
|
2011-02-23 02:36:50 +00:00
|
|
|
const struct flowi *fl,
|
2007-12-11 17:32:34 +00:00
|
|
|
struct dst_entry *dst)
|
|
|
|
|
{
|
2019-03-29 20:16:30 +00:00
|
|
|
const struct xfrm_state_afinfo *afinfo;
|
2019-03-29 20:16:31 +00:00
|
|
|
const struct xfrm_mode *inner_mode;
|
2010-01-25 06:47:53 +00:00
|
|
|
struct net *net = xp_net(policy);
|
2007-12-11 17:32:34 +00:00
|
|
|
unsigned long now = jiffies;
|
|
|
|
|
struct net_device *dev;
|
2017-11-28 20:40:28 +00:00
|
|
|
struct xfrm_dst *xdst_prev = NULL;
|
|
|
|
|
struct xfrm_dst *xdst0 = NULL;
|
2007-12-11 17:32:34 +00:00
|
|
|
int i = 0;
|
|
|
|
|
int err;
|
|
|
|
|
int header_len = 0;
|
2007-12-21 04:41:12 +00:00
|
|
|
int nfheader_len = 0;
|
2007-12-11 17:32:34 +00:00
|
|
|
int trailer_len = 0;
|
|
|
|
|
int tos;
|
|
|
|
|
int family = policy->selector.family;
|
2008-02-22 05:48:22 +00:00
|
|
|
xfrm_address_t saddr, daddr;
|
|
|
|
|
|
|
|
|
|
xfrm_flowi_addr_get(fl, &saddr, &daddr, family);
|
2007-12-11 17:32:34 +00:00
|
|
|
|
|
|
|
|
tos = xfrm_get_tos(fl, family);
|
|
|
|
|
|
|
|
|
|
dst_hold(dst);
|
|
|
|
|
|
|
|
|
|
for (; i < nx; i++) {
|
2010-01-25 06:47:53 +00:00
|
|
|
struct xfrm_dst *xdst = xfrm_alloc_dst(net, family);
|
2007-12-11 17:32:34 +00:00
|
|
|
struct dst_entry *dst1 = &xdst->u.dst;
|
|
|
|
|
|
|
|
|
|
err = PTR_ERR(xdst);
|
|
|
|
|
if (IS_ERR(xdst)) {
|
|
|
|
|
dst_release(dst);
|
|
|
|
|
goto put_states;
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-28 20:41:01 +00:00
|
|
|
bundle[i] = xdst;
|
2017-11-28 20:40:28 +00:00
|
|
|
if (!xdst_prev)
|
|
|
|
|
xdst0 = xdst;
|
2017-10-11 03:59:38 +00:00
|
|
|
else
|
|
|
|
|
/* Ref count is taken during xfrm_alloc_dst()
|
|
|
|
|
* No need to do dst_clone() on dst1
|
|
|
|
|
*/
|
2017-11-28 20:40:28 +00:00
|
|
|
xfrm_dst_set_child(xdst_prev, &xdst->u.dst);
|
2017-10-11 03:59:38 +00:00
|
|
|
|
2011-05-09 19:36:38 +00:00
|
|
|
if (xfrm[i]->sel.family == AF_UNSPEC) {
|
|
|
|
|
inner_mode = xfrm_ip2inner_mode(xfrm[i],
|
|
|
|
|
xfrm_af2proto(family));
|
|
|
|
|
if (!inner_mode) {
|
|
|
|
|
err = -EAFNOSUPPORT;
|
|
|
|
|
dst_release(dst);
|
|
|
|
|
goto put_states;
|
|
|
|
|
}
|
|
|
|
|
} else
|
2019-03-29 20:16:32 +00:00
|
|
|
inner_mode = &xfrm[i]->inner_mode;
|
2011-05-09 19:36:38 +00:00
|
|
|
|
2007-12-11 17:32:34 +00:00
|
|
|
xdst->route = dst;
|
2010-12-09 05:16:57 +00:00
|
|
|
dst_copy_metrics(dst1, dst);
|
2007-12-11 17:32:34 +00:00
|
|
|
|
|
|
|
|
if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
|
2019-01-14 19:24:38 +00:00
|
|
|
__u32 mark = 0;
|
2022-04-01 18:58:37 +00:00
|
|
|
int oif;
|
2019-01-14 19:24:38 +00:00
|
|
|
|
|
|
|
|
if (xfrm[i]->props.smark.v || xfrm[i]->props.smark.m)
|
|
|
|
|
mark = xfrm_smark_get(fl->flowi_mark, xfrm[i]);
|
2018-06-12 10:44:26 +00:00
|
|
|
|
2024-03-04 12:24:08 +00:00
|
|
|
if (xfrm[i]->xso.type != XFRM_DEV_OFFLOAD_PACKET)
|
|
|
|
|
family = xfrm[i]->props.family;
|
|
|
|
|
|
2022-04-01 18:58:37 +00:00
|
|
|
oif = fl->flowi_oif ? : fl->flowi_l3mdev;
|
|
|
|
|
dst = xfrm_dst_lookup(xfrm[i], tos, oif,
|
2018-06-12 10:44:26 +00:00
|
|
|
&saddr, &daddr, family, mark);
|
2007-12-11 17:32:34 +00:00
|
|
|
err = PTR_ERR(dst);
|
|
|
|
|
if (IS_ERR(dst))
|
|
|
|
|
goto put_states;
|
|
|
|
|
} else
|
|
|
|
|
dst_hold(dst);
|
|
|
|
|
|
|
|
|
|
dst1->xfrm = xfrm[i];
|
2010-04-07 00:30:05 +00:00
|
|
|
xdst->xfrm_genid = xfrm[i]->genid;
|
2007-12-11 17:32:34 +00:00
|
|
|
|
2012-07-19 19:31:33 +00:00
|
|
|
dst1->obsolete = DST_OBSOLETE_FORCE_CHK;
|
2007-12-11 17:32:34 +00:00
|
|
|
dst1->lastuse = now;
|
|
|
|
|
|
|
|
|
|
dst1->input = dst_discard;
|
2019-03-29 20:16:30 +00:00
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
afinfo = xfrm_state_afinfo_get_rcu(inner_mode->family);
|
|
|
|
|
if (likely(afinfo))
|
|
|
|
|
dst1->output = afinfo->output;
|
|
|
|
|
else
|
|
|
|
|
dst1->output = dst_discard_out;
|
|
|
|
|
rcu_read_unlock();
|
2007-12-11 17:32:34 +00:00
|
|
|
|
2017-11-28 20:40:28 +00:00
|
|
|
xdst_prev = xdst;
|
2007-12-11 17:32:34 +00:00
|
|
|
|
|
|
|
|
header_len += xfrm[i]->props.header_len;
|
2007-12-21 04:41:12 +00:00
|
|
|
if (xfrm[i]->type->flags & XFRM_TYPE_NON_FRAGMENT)
|
|
|
|
|
nfheader_len += xfrm[i]->props.header_len;
|
2007-12-11 17:32:34 +00:00
|
|
|
trailer_len += xfrm[i]->props.trailer_len;
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-28 20:40:28 +00:00
|
|
|
xfrm_dst_set_child(xdst_prev, dst);
|
2017-11-28 20:40:46 +00:00
|
|
|
xdst0->path = dst;
|
2007-12-11 17:32:34 +00:00
|
|
|
|
|
|
|
|
err = -ENODEV;
|
|
|
|
|
dev = dst->dev;
|
|
|
|
|
if (!dev)
|
|
|
|
|
goto free_dst;
|
|
|
|
|
|
2017-11-28 20:40:28 +00:00
|
|
|
xfrm_init_path(xdst0, dst, nfheader_len);
|
2017-11-28 20:41:01 +00:00
|
|
|
xfrm_init_pmtu(bundle, nx);
|
2007-12-11 17:32:34 +00:00
|
|
|
|
2017-11-28 20:40:28 +00:00
|
|
|
for (xdst_prev = xdst0; xdst_prev != (struct xfrm_dst *)dst;
|
|
|
|
|
xdst_prev = (struct xfrm_dst *) xfrm_dst_child(&xdst_prev->u.dst)) {
|
|
|
|
|
err = xfrm_fill_dst(xdst_prev, dev, fl);
|
2007-12-11 17:32:34 +00:00
|
|
|
if (err)
|
|
|
|
|
goto free_dst;
|
|
|
|
|
|
2017-11-28 20:40:28 +00:00
|
|
|
xdst_prev->u.dst.header_len = header_len;
|
|
|
|
|
xdst_prev->u.dst.trailer_len = trailer_len;
|
|
|
|
|
header_len -= xdst_prev->u.dst.xfrm->props.header_len;
|
|
|
|
|
trailer_len -= xdst_prev->u.dst.xfrm->props.trailer_len;
|
2007-12-11 17:32:34 +00:00
|
|
|
}
|
|
|
|
|
|
2017-11-28 20:40:28 +00:00
|
|
|
return &xdst0->u.dst;
|
2007-12-11 17:32:34 +00:00
|
|
|
|
|
|
|
|
put_states:
|
|
|
|
|
for (; i < nx; i++)
|
|
|
|
|
xfrm_state_put(xfrm[i]);
|
|
|
|
|
free_dst:
|
2017-11-28 20:40:28 +00:00
|
|
|
if (xdst0)
|
|
|
|
|
dst_release_immediate(&xdst0->u.dst);
|
2018-05-31 07:45:18 +00:00
|
|
|
|
|
|
|
|
return ERR_PTR(err);
|
2007-12-11 17:32:34 +00:00
|
|
|
}
|
|
|
|
|
|
2011-02-23 02:33:42 +00:00
|
|
|
static int xfrm_expand_policies(const struct flowi *fl, u16 family,
|
2010-04-07 00:30:05 +00:00
|
|
|
struct xfrm_policy **pols,
|
|
|
|
|
int *num_pols, int *num_xfrms)
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
if (*num_pols == 0 || !pols[0]) {
|
|
|
|
|
*num_pols = 0;
|
|
|
|
|
*num_xfrms = 0;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2022-06-01 06:46:25 +00:00
|
|
|
if (IS_ERR(pols[0])) {
|
|
|
|
|
*num_pols = 0;
|
2010-04-07 00:30:05 +00:00
|
|
|
return PTR_ERR(pols[0]);
|
2022-06-01 06:46:25 +00:00
|
|
|
}
|
2010-04-07 00:30:05 +00:00
|
|
|
|
|
|
|
|
*num_xfrms = pols[0]->xfrm_nr;
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
2021-11-30 07:03:12 +00:00
|
|
|
if (pols[0]->action == XFRM_POLICY_ALLOW &&
|
2010-04-07 00:30:05 +00:00
|
|
|
pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
|
|
|
|
|
pols[1] = xfrm_policy_lookup_bytype(xp_net(pols[0]),
|
|
|
|
|
XFRM_POLICY_TYPE_MAIN,
|
|
|
|
|
fl, family,
|
2018-07-19 17:50:44 +00:00
|
|
|
XFRM_POLICY_OUT,
|
|
|
|
|
pols[0]->if_id);
|
2010-04-07 00:30:05 +00:00
|
|
|
if (pols[1]) {
|
|
|
|
|
if (IS_ERR(pols[1])) {
|
|
|
|
|
xfrm_pols_put(pols, *num_pols);
|
2022-06-01 06:46:25 +00:00
|
|
|
*num_pols = 0;
|
2010-04-07 00:30:05 +00:00
|
|
|
return PTR_ERR(pols[1]);
|
|
|
|
|
}
|
2013-12-24 01:43:48 +00:00
|
|
|
(*num_pols)++;
|
2010-04-07 00:30:05 +00:00
|
|
|
(*num_xfrms) += pols[1]->xfrm_nr;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
for (i = 0; i < *num_pols; i++) {
|
|
|
|
|
if (pols[i]->action != XFRM_POLICY_ALLOW) {
|
|
|
|
|
*num_xfrms = -1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct xfrm_dst *
|
|
|
|
|
xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
|
2011-02-23 02:38:51 +00:00
|
|
|
const struct flowi *fl, u16 family,
|
2010-04-07 00:30:05 +00:00
|
|
|
struct dst_entry *dst_orig)
|
|
|
|
|
{
|
|
|
|
|
struct net *net = xp_net(pols[0]);
|
|
|
|
|
struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
|
2017-11-28 20:41:01 +00:00
|
|
|
struct xfrm_dst *bundle[XFRM_MAX_DEPTH];
|
xfrm: policy: remove pcpu policy cache
Kristian Evensen says:
In a project I am involved in, we are running ipsec (Strongswan) on
different mt7621-based routers. Each router is configured as an
initiator and has around ~30 tunnels to different responders (running
on misc. devices). Before the flow cache was removed (kernel 4.9), we
got a combined throughput of around 70Mbit/s for all tunnels on one
router. However, we recently switched to kernel 4.14 (4.14.48), and
the total throughput is somewhere around 57Mbit/s (best-case). I.e., a
drop of around 20%. Reverting the flow cache removal restores, as
expected, performance levels to that of kernel 4.9.
When pcpu xdst exists, it has to be validated first before it can be
used.
A negative hit thus increases cost vs. no-cache.
As number of tunnels increases, hit rate decreases so this pcpu caching
isn't a viable strategy.
Furthermore, the xdst cache also needs to run with BH off, so when
removing this the bh disable/enable pairs can be removed too.
Kristian tested a 4.14.y backport of this change and reported
increased performance:
In our tests, the throughput reduction has been reduced from around -20%
to -5%. We also see that the overall throughput is independent of the
number of tunnels, while before the throughput was reduced as the number
of tunnels increased.
Reported-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2018-06-25 15:26:02 +00:00
|
|
|
struct xfrm_dst *xdst;
|
2010-04-07 00:30:05 +00:00
|
|
|
struct dst_entry *dst;
|
|
|
|
|
int err;
|
|
|
|
|
|
2017-11-02 15:46:01 +00:00
|
|
|
/* Try to instantiate a bundle */
|
|
|
|
|
err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);
|
|
|
|
|
if (err <= 0) {
|
2018-07-25 08:54:33 +00:00
|
|
|
if (err == 0)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (err != -EAGAIN)
|
2017-11-02 15:46:01 +00:00
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
|
|
|
|
|
return ERR_PTR(err);
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-28 20:41:01 +00:00
|
|
|
dst = xfrm_bundle_create(pols[0], xfrm, bundle, err, fl, dst_orig);
|
2010-04-07 00:30:05 +00:00
|
|
|
if (IS_ERR(dst)) {
|
|
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLEGENERROR);
|
|
|
|
|
return ERR_CAST(dst);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
xdst = (struct xfrm_dst *)dst;
|
|
|
|
|
xdst->num_xfrms = err;
|
|
|
|
|
xdst->num_pols = num_pols;
|
2013-12-24 01:43:47 +00:00
|
|
|
memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols);
|
2010-04-07 00:30:05 +00:00
|
|
|
xdst->policy_genid = atomic_read(&pols[0]->genid);
|
|
|
|
|
|
|
|
|
|
return xdst;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-17 00:28:56 +00:00
|
|
|
static void xfrm_policy_queue_process(struct timer_list *t)
|
2013-02-05 11:52:55 +00:00
|
|
|
{
|
|
|
|
|
struct sk_buff *skb;
|
|
|
|
|
struct sock *sk;
|
|
|
|
|
struct dst_entry *dst;
|
2017-10-17 00:28:56 +00:00
|
|
|
struct xfrm_policy *pol = from_timer(pol, t, polq.hold_timer);
|
2015-10-07 21:48:34 +00:00
|
|
|
struct net *net = xp_net(pol);
|
2013-02-05 11:52:55 +00:00
|
|
|
struct xfrm_policy_queue *pq = &pol->polq;
|
|
|
|
|
struct flowi fl;
|
|
|
|
|
struct sk_buff_head list;
|
2020-07-17 08:35:32 +00:00
|
|
|
__u32 skb_mark;
|
2013-02-05 11:52:55 +00:00
|
|
|
|
|
|
|
|
spin_lock(&pq->hold_queue.lock);
|
|
|
|
|
skb = skb_peek(&pq->hold_queue);
|
2013-10-08 08:49:51 +00:00
|
|
|
if (!skb) {
|
|
|
|
|
spin_unlock(&pq->hold_queue.lock);
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
2013-02-05 11:52:55 +00:00
|
|
|
dst = skb_dst(skb);
|
|
|
|
|
sk = skb->sk;
|
2020-07-17 08:35:32 +00:00
|
|
|
|
|
|
|
|
/* Fixup the mark to support VTI. */
|
|
|
|
|
skb_mark = skb->mark;
|
|
|
|
|
skb->mark = pol->mark.v;
|
2023-10-04 16:09:51 +00:00
|
|
|
xfrm_decode_session(net, skb, &fl, dst->ops->family);
|
2020-07-17 08:35:32 +00:00
|
|
|
skb->mark = skb_mark;
|
2013-02-05 11:52:55 +00:00
|
|
|
spin_unlock(&pq->hold_queue.lock);
|
|
|
|
|
|
2017-11-28 20:40:46 +00:00
|
|
|
dst_hold(xfrm_dst_path(dst));
|
2018-02-01 10:26:12 +00:00
|
|
|
dst = xfrm_lookup(net, xfrm_dst_path(dst), &fl, sk, XFRM_LOOKUP_QUEUE);
|
2013-02-05 11:52:55 +00:00
|
|
|
if (IS_ERR(dst))
|
|
|
|
|
goto purge_queue;
|
|
|
|
|
|
|
|
|
|
if (dst->flags & DST_XFRM_QUEUE) {
|
|
|
|
|
dst_release(dst);
|
|
|
|
|
|
|
|
|
|
if (pq->timeout >= XFRM_QUEUE_TMO_MAX)
|
|
|
|
|
goto purge_queue;
|
|
|
|
|
|
|
|
|
|
pq->timeout = pq->timeout << 1;
|
2013-10-08 08:49:45 +00:00
|
|
|
if (!mod_timer(&pq->hold_timer, jiffies + pq->timeout))
|
|
|
|
|
xfrm_pol_hold(pol);
|
2018-11-13 14:28:42 +00:00
|
|
|
goto out;
|
2013-02-05 11:52:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dst_release(dst);
|
|
|
|
|
|
|
|
|
|
__skb_queue_head_init(&list);
|
|
|
|
|
|
|
|
|
|
spin_lock(&pq->hold_queue.lock);
|
|
|
|
|
pq->timeout = 0;
|
|
|
|
|
skb_queue_splice_init(&pq->hold_queue, &list);
|
|
|
|
|
spin_unlock(&pq->hold_queue.lock);
|
|
|
|
|
|
|
|
|
|
while (!skb_queue_empty(&list)) {
|
|
|
|
|
skb = __skb_dequeue(&list);
|
|
|
|
|
|
2020-07-17 08:35:32 +00:00
|
|
|
/* Fixup the mark to support VTI. */
|
|
|
|
|
skb_mark = skb->mark;
|
|
|
|
|
skb->mark = pol->mark.v;
|
2023-10-04 16:09:51 +00:00
|
|
|
xfrm_decode_session(net, skb, &fl, skb_dst(skb)->ops->family);
|
2020-07-17 08:35:32 +00:00
|
|
|
skb->mark = skb_mark;
|
|
|
|
|
|
2017-11-28 20:40:46 +00:00
|
|
|
dst_hold(xfrm_dst_path(skb_dst(skb)));
|
|
|
|
|
dst = xfrm_lookup(net, xfrm_dst_path(skb_dst(skb)), &fl, skb->sk, 0);
|
2013-02-05 11:52:55 +00:00
|
|
|
if (IS_ERR(dst)) {
|
|
|
|
|
kfree_skb(skb);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-29 18:54:03 +00:00
|
|
|
nf_reset_ct(skb);
|
2013-02-05 11:52:55 +00:00
|
|
|
skb_dst_drop(skb);
|
|
|
|
|
skb_dst_set(skb, dst);
|
|
|
|
|
|
2015-10-07 21:48:35 +00:00
|
|
|
dst_output(net, skb->sk, skb);
|
2013-02-05 11:52:55 +00:00
|
|
|
}
|
|
|
|
|
|
2013-10-08 08:49:45 +00:00
|
|
|
out:
|
|
|
|
|
xfrm_pol_put(pol);
|
2013-02-05 11:52:55 +00:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
purge_queue:
|
|
|
|
|
pq->timeout = 0;
|
2015-04-22 07:51:16 +00:00
|
|
|
skb_queue_purge(&pq->hold_queue);
|
2013-10-08 08:49:45 +00:00
|
|
|
xfrm_pol_put(pol);
|
2013-02-05 11:52:55 +00:00
|
|
|
}
|
|
|
|
|
|
2015-10-07 21:48:47 +00:00
|
|
|
static int xdst_queue_output(struct net *net, struct sock *sk, struct sk_buff *skb)
|
2013-02-05 11:52:55 +00:00
|
|
|
{
|
|
|
|
|
unsigned long sched_next;
|
|
|
|
|
struct dst_entry *dst = skb_dst(skb);
|
|
|
|
|
struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
|
2013-10-08 08:49:45 +00:00
|
|
|
struct xfrm_policy *pol = xdst->pols[0];
|
|
|
|
|
struct xfrm_policy_queue *pq = &pol->polq;
|
2013-10-16 11:42:46 +00:00
|
|
|
|
2014-10-30 17:32:34 +00:00
|
|
|
if (unlikely(skb_fclone_busy(sk, skb))) {
|
2013-10-16 11:42:46 +00:00
|
|
|
kfree_skb(skb);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2013-02-05 11:52:55 +00:00
|
|
|
|
|
|
|
|
if (pq->hold_queue.qlen > XFRM_MAX_QUEUE_LEN) {
|
|
|
|
|
kfree_skb(skb);
|
|
|
|
|
return -EAGAIN;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
skb_dst_force(skb);
|
|
|
|
|
|
|
|
|
|
spin_lock_bh(&pq->hold_queue.lock);
|
|
|
|
|
|
|
|
|
|
if (!pq->timeout)
|
|
|
|
|
pq->timeout = XFRM_QUEUE_TMO_MIN;
|
|
|
|
|
|
|
|
|
|
sched_next = jiffies + pq->timeout;
|
|
|
|
|
|
|
|
|
|
if (del_timer(&pq->hold_timer)) {
|
|
|
|
|
if (time_before(pq->hold_timer.expires, sched_next))
|
|
|
|
|
sched_next = pq->hold_timer.expires;
|
2013-10-08 08:49:45 +00:00
|
|
|
xfrm_pol_put(pol);
|
2013-02-05 11:52:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
__skb_queue_tail(&pq->hold_queue, skb);
|
2013-10-08 08:49:45 +00:00
|
|
|
if (!mod_timer(&pq->hold_timer, sched_next))
|
|
|
|
|
xfrm_pol_hold(pol);
|
2013-02-05 11:52:55 +00:00
|
|
|
|
|
|
|
|
spin_unlock_bh(&pq->hold_queue.lock);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct xfrm_dst *xfrm_create_dummy_bundle(struct net *net,
|
2014-09-16 08:08:49 +00:00
|
|
|
struct xfrm_flo *xflo,
|
2013-02-05 11:52:55 +00:00
|
|
|
const struct flowi *fl,
|
|
|
|
|
int num_xfrms,
|
|
|
|
|
u16 family)
|
|
|
|
|
{
|
|
|
|
|
int err;
|
|
|
|
|
struct net_device *dev;
|
2014-09-16 08:08:49 +00:00
|
|
|
struct dst_entry *dst;
|
2013-02-05 11:52:55 +00:00
|
|
|
struct dst_entry *dst1;
|
|
|
|
|
struct xfrm_dst *xdst;
|
|
|
|
|
|
|
|
|
|
xdst = xfrm_alloc_dst(net, family);
|
|
|
|
|
if (IS_ERR(xdst))
|
|
|
|
|
return xdst;
|
|
|
|
|
|
2014-09-16 08:08:49 +00:00
|
|
|
if (!(xflo->flags & XFRM_LOOKUP_QUEUE) ||
|
|
|
|
|
net->xfrm.sysctl_larval_drop ||
|
|
|
|
|
num_xfrms <= 0)
|
2013-02-05 11:52:55 +00:00
|
|
|
return xdst;
|
|
|
|
|
|
2014-09-16 08:08:49 +00:00
|
|
|
dst = xflo->dst_orig;
|
2013-02-05 11:52:55 +00:00
|
|
|
dst1 = &xdst->u.dst;
|
|
|
|
|
dst_hold(dst);
|
|
|
|
|
xdst->route = dst;
|
|
|
|
|
|
|
|
|
|
dst_copy_metrics(dst1, dst);
|
|
|
|
|
|
|
|
|
|
dst1->obsolete = DST_OBSOLETE_FORCE_CHK;
|
2020-03-23 14:31:19 +00:00
|
|
|
dst1->flags |= DST_XFRM_QUEUE;
|
2013-02-05 11:52:55 +00:00
|
|
|
dst1->lastuse = jiffies;
|
|
|
|
|
|
|
|
|
|
dst1->input = dst_discard;
|
|
|
|
|
dst1->output = xdst_queue_output;
|
|
|
|
|
|
|
|
|
|
dst_hold(dst);
|
2017-11-28 20:40:28 +00:00
|
|
|
xfrm_dst_set_child(xdst, dst);
|
2017-11-28 20:40:46 +00:00
|
|
|
xdst->path = dst;
|
2013-02-05 11:52:55 +00:00
|
|
|
|
|
|
|
|
xfrm_init_path((struct xfrm_dst *)dst1, dst, 0);
|
|
|
|
|
|
|
|
|
|
err = -ENODEV;
|
|
|
|
|
dev = dst->dev;
|
|
|
|
|
if (!dev)
|
|
|
|
|
goto free_dst;
|
|
|
|
|
|
|
|
|
|
err = xfrm_fill_dst(xdst, dev, fl);
|
|
|
|
|
if (err)
|
|
|
|
|
goto free_dst;
|
|
|
|
|
|
|
|
|
|
out:
|
|
|
|
|
return xdst;
|
|
|
|
|
|
|
|
|
|
free_dst:
|
|
|
|
|
dst_release(dst1);
|
|
|
|
|
xdst = ERR_PTR(err);
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-19 17:50:44 +00:00
|
|
|
static struct xfrm_dst *xfrm_bundle_lookup(struct net *net,
|
|
|
|
|
const struct flowi *fl,
|
|
|
|
|
u16 family, u8 dir,
|
|
|
|
|
struct xfrm_flo *xflo, u32 if_id)
|
2010-04-07 00:30:05 +00:00
|
|
|
{
|
|
|
|
|
struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
|
2017-07-17 11:57:22 +00:00
|
|
|
int num_pols = 0, num_xfrms = 0, err;
|
2017-07-17 11:57:25 +00:00
|
|
|
struct xfrm_dst *xdst;
|
2010-04-07 00:30:05 +00:00
|
|
|
|
|
|
|
|
/* Resolve policies to use if we couldn't get them from
|
|
|
|
|
* previous cache entry */
|
2017-07-17 11:57:22 +00:00
|
|
|
num_pols = 1;
|
2018-07-19 17:50:44 +00:00
|
|
|
pols[0] = xfrm_policy_lookup(net, fl, family, dir, if_id);
|
2017-07-17 11:57:22 +00:00
|
|
|
err = xfrm_expand_policies(fl, family, pols,
|
2010-04-07 00:30:05 +00:00
|
|
|
&num_pols, &num_xfrms);
|
2017-07-17 11:57:22 +00:00
|
|
|
if (err < 0)
|
|
|
|
|
goto inc_error;
|
|
|
|
|
if (num_pols == 0)
|
|
|
|
|
return NULL;
|
|
|
|
|
if (num_xfrms <= 0)
|
|
|
|
|
goto make_dummy_bundle;
|
2010-04-07 00:30:05 +00:00
|
|
|
|
2017-07-17 11:57:25 +00:00
|
|
|
xdst = xfrm_resolve_and_create_bundle(pols, num_pols, fl, family,
|
2018-01-10 11:14:28 +00:00
|
|
|
xflo->dst_orig);
|
2017-07-17 11:57:25 +00:00
|
|
|
if (IS_ERR(xdst)) {
|
|
|
|
|
err = PTR_ERR(xdst);
|
2018-06-12 12:07:12 +00:00
|
|
|
if (err == -EREMOTE) {
|
|
|
|
|
xfrm_pols_put(pols, num_pols);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2010-04-07 00:30:05 +00:00
|
|
|
if (err != -EAGAIN)
|
|
|
|
|
goto error;
|
2017-07-17 11:57:22 +00:00
|
|
|
goto make_dummy_bundle;
|
2017-07-17 11:57:25 +00:00
|
|
|
} else if (xdst == NULL) {
|
2010-07-12 21:29:42 +00:00
|
|
|
num_xfrms = 0;
|
2017-07-17 11:57:22 +00:00
|
|
|
goto make_dummy_bundle;
|
2010-04-07 00:30:05 +00:00
|
|
|
}
|
|
|
|
|
|
2017-07-17 11:57:25 +00:00
|
|
|
return xdst;
|
2010-04-07 00:30:05 +00:00
|
|
|
|
|
|
|
|
make_dummy_bundle:
|
|
|
|
|
/* We found policies, but there's no bundles to instantiate:
|
|
|
|
|
* either because the policy blocks, has no transformations or
|
|
|
|
|
* we could not build template (no xfrm_states).*/
|
2014-09-16 08:08:49 +00:00
|
|
|
xdst = xfrm_create_dummy_bundle(net, xflo, fl, num_xfrms, family);
|
2010-04-07 00:30:05 +00:00
|
|
|
if (IS_ERR(xdst)) {
|
|
|
|
|
xfrm_pols_put(pols, num_pols);
|
|
|
|
|
return ERR_CAST(xdst);
|
|
|
|
|
}
|
|
|
|
|
xdst->num_pols = num_pols;
|
|
|
|
|
xdst->num_xfrms = num_xfrms;
|
2013-12-24 01:43:47 +00:00
|
|
|
memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols);
|
2010-04-07 00:30:05 +00:00
|
|
|
|
2017-07-17 11:57:25 +00:00
|
|
|
return xdst;
|
2010-04-07 00:30:05 +00:00
|
|
|
|
|
|
|
|
inc_error:
|
|
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
|
|
|
|
|
error:
|
2017-07-17 11:57:22 +00:00
|
|
|
xfrm_pols_put(pols, num_pols);
|
2010-04-07 00:30:05 +00:00
|
|
|
return ERR_PTR(err);
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2011-03-01 22:59:04 +00:00
|
|
|
static struct dst_entry *make_blackhole(struct net *net, u16 family,
|
|
|
|
|
struct dst_entry *dst_orig)
|
|
|
|
|
{
|
2017-02-07 14:00:19 +00:00
|
|
|
const struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
2011-03-01 22:59:04 +00:00
|
|
|
struct dst_entry *ret;
|
|
|
|
|
|
|
|
|
|
if (!afinfo) {
|
|
|
|
|
dst_release(dst_orig);
|
2012-09-17 22:40:10 +00:00
|
|
|
return ERR_PTR(-EINVAL);
|
2011-03-01 22:59:04 +00:00
|
|
|
} else {
|
|
|
|
|
ret = afinfo->blackhole_route(net, dst_orig);
|
|
|
|
|
}
|
2017-02-07 14:00:18 +00:00
|
|
|
rcu_read_unlock();
|
2011-03-01 22:59:04 +00:00
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-19 17:50:44 +00:00
|
|
|
/* Finds/creates a bundle for given flow and if_id
|
2005-04-16 22:20:36 +00:00
|
|
|
*
|
|
|
|
|
* At the moment we eat a raw IP route. Mostly to speed up lookups
|
|
|
|
|
* on interfaces with disabled IPsec.
|
2018-07-19 17:50:44 +00:00
|
|
|
*
|
|
|
|
|
* xfrm_lookup uses an if_id of 0 by default, and is provided for
|
|
|
|
|
* compatibility
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
2018-07-19 17:50:44 +00:00
|
|
|
struct dst_entry *xfrm_lookup_with_ifid(struct net *net,
|
|
|
|
|
struct dst_entry *dst_orig,
|
|
|
|
|
const struct flowi *fl,
|
|
|
|
|
const struct sock *sk,
|
|
|
|
|
int flags, u32 if_id)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2006-08-24 05:43:30 +00:00
|
|
|
struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
|
2010-04-07 00:30:05 +00:00
|
|
|
struct xfrm_dst *xdst;
|
2011-03-02 21:27:41 +00:00
|
|
|
struct dst_entry *dst, *route;
|
2010-04-07 00:30:05 +00:00
|
|
|
u16 family = dst_orig->ops->family;
|
2017-07-17 11:57:23 +00:00
|
|
|
u8 dir = XFRM_POLICY_OUT;
|
2010-04-27 21:20:22 +00:00
|
|
|
int i, err, num_pols, num_xfrms = 0, drop_pols = 0;
|
2006-07-25 06:29:07 +00:00
|
|
|
|
2010-04-07 00:30:05 +00:00
|
|
|
dst = NULL;
|
|
|
|
|
xdst = NULL;
|
|
|
|
|
route = NULL;
|
2006-08-24 05:43:30 +00:00
|
|
|
|
2015-12-07 16:53:17 +00:00
|
|
|
sk = sk_const_to_full_sk(sk);
|
2007-08-25 20:46:55 +00:00
|
|
|
if (sk && sk->sk_policy[XFRM_POLICY_OUT]) {
|
2010-04-07 00:30:05 +00:00
|
|
|
num_pols = 1;
|
2018-07-19 17:50:44 +00:00
|
|
|
pols[0] = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl, family,
|
|
|
|
|
if_id);
|
2010-04-07 00:30:05 +00:00
|
|
|
err = xfrm_expand_policies(fl, family, pols,
|
|
|
|
|
&num_pols, &num_xfrms);
|
|
|
|
|
if (err < 0)
|
2007-12-11 12:38:08 +00:00
|
|
|
goto dropdst;
|
2010-04-07 00:30:05 +00:00
|
|
|
|
|
|
|
|
if (num_pols) {
|
|
|
|
|
if (num_xfrms <= 0) {
|
|
|
|
|
drop_pols = num_pols;
|
|
|
|
|
goto no_transform;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
xdst = xfrm_resolve_and_create_bundle(
|
|
|
|
|
pols, num_pols, fl,
|
|
|
|
|
family, dst_orig);
|
2018-01-10 11:14:28 +00:00
|
|
|
|
2010-04-07 00:30:05 +00:00
|
|
|
if (IS_ERR(xdst)) {
|
|
|
|
|
xfrm_pols_put(pols, num_pols);
|
|
|
|
|
err = PTR_ERR(xdst);
|
2018-06-12 12:07:12 +00:00
|
|
|
if (err == -EREMOTE)
|
|
|
|
|
goto nopol;
|
|
|
|
|
|
2010-04-07 00:30:05 +00:00
|
|
|
goto dropdst;
|
2010-07-12 21:29:42 +00:00
|
|
|
} else if (xdst == NULL) {
|
|
|
|
|
num_xfrms = 0;
|
|
|
|
|
drop_pols = num_pols;
|
|
|
|
|
goto no_transform;
|
2010-04-07 00:30:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
route = xdst->route;
|
2007-12-21 04:43:36 +00:00
|
|
|
}
|
2006-10-05 20:42:35 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-04-07 00:30:05 +00:00
|
|
|
if (xdst == NULL) {
|
2014-09-16 08:08:49 +00:00
|
|
|
struct xfrm_flo xflo;
|
|
|
|
|
|
|
|
|
|
xflo.dst_orig = dst_orig;
|
|
|
|
|
xflo.flags = flags;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* To accelerate a bit... */
|
2020-12-23 15:00:46 +00:00
|
|
|
if (!if_id && ((dst_orig->flags & DST_NOXFRM) ||
|
|
|
|
|
!net->xfrm.policy_count[XFRM_POLICY_OUT]))
|
2007-12-12 18:44:43 +00:00
|
|
|
goto nopol;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2018-07-19 17:50:44 +00:00
|
|
|
xdst = xfrm_bundle_lookup(net, fl, family, dir, &xflo, if_id);
|
2017-07-17 11:57:25 +00:00
|
|
|
if (xdst == NULL)
|
2010-04-07 00:30:05 +00:00
|
|
|
goto nopol;
|
2017-07-17 11:57:25 +00:00
|
|
|
if (IS_ERR(xdst)) {
|
|
|
|
|
err = PTR_ERR(xdst);
|
2007-12-11 12:38:08 +00:00
|
|
|
goto dropdst;
|
2008-01-08 05:46:15 +00:00
|
|
|
}
|
2010-04-07 00:30:05 +00:00
|
|
|
|
|
|
|
|
num_pols = xdst->num_pols;
|
|
|
|
|
num_xfrms = xdst->num_xfrms;
|
2013-12-24 01:43:47 +00:00
|
|
|
memcpy(pols, xdst->pols, sizeof(struct xfrm_policy *) * num_pols);
|
2010-04-07 00:30:05 +00:00
|
|
|
route = xdst->route;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dst = &xdst->u.dst;
|
|
|
|
|
if (route == NULL && num_xfrms > 0) {
|
|
|
|
|
/* The only case when xfrm_bundle_lookup() returns a
|
|
|
|
|
* bundle with null route, is when the template could
|
|
|
|
|
* not be resolved. It means policies are there, but
|
|
|
|
|
* bundle could not be created, since we don't yet
|
|
|
|
|
* have the xfrm_state's. We need to wait for KM to
|
|
|
|
|
* negotiate new SA's or bail out with error.*/
|
|
|
|
|
if (net->xfrm.sysctl_larval_drop) {
|
|
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
|
2015-02-11 17:10:36 +00:00
|
|
|
err = -EREMOTE;
|
|
|
|
|
goto error;
|
2010-04-07 00:30:05 +00:00
|
|
|
}
|
|
|
|
|
|
2013-08-27 11:43:30 +00:00
|
|
|
err = -EAGAIN;
|
2010-04-07 00:30:05 +00:00
|
|
|
|
|
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
|
|
|
|
|
goto error;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2010-04-07 00:30:05 +00:00
|
|
|
no_transform:
|
|
|
|
|
if (num_pols == 0)
|
2007-12-12 18:44:43 +00:00
|
|
|
goto nopol;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-04-07 00:30:05 +00:00
|
|
|
if ((flags & XFRM_LOOKUP_ICMP) &&
|
|
|
|
|
!(pols[0]->flags & XFRM_POLICY_ICMP)) {
|
|
|
|
|
err = -ENOENT;
|
2007-12-12 18:44:43 +00:00
|
|
|
goto error;
|
2010-04-07 00:30:05 +00:00
|
|
|
}
|
2007-12-12 18:44:43 +00:00
|
|
|
|
2010-04-07 00:30:05 +00:00
|
|
|
for (i = 0; i < num_pols; i++)
|
2023-10-11 10:24:29 +00:00
|
|
|
WRITE_ONCE(pols[i]->curlft.use_time, ktime_get_real_seconds());
|
2007-12-12 18:44:43 +00:00
|
|
|
|
2010-04-07 00:30:05 +00:00
|
|
|
if (num_xfrms < 0) {
|
2005-04-16 22:20:36 +00:00
|
|
|
/* Prohibit the flow */
|
2008-11-26 01:59:52 +00:00
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLBLOCK);
|
2005-09-08 22:11:55 +00:00
|
|
|
err = -EPERM;
|
|
|
|
|
goto error;
|
2010-04-07 00:30:05 +00:00
|
|
|
} else if (num_xfrms > 0) {
|
|
|
|
|
/* Flow transformed */
|
|
|
|
|
dst_release(dst_orig);
|
|
|
|
|
} else {
|
|
|
|
|
/* Flow passes untransformed */
|
|
|
|
|
dst_release(dst);
|
2011-03-02 21:27:41 +00:00
|
|
|
dst = dst_orig;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2010-04-07 00:30:05 +00:00
|
|
|
ok:
|
|
|
|
|
xfrm_pols_put(pols, drop_pols);
|
2012-05-26 01:30:53 +00:00
|
|
|
if (dst && dst->xfrm &&
|
|
|
|
|
dst->xfrm->props.mode == XFRM_MODE_TUNNEL)
|
|
|
|
|
dst->flags |= DST_XFRM_TUNNEL;
|
2011-03-02 21:27:41 +00:00
|
|
|
return dst;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-04-07 00:30:05 +00:00
|
|
|
nopol:
|
2022-08-16 15:30:50 +00:00
|
|
|
if ((!dst_orig->dev || !(dst_orig->dev->flags & IFF_LOOPBACK)) &&
|
2022-03-14 10:38:22 +00:00
|
|
|
net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) {
|
2021-07-18 07:11:06 +00:00
|
|
|
err = -EPERM;
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
2011-03-02 21:27:41 +00:00
|
|
|
if (!(flags & XFRM_LOOKUP_ICMP)) {
|
|
|
|
|
dst = dst_orig;
|
2010-04-07 00:30:05 +00:00
|
|
|
goto ok;
|
2011-03-02 21:27:41 +00:00
|
|
|
}
|
2010-04-07 00:30:05 +00:00
|
|
|
err = -ENOENT;
|
2005-04-16 22:20:36 +00:00
|
|
|
error:
|
2010-04-07 00:30:05 +00:00
|
|
|
dst_release(dst);
|
2007-12-11 12:38:08 +00:00
|
|
|
dropdst:
|
2015-02-11 17:10:36 +00:00
|
|
|
if (!(flags & XFRM_LOOKUP_KEEP_DST_REF))
|
|
|
|
|
dst_release(dst_orig);
|
2010-04-07 00:30:05 +00:00
|
|
|
xfrm_pols_put(pols, drop_pols);
|
2011-03-02 21:27:41 +00:00
|
|
|
return ERR_PTR(err);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2018-07-19 17:50:44 +00:00
|
|
|
EXPORT_SYMBOL(xfrm_lookup_with_ifid);
|
|
|
|
|
|
|
|
|
|
/* Main function: finds/creates a bundle for given flow.
|
|
|
|
|
*
|
|
|
|
|
* At the moment we eat a raw IP route. Mostly to speed up lookups
|
|
|
|
|
* on interfaces with disabled IPsec.
|
|
|
|
|
*/
|
|
|
|
|
struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
|
|
|
|
|
const struct flowi *fl, const struct sock *sk,
|
|
|
|
|
int flags)
|
|
|
|
|
{
|
|
|
|
|
return xfrm_lookup_with_ifid(net, dst_orig, fl, sk, flags, 0);
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
EXPORT_SYMBOL(xfrm_lookup);
|
|
|
|
|
|
2014-09-16 08:08:40 +00:00
|
|
|
/* Callers of xfrm_lookup_route() must ensure a call to dst_output().
|
|
|
|
|
* Otherwise we may send out blackholed packets.
|
|
|
|
|
*/
|
|
|
|
|
struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig,
|
|
|
|
|
const struct flowi *fl,
|
2015-09-25 14:39:10 +00:00
|
|
|
const struct sock *sk, int flags)
|
2014-09-16 08:08:40 +00:00
|
|
|
{
|
2014-09-16 08:08:49 +00:00
|
|
|
struct dst_entry *dst = xfrm_lookup(net, dst_orig, fl, sk,
|
2015-02-11 17:10:36 +00:00
|
|
|
flags | XFRM_LOOKUP_QUEUE |
|
|
|
|
|
XFRM_LOOKUP_KEEP_DST_REF);
|
2014-09-16 08:08:40 +00:00
|
|
|
|
2020-02-04 01:37:45 +00:00
|
|
|
if (PTR_ERR(dst) == -EREMOTE)
|
2014-09-16 08:08:40 +00:00
|
|
|
return make_blackhole(net, dst_orig->ops->family, dst_orig);
|
|
|
|
|
|
2018-06-21 06:30:47 +00:00
|
|
|
if (IS_ERR(dst))
|
|
|
|
|
dst_release(dst_orig);
|
|
|
|
|
|
2014-09-16 08:08:40 +00:00
|
|
|
return dst;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_lookup_route);
|
|
|
|
|
|
2006-08-24 03:41:00 +00:00
|
|
|
static inline int
|
2011-02-23 01:59:59 +00:00
|
|
|
xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
|
2006-08-24 03:41:00 +00:00
|
|
|
{
|
2018-12-18 16:15:20 +00:00
|
|
|
struct sec_path *sp = skb_sec_path(skb);
|
2006-08-24 03:41:00 +00:00
|
|
|
struct xfrm_state *x;
|
|
|
|
|
|
2018-12-18 16:15:20 +00:00
|
|
|
if (!sp || idx < 0 || idx >= sp->len)
|
2006-08-24 03:41:00 +00:00
|
|
|
return 0;
|
2018-12-18 16:15:20 +00:00
|
|
|
x = sp->xvec[idx];
|
2006-08-24 03:41:00 +00:00
|
|
|
if (!x->type->reject)
|
|
|
|
|
return 0;
|
2007-10-09 20:24:07 +00:00
|
|
|
return x->type->reject(x, skb, fl);
|
2006-08-24 03:41:00 +00:00
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* When skb is transformed back to its "native" form, we have to
|
|
|
|
|
* check policy restrictions. At the moment we make this in maximally
|
|
|
|
|
* stupid way. Shame on me. :-) Of course, connected sockets must
|
|
|
|
|
* have policy cached at them.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static inline int
|
2011-02-24 06:43:01 +00:00
|
|
|
xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
|
2023-05-10 01:14:14 +00:00
|
|
|
unsigned short family, u32 if_id)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
if (xfrm_state_kern(x))
|
2007-02-13 20:57:16 +00:00
|
|
|
return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family);
|
2005-04-16 22:20:36 +00:00
|
|
|
return x->id.proto == tmpl->id.proto &&
|
|
|
|
|
(x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
|
|
|
|
|
(x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
|
|
|
|
|
x->props.mode == tmpl->mode &&
|
2008-04-22 07:46:42 +00:00
|
|
|
(tmpl->allalgs || (tmpl->aalgos & (1<<x->props.aalgo)) ||
|
2006-08-24 01:00:48 +00:00
|
|
|
!(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
|
2006-09-22 22:05:15 +00:00
|
|
|
!(x->props.mode != XFRM_MODE_TRANSPORT &&
|
2023-05-10 01:14:14 +00:00
|
|
|
xfrm_state_addr_cmp(tmpl, x, family)) &&
|
|
|
|
|
(if_id == 0 || if_id == x->if_id);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2006-08-24 03:41:00 +00:00
|
|
|
/*
|
|
|
|
|
* 0 or more than 0 is returned when validation is succeeded (either bypass
|
2021-06-09 02:27:46 +00:00
|
|
|
* because of optional transport mode, or next index of the matched secpath
|
2006-08-24 03:41:00 +00:00
|
|
|
* state with the template.
|
|
|
|
|
* -1 is returned when no matching template is found.
|
|
|
|
|
* Otherwise "-2 - errored_index" is returned.
|
|
|
|
|
*/
|
2005-04-16 22:20:36 +00:00
|
|
|
static inline int
|
2011-02-24 06:43:33 +00:00
|
|
|
xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start,
|
2023-05-10 01:14:14 +00:00
|
|
|
unsigned short family, u32 if_id)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
int idx = start;
|
|
|
|
|
|
|
|
|
|
if (tmpl->optional) {
|
2006-09-22 22:05:15 +00:00
|
|
|
if (tmpl->mode == XFRM_MODE_TRANSPORT)
|
2005-04-16 22:20:36 +00:00
|
|
|
return start;
|
|
|
|
|
} else
|
|
|
|
|
start = -1;
|
|
|
|
|
for (; idx < sp->len; idx++) {
|
2023-05-10 01:14:14 +00:00
|
|
|
if (xfrm_state_ok(tmpl, sp->xvec[idx], family, if_id))
|
2005-04-16 22:20:36 +00:00
|
|
|
return ++idx;
|
2006-08-24 03:41:00 +00:00
|
|
|
if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
|
2023-05-10 01:30:21 +00:00
|
|
|
if (idx < sp->verified_cnt) {
|
|
|
|
|
/* Secpath entry previously verified, consider optional and
|
|
|
|
|
* continue searching
|
|
|
|
|
*/
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2006-08-24 03:41:00 +00:00
|
|
|
if (start == -1)
|
|
|
|
|
start = -2-idx;
|
2005-04-16 22:20:36 +00:00
|
|
|
break;
|
2006-08-24 03:41:00 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
return start;
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-16 14:44:39 +00:00
|
|
|
static void
|
2023-10-04 16:09:53 +00:00
|
|
|
decode_session4(const struct xfrm_flow_keys *flkeys, struct flowi *fl, bool reverse)
|
2019-04-16 14:44:39 +00:00
|
|
|
{
|
|
|
|
|
struct flowi4 *fl4 = &fl->u.ip4;
|
|
|
|
|
|
|
|
|
|
memset(fl4, 0, sizeof(struct flowi4));
|
|
|
|
|
|
2023-10-04 16:09:53 +00:00
|
|
|
if (reverse) {
|
|
|
|
|
fl4->saddr = flkeys->addrs.ipv4.dst;
|
|
|
|
|
fl4->daddr = flkeys->addrs.ipv4.src;
|
|
|
|
|
fl4->fl4_sport = flkeys->ports.dst;
|
|
|
|
|
fl4->fl4_dport = flkeys->ports.src;
|
|
|
|
|
} else {
|
|
|
|
|
fl4->saddr = flkeys->addrs.ipv4.src;
|
|
|
|
|
fl4->daddr = flkeys->addrs.ipv4.dst;
|
|
|
|
|
fl4->fl4_sport = flkeys->ports.src;
|
|
|
|
|
fl4->fl4_dport = flkeys->ports.dst;
|
2019-04-16 14:44:39 +00:00
|
|
|
}
|
|
|
|
|
|
2023-10-26 14:45:42 +00:00
|
|
|
switch (flkeys->basic.ip_proto) {
|
|
|
|
|
case IPPROTO_GRE:
|
|
|
|
|
fl4->fl4_gre_key = flkeys->gre.keyid;
|
|
|
|
|
break;
|
|
|
|
|
case IPPROTO_ICMP:
|
|
|
|
|
fl4->fl4_icmp_type = flkeys->icmp.type;
|
|
|
|
|
fl4->fl4_icmp_code = flkeys->icmp.code;
|
|
|
|
|
break;
|
2019-04-16 14:44:39 +00:00
|
|
|
}
|
2023-10-26 14:45:42 +00:00
|
|
|
|
2023-10-04 16:09:53 +00:00
|
|
|
fl4->flowi4_proto = flkeys->basic.ip_proto;
|
2024-01-03 15:06:32 +00:00
|
|
|
fl4->flowi4_tos = flkeys->ip.tos & ~INET_ECN_MASK;
|
2019-04-16 14:44:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
|
static void
|
2023-10-04 16:09:53 +00:00
|
|
|
decode_session6(const struct xfrm_flow_keys *flkeys, struct flowi *fl, bool reverse)
|
2019-04-16 14:44:39 +00:00
|
|
|
{
|
|
|
|
|
struct flowi6 *fl6 = &fl->u.ip6;
|
|
|
|
|
|
|
|
|
|
memset(fl6, 0, sizeof(struct flowi6));
|
2021-11-19 17:20:16 +00:00
|
|
|
|
2023-10-04 16:09:53 +00:00
|
|
|
if (reverse) {
|
|
|
|
|
fl6->saddr = flkeys->addrs.ipv6.dst;
|
|
|
|
|
fl6->daddr = flkeys->addrs.ipv6.src;
|
|
|
|
|
fl6->fl6_sport = flkeys->ports.dst;
|
|
|
|
|
fl6->fl6_dport = flkeys->ports.src;
|
|
|
|
|
} else {
|
|
|
|
|
fl6->saddr = flkeys->addrs.ipv6.src;
|
|
|
|
|
fl6->daddr = flkeys->addrs.ipv6.dst;
|
|
|
|
|
fl6->fl6_sport = flkeys->ports.src;
|
|
|
|
|
fl6->fl6_dport = flkeys->ports.dst;
|
2019-04-16 14:44:39 +00:00
|
|
|
}
|
2023-10-04 16:09:53 +00:00
|
|
|
|
2023-10-26 14:45:42 +00:00
|
|
|
switch (flkeys->basic.ip_proto) {
|
|
|
|
|
case IPPROTO_GRE:
|
|
|
|
|
fl6->fl6_gre_key = flkeys->gre.keyid;
|
|
|
|
|
break;
|
|
|
|
|
case IPPROTO_ICMPV6:
|
|
|
|
|
fl6->fl6_icmp_type = flkeys->icmp.type;
|
|
|
|
|
fl6->fl6_icmp_code = flkeys->icmp.code;
|
|
|
|
|
break;
|
2019-04-16 14:44:39 +00:00
|
|
|
}
|
2023-10-26 14:45:42 +00:00
|
|
|
|
2023-10-04 16:09:53 +00:00
|
|
|
fl6->flowi6_proto = flkeys->basic.ip_proto;
|
2019-04-16 14:44:39 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2023-10-04 16:09:51 +00:00
|
|
|
int __xfrm_decode_session(struct net *net, struct sk_buff *skb, struct flowi *fl,
|
2007-12-12 18:44:16 +00:00
|
|
|
unsigned int family, int reverse)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2023-10-04 16:09:53 +00:00
|
|
|
struct xfrm_flow_keys flkeys;
|
|
|
|
|
|
|
|
|
|
memset(&flkeys, 0, sizeof(flkeys));
|
|
|
|
|
__skb_flow_dissect(net, skb, &xfrm_session_dissector, &flkeys,
|
|
|
|
|
NULL, 0, 0, 0, FLOW_DISSECTOR_F_STOP_AT_ENCAP);
|
|
|
|
|
|
2019-04-16 14:44:39 +00:00
|
|
|
switch (family) {
|
|
|
|
|
case AF_INET:
|
2023-10-04 16:09:53 +00:00
|
|
|
decode_session4(&flkeys, fl, reverse);
|
2019-04-16 14:44:39 +00:00
|
|
|
break;
|
|
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
|
case AF_INET6:
|
2023-10-04 16:09:53 +00:00
|
|
|
decode_session6(&flkeys, fl, reverse);
|
2019-04-16 14:44:39 +00:00
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
default:
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EAFNOSUPPORT;
|
2019-04-16 14:44:39 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2023-10-04 16:09:52 +00:00
|
|
|
fl->flowi_mark = skb->mark;
|
|
|
|
|
if (reverse) {
|
|
|
|
|
fl->flowi_oif = skb->skb_iif;
|
|
|
|
|
} else {
|
|
|
|
|
int oif = 0;
|
|
|
|
|
|
|
|
|
|
if (skb_dst(skb) && skb_dst(skb)->dev)
|
|
|
|
|
oif = skb_dst(skb)->dev->ifindex;
|
|
|
|
|
|
|
|
|
|
fl->flowi_oif = oif;
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-16 14:44:39 +00:00
|
|
|
return security_xfrm_decode_session(skb, &fl->flowi_secid);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2007-12-12 18:44:16 +00:00
|
|
|
EXPORT_SYMBOL(__xfrm_decode_session);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2011-02-24 06:44:12 +00:00
|
|
|
static inline int secpath_has_nontransport(const struct sec_path *sp, int k, int *idxp)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
for (; k < sp->len; k++) {
|
2006-08-24 03:41:00 +00:00
|
|
|
if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
|
2006-09-01 07:32:12 +00:00
|
|
|
*idxp = k;
|
2005-04-16 22:20:36 +00:00
|
|
|
return 1;
|
2006-08-24 03:41:00 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
xfrm: introduce forwarding of ICMP Error messages
This commit aligns with RFC 4301, Section 6, and addresses the
requirement to forward unauthenticated ICMP error messages that do not
match any xfrm policies. It utilizes the ICMP payload as an skb and
performs a reverse lookup. If a policy match is found, forward
the packet.
The ICMP payload typically contains a partial IP packet that is likely
responsible for the error message.
The following error types will be forwarded:
- IPv4 ICMP error types: ICMP_DEST_UNREACH & ICMP_TIME_EXCEEDED
- IPv6 ICMPv6 error types: ICMPV6_DEST_UNREACH, ICMPV6_PKT_TOOBIG,
ICMPV6_TIME_EXCEED
To implement this feature, a reverse lookup has been added to the xfrm
forward path, making use of the ICMP payload as the skb.
To enable this functionality from user space, the XFRM_POLICY_ICMP flag
should be added to the outgoing and forward policies, and the
XFRM_STATE_ICMP flag should be set on incoming states.
e.g.
ip xfrm policy add flag icmp tmpl
ip xfrm policy
src 192.0.2.0/24 dst 192.0.1.0/25
dir out priority 2084302 ptype main flag icmp
ip xfrm state add ...flag icmp
ip xfrm state
root@west:~#ip x s
src 192.1.2.23 dst 192.1.2.45
proto esp spi 0xa7b76872 reqid 16389 mode tunnel
replay-window 32 flag icmp af-unspec
Changes since v5:
- fix return values bool->int, feedback from Steffen
Changes since v4:
- split the series to only ICMP erorr forwarding
Changes since v3: no code chage
- add missing white spaces detected by checkpatch.pl
Changes since v2: reviewed by Steffen Klassert
- user consume_skb instead of kfree_skb for the inner skb
- fixed newskb leaks in error paths
- free the newskb once inner flow is decoded with change due to
commit 7a0207094f1b ("xfrm: policy: replace session decode with flow dissector")
- if xfrm_decode_session_reverse() on inner payload fails ignore.
do not increment error counter
Changes since v1:
- Move IPv6 variable declaration inside IS_ENABLED(CONFIG_IPV6)
Changes since RFC:
- Fix calculation of ICMPv6 header length
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2024-01-19 11:27:42 +00:00
|
|
|
static bool icmp_err_packet(const struct flowi *fl, unsigned short family)
|
|
|
|
|
{
|
|
|
|
|
const struct flowi4 *fl4 = &fl->u.ip4;
|
|
|
|
|
|
|
|
|
|
if (family == AF_INET &&
|
|
|
|
|
fl4->flowi4_proto == IPPROTO_ICMP &&
|
|
|
|
|
(fl4->fl4_icmp_type == ICMP_DEST_UNREACH ||
|
|
|
|
|
fl4->fl4_icmp_type == ICMP_TIME_EXCEEDED))
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
|
if (family == AF_INET6) {
|
|
|
|
|
const struct flowi6 *fl6 = &fl->u.ip6;
|
|
|
|
|
|
|
|
|
|
if (fl6->flowi6_proto == IPPROTO_ICMPV6 &&
|
|
|
|
|
(fl6->fl6_icmp_type == ICMPV6_DEST_UNREACH ||
|
|
|
|
|
fl6->fl6_icmp_type == ICMPV6_PKT_TOOBIG ||
|
|
|
|
|
fl6->fl6_icmp_type == ICMPV6_TIME_EXCEED))
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool xfrm_icmp_flow_decode(struct sk_buff *skb, unsigned short family,
|
|
|
|
|
const struct flowi *fl, struct flowi *fl1)
|
|
|
|
|
{
|
|
|
|
|
bool ret = true;
|
|
|
|
|
struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
|
|
|
|
|
int hl = family == AF_INET ? (sizeof(struct iphdr) + sizeof(struct icmphdr)) :
|
|
|
|
|
(sizeof(struct ipv6hdr) + sizeof(struct icmp6hdr));
|
|
|
|
|
|
|
|
|
|
if (!newskb)
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
if (!pskb_pull(newskb, hl))
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
skb_reset_network_header(newskb);
|
|
|
|
|
|
|
|
|
|
if (xfrm_decode_session_reverse(dev_net(skb->dev), newskb, fl1, family) < 0)
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
fl1->flowi_oif = fl->flowi_oif;
|
|
|
|
|
fl1->flowi_mark = fl->flowi_mark;
|
|
|
|
|
fl1->flowi_tos = fl->flowi_tos;
|
|
|
|
|
nf_nat_decode_session(newskb, fl1, family);
|
|
|
|
|
ret = false;
|
|
|
|
|
|
|
|
|
|
out:
|
|
|
|
|
consume_skb(newskb);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool xfrm_selector_inner_icmp_match(struct sk_buff *skb, unsigned short family,
|
|
|
|
|
const struct xfrm_selector *sel,
|
|
|
|
|
const struct flowi *fl)
|
|
|
|
|
{
|
|
|
|
|
bool ret = false;
|
|
|
|
|
|
|
|
|
|
if (icmp_err_packet(fl, family)) {
|
|
|
|
|
struct flowi fl1;
|
|
|
|
|
|
|
|
|
|
if (xfrm_icmp_flow_decode(skb, family, fl, &fl1))
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
ret = xfrm_selector_match(sel, &fl1, family);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline struct
|
|
|
|
|
xfrm_policy *xfrm_in_fwd_icmp(struct sk_buff *skb,
|
|
|
|
|
const struct flowi *fl, unsigned short family,
|
|
|
|
|
u32 if_id)
|
|
|
|
|
{
|
|
|
|
|
struct xfrm_policy *pol = NULL;
|
|
|
|
|
|
|
|
|
|
if (icmp_err_packet(fl, family)) {
|
|
|
|
|
struct flowi fl1;
|
|
|
|
|
struct net *net = dev_net(skb->dev);
|
|
|
|
|
|
|
|
|
|
if (xfrm_icmp_flow_decode(skb, family, fl, &fl1))
|
|
|
|
|
return pol;
|
|
|
|
|
|
|
|
|
|
pol = xfrm_policy_lookup(net, &fl1, family, XFRM_POLICY_FWD, if_id);
|
2024-04-10 17:27:12 +00:00
|
|
|
if (IS_ERR(pol))
|
|
|
|
|
pol = NULL;
|
xfrm: introduce forwarding of ICMP Error messages
This commit aligns with RFC 4301, Section 6, and addresses the
requirement to forward unauthenticated ICMP error messages that do not
match any xfrm policies. It utilizes the ICMP payload as an skb and
performs a reverse lookup. If a policy match is found, forward
the packet.
The ICMP payload typically contains a partial IP packet that is likely
responsible for the error message.
The following error types will be forwarded:
- IPv4 ICMP error types: ICMP_DEST_UNREACH & ICMP_TIME_EXCEEDED
- IPv6 ICMPv6 error types: ICMPV6_DEST_UNREACH, ICMPV6_PKT_TOOBIG,
ICMPV6_TIME_EXCEED
To implement this feature, a reverse lookup has been added to the xfrm
forward path, making use of the ICMP payload as the skb.
To enable this functionality from user space, the XFRM_POLICY_ICMP flag
should be added to the outgoing and forward policies, and the
XFRM_STATE_ICMP flag should be set on incoming states.
e.g.
ip xfrm policy add flag icmp tmpl
ip xfrm policy
src 192.0.2.0/24 dst 192.0.1.0/25
dir out priority 2084302 ptype main flag icmp
ip xfrm state add ...flag icmp
ip xfrm state
root@west:~#ip x s
src 192.1.2.23 dst 192.1.2.45
proto esp spi 0xa7b76872 reqid 16389 mode tunnel
replay-window 32 flag icmp af-unspec
Changes since v5:
- fix return values bool->int, feedback from Steffen
Changes since v4:
- split the series to only ICMP erorr forwarding
Changes since v3: no code chage
- add missing white spaces detected by checkpatch.pl
Changes since v2: reviewed by Steffen Klassert
- user consume_skb instead of kfree_skb for the inner skb
- fixed newskb leaks in error paths
- free the newskb once inner flow is decoded with change due to
commit 7a0207094f1b ("xfrm: policy: replace session decode with flow dissector")
- if xfrm_decode_session_reverse() on inner payload fails ignore.
do not increment error counter
Changes since v1:
- Move IPv6 variable declaration inside IS_ENABLED(CONFIG_IPV6)
Changes since RFC:
- Fix calculation of ICMPv6 header length
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2024-01-19 11:27:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return pol;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline struct
|
|
|
|
|
dst_entry *xfrm_out_fwd_icmp(struct sk_buff *skb, struct flowi *fl,
|
|
|
|
|
unsigned short family, struct dst_entry *dst)
|
|
|
|
|
{
|
|
|
|
|
if (icmp_err_packet(fl, family)) {
|
|
|
|
|
struct net *net = dev_net(skb->dev);
|
|
|
|
|
struct dst_entry *dst2;
|
|
|
|
|
struct flowi fl1;
|
|
|
|
|
|
|
|
|
|
if (xfrm_icmp_flow_decode(skb, family, fl, &fl1))
|
|
|
|
|
return dst;
|
|
|
|
|
|
|
|
|
|
dst_hold(dst);
|
|
|
|
|
|
|
|
|
|
dst2 = xfrm_lookup(net, dst, &fl1, NULL, (XFRM_LOOKUP_QUEUE | XFRM_LOOKUP_ICMP));
|
|
|
|
|
|
|
|
|
|
if (IS_ERR(dst2))
|
|
|
|
|
return dst;
|
|
|
|
|
|
|
|
|
|
if (dst2->xfrm) {
|
|
|
|
|
dst_release(dst);
|
|
|
|
|
dst = dst2;
|
|
|
|
|
} else {
|
|
|
|
|
dst_release(dst2);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return dst;
|
|
|
|
|
}
|
|
|
|
|
|
2007-02-09 14:25:29 +00:00
|
|
|
int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
|
2005-04-16 22:20:36 +00:00
|
|
|
unsigned short family)
|
|
|
|
|
{
|
2008-11-26 01:35:44 +00:00
|
|
|
struct net *net = dev_net(skb->dev);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct xfrm_policy *pol;
|
2006-08-24 05:43:30 +00:00
|
|
|
struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
|
|
|
|
|
int npols = 0;
|
|
|
|
|
int xfrm_nr;
|
|
|
|
|
int pi;
|
2007-12-12 18:44:16 +00:00
|
|
|
int reverse;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct flowi fl;
|
2006-08-24 03:41:00 +00:00
|
|
|
int xerr_idx = -1;
|
2018-07-19 17:50:44 +00:00
|
|
|
const struct xfrm_if_cb *ifcb;
|
2018-12-18 16:15:20 +00:00
|
|
|
struct sec_path *sp;
|
2018-07-19 17:50:44 +00:00
|
|
|
u32 if_id = 0;
|
|
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
ifcb = xfrm_if_get_cb();
|
|
|
|
|
|
|
|
|
|
if (ifcb) {
|
2022-08-26 11:46:59 +00:00
|
|
|
struct xfrm_if_decode_session_result r;
|
|
|
|
|
|
|
|
|
|
if (ifcb->decode_session(skb, family, &r)) {
|
|
|
|
|
if_id = r.if_id;
|
|
|
|
|
net = r.net;
|
2019-02-18 09:49:39 +00:00
|
|
|
}
|
2018-07-19 17:50:44 +00:00
|
|
|
}
|
|
|
|
|
rcu_read_unlock();
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-12-12 18:44:16 +00:00
|
|
|
reverse = dir & ~XFRM_POLICY_MASK;
|
|
|
|
|
dir &= XFRM_POLICY_MASK;
|
|
|
|
|
|
2023-10-04 16:09:51 +00:00
|
|
|
if (__xfrm_decode_session(net, skb, &fl, family, reverse) < 0) {
|
2008-11-26 01:59:52 +00:00
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
2007-12-21 04:43:36 +00:00
|
|
|
}
|
|
|
|
|
|
2006-01-07 07:06:30 +00:00
|
|
|
nf_nat_decode_session(skb, &fl, family);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
/* First, check used SA against their selectors. */
|
2018-12-18 16:15:20 +00:00
|
|
|
sp = skb_sec_path(skb);
|
|
|
|
|
if (sp) {
|
2005-04-16 22:20:36 +00:00
|
|
|
int i;
|
|
|
|
|
|
2018-12-18 16:15:20 +00:00
|
|
|
for (i = sp->len - 1; i >= 0; i--) {
|
|
|
|
|
struct xfrm_state *x = sp->xvec[i];
|
xfrm: introduce forwarding of ICMP Error messages
This commit aligns with RFC 4301, Section 6, and addresses the
requirement to forward unauthenticated ICMP error messages that do not
match any xfrm policies. It utilizes the ICMP payload as an skb and
performs a reverse lookup. If a policy match is found, forward
the packet.
The ICMP payload typically contains a partial IP packet that is likely
responsible for the error message.
The following error types will be forwarded:
- IPv4 ICMP error types: ICMP_DEST_UNREACH & ICMP_TIME_EXCEEDED
- IPv6 ICMPv6 error types: ICMPV6_DEST_UNREACH, ICMPV6_PKT_TOOBIG,
ICMPV6_TIME_EXCEED
To implement this feature, a reverse lookup has been added to the xfrm
forward path, making use of the ICMP payload as the skb.
To enable this functionality from user space, the XFRM_POLICY_ICMP flag
should be added to the outgoing and forward policies, and the
XFRM_STATE_ICMP flag should be set on incoming states.
e.g.
ip xfrm policy add flag icmp tmpl
ip xfrm policy
src 192.0.2.0/24 dst 192.0.1.0/25
dir out priority 2084302 ptype main flag icmp
ip xfrm state add ...flag icmp
ip xfrm state
root@west:~#ip x s
src 192.1.2.23 dst 192.1.2.45
proto esp spi 0xa7b76872 reqid 16389 mode tunnel
replay-window 32 flag icmp af-unspec
Changes since v5:
- fix return values bool->int, feedback from Steffen
Changes since v4:
- split the series to only ICMP erorr forwarding
Changes since v3: no code chage
- add missing white spaces detected by checkpatch.pl
Changes since v2: reviewed by Steffen Klassert
- user consume_skb instead of kfree_skb for the inner skb
- fixed newskb leaks in error paths
- free the newskb once inner flow is decoded with change due to
commit 7a0207094f1b ("xfrm: policy: replace session decode with flow dissector")
- if xfrm_decode_session_reverse() on inner payload fails ignore.
do not increment error counter
Changes since v1:
- Move IPv6 variable declaration inside IS_ENABLED(CONFIG_IPV6)
Changes since RFC:
- Fix calculation of ICMPv6 header length
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2024-01-19 11:27:42 +00:00
|
|
|
int ret = 0;
|
|
|
|
|
|
2007-12-21 04:43:36 +00:00
|
|
|
if (!xfrm_selector_match(&x->sel, &fl, family)) {
|
xfrm: introduce forwarding of ICMP Error messages
This commit aligns with RFC 4301, Section 6, and addresses the
requirement to forward unauthenticated ICMP error messages that do not
match any xfrm policies. It utilizes the ICMP payload as an skb and
performs a reverse lookup. If a policy match is found, forward
the packet.
The ICMP payload typically contains a partial IP packet that is likely
responsible for the error message.
The following error types will be forwarded:
- IPv4 ICMP error types: ICMP_DEST_UNREACH & ICMP_TIME_EXCEEDED
- IPv6 ICMPv6 error types: ICMPV6_DEST_UNREACH, ICMPV6_PKT_TOOBIG,
ICMPV6_TIME_EXCEED
To implement this feature, a reverse lookup has been added to the xfrm
forward path, making use of the ICMP payload as the skb.
To enable this functionality from user space, the XFRM_POLICY_ICMP flag
should be added to the outgoing and forward policies, and the
XFRM_STATE_ICMP flag should be set on incoming states.
e.g.
ip xfrm policy add flag icmp tmpl
ip xfrm policy
src 192.0.2.0/24 dst 192.0.1.0/25
dir out priority 2084302 ptype main flag icmp
ip xfrm state add ...flag icmp
ip xfrm state
root@west:~#ip x s
src 192.1.2.23 dst 192.1.2.45
proto esp spi 0xa7b76872 reqid 16389 mode tunnel
replay-window 32 flag icmp af-unspec
Changes since v5:
- fix return values bool->int, feedback from Steffen
Changes since v4:
- split the series to only ICMP erorr forwarding
Changes since v3: no code chage
- add missing white spaces detected by checkpatch.pl
Changes since v2: reviewed by Steffen Klassert
- user consume_skb instead of kfree_skb for the inner skb
- fixed newskb leaks in error paths
- free the newskb once inner flow is decoded with change due to
commit 7a0207094f1b ("xfrm: policy: replace session decode with flow dissector")
- if xfrm_decode_session_reverse() on inner payload fails ignore.
do not increment error counter
Changes since v1:
- Move IPv6 variable declaration inside IS_ENABLED(CONFIG_IPV6)
Changes since RFC:
- Fix calculation of ICMPv6 header length
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2024-01-19 11:27:42 +00:00
|
|
|
ret = 1;
|
|
|
|
|
if (x->props.flags & XFRM_STATE_ICMP &&
|
|
|
|
|
xfrm_selector_inner_icmp_match(skb, family, &x->sel, &fl))
|
|
|
|
|
ret = 0;
|
|
|
|
|
if (ret) {
|
|
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2007-12-21 04:43:36 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pol = NULL;
|
2015-12-07 16:53:17 +00:00
|
|
|
sk = sk_to_full_sk(sk);
|
2006-10-05 20:42:35 +00:00
|
|
|
if (sk && sk->sk_policy[dir]) {
|
2018-07-19 17:50:44 +00:00
|
|
|
pol = xfrm_sk_policy_lookup(sk, dir, &fl, family, if_id);
|
2007-12-21 04:43:36 +00:00
|
|
|
if (IS_ERR(pol)) {
|
2008-11-26 01:59:52 +00:00
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
|
2006-10-05 20:42:35 +00:00
|
|
|
return 0;
|
2007-12-21 04:43:36 +00:00
|
|
|
}
|
2006-10-05 20:42:35 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2017-07-17 11:57:24 +00:00
|
|
|
if (!pol)
|
2018-07-19 17:50:44 +00:00
|
|
|
pol = xfrm_policy_lookup(net, &fl, family, dir, if_id);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-12-21 04:43:36 +00:00
|
|
|
if (IS_ERR(pol)) {
|
2008-11-26 01:59:52 +00:00
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 20:42:27 +00:00
|
|
|
return 0;
|
2007-12-21 04:43:36 +00:00
|
|
|
}
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 20:42:27 +00:00
|
|
|
|
xfrm: introduce forwarding of ICMP Error messages
This commit aligns with RFC 4301, Section 6, and addresses the
requirement to forward unauthenticated ICMP error messages that do not
match any xfrm policies. It utilizes the ICMP payload as an skb and
performs a reverse lookup. If a policy match is found, forward
the packet.
The ICMP payload typically contains a partial IP packet that is likely
responsible for the error message.
The following error types will be forwarded:
- IPv4 ICMP error types: ICMP_DEST_UNREACH & ICMP_TIME_EXCEEDED
- IPv6 ICMPv6 error types: ICMPV6_DEST_UNREACH, ICMPV6_PKT_TOOBIG,
ICMPV6_TIME_EXCEED
To implement this feature, a reverse lookup has been added to the xfrm
forward path, making use of the ICMP payload as the skb.
To enable this functionality from user space, the XFRM_POLICY_ICMP flag
should be added to the outgoing and forward policies, and the
XFRM_STATE_ICMP flag should be set on incoming states.
e.g.
ip xfrm policy add flag icmp tmpl
ip xfrm policy
src 192.0.2.0/24 dst 192.0.1.0/25
dir out priority 2084302 ptype main flag icmp
ip xfrm state add ...flag icmp
ip xfrm state
root@west:~#ip x s
src 192.1.2.23 dst 192.1.2.45
proto esp spi 0xa7b76872 reqid 16389 mode tunnel
replay-window 32 flag icmp af-unspec
Changes since v5:
- fix return values bool->int, feedback from Steffen
Changes since v4:
- split the series to only ICMP erorr forwarding
Changes since v3: no code chage
- add missing white spaces detected by checkpatch.pl
Changes since v2: reviewed by Steffen Klassert
- user consume_skb instead of kfree_skb for the inner skb
- fixed newskb leaks in error paths
- free the newskb once inner flow is decoded with change due to
commit 7a0207094f1b ("xfrm: policy: replace session decode with flow dissector")
- if xfrm_decode_session_reverse() on inner payload fails ignore.
do not increment error counter
Changes since v1:
- Move IPv6 variable declaration inside IS_ENABLED(CONFIG_IPV6)
Changes since RFC:
- Fix calculation of ICMPv6 header length
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2024-01-19 11:27:42 +00:00
|
|
|
if (!pol && dir == XFRM_POLICY_FWD)
|
|
|
|
|
pol = xfrm_in_fwd_icmp(skb, &fl, family, if_id);
|
|
|
|
|
|
2006-08-24 03:41:00 +00:00
|
|
|
if (!pol) {
|
2022-03-14 10:38:22 +00:00
|
|
|
if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) {
|
2021-07-18 07:11:06 +00:00
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-18 16:15:20 +00:00
|
|
|
if (sp && secpath_has_nontransport(sp, 0, &xerr_idx)) {
|
2006-08-24 03:41:00 +00:00
|
|
|
xfrm_secpath_reject(xerr_idx, skb, &fl);
|
2008-11-26 01:59:52 +00:00
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
|
2006-08-24 03:41:00 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2023-01-26 11:21:30 +00:00
|
|
|
/* This lockless write can happen from different cpus. */
|
|
|
|
|
WRITE_ONCE(pol->curlft.use_time, ktime_get_real_seconds());
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-08-24 05:43:30 +00:00
|
|
|
pols[0] = pol;
|
2013-12-24 01:43:48 +00:00
|
|
|
npols++;
|
2006-08-24 05:43:30 +00:00
|
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
|
|
|
|
if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
|
2008-11-26 01:35:44 +00:00
|
|
|
pols[1] = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN,
|
2006-08-24 05:43:30 +00:00
|
|
|
&fl, family,
|
2018-07-19 17:50:44 +00:00
|
|
|
XFRM_POLICY_IN, if_id);
|
2006-08-24 05:43:30 +00:00
|
|
|
if (pols[1]) {
|
2007-12-21 04:43:36 +00:00
|
|
|
if (IS_ERR(pols[1])) {
|
2008-11-26 01:59:52 +00:00
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
|
2022-07-24 09:55:58 +00:00
|
|
|
xfrm_pol_put(pols[0]);
|
IPsec: propagate security module errors up from flow_cache_lookup
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The way I was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
The first SYNACK would be blocked, because of an uncached lookup via
flow_cache_lookup(), which would fail to resolve an xfrm policy because
the SELinux policy is checked at that point via the resolver.
However, retransmitted SYNACKs would then find a cached flow entry when
calling into flow_cache_lookup() with a null xfrm policy, which is
interpreted by xfrm_lookup() as the packet not having any associated
policy and similarly to the first case, allowing it to pass without
transformation.
The solution presented here is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-05 20:42:27 +00:00
|
|
|
return 0;
|
2007-12-21 04:43:36 +00:00
|
|
|
}
|
2023-01-26 11:21:30 +00:00
|
|
|
/* This write can happen from different cpus. */
|
|
|
|
|
WRITE_ONCE(pols[1]->curlft.use_time,
|
|
|
|
|
ktime_get_real_seconds());
|
2013-12-24 01:43:48 +00:00
|
|
|
npols++;
|
2006-08-24 05:43:30 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (pol->action == XFRM_POLICY_ALLOW) {
|
|
|
|
|
static struct sec_path dummy;
|
2006-08-24 05:43:30 +00:00
|
|
|
struct xfrm_tmpl *tp[XFRM_MAX_DEPTH];
|
2006-08-24 05:48:31 +00:00
|
|
|
struct xfrm_tmpl *stp[XFRM_MAX_DEPTH];
|
2006-08-24 05:43:30 +00:00
|
|
|
struct xfrm_tmpl **tpp = tp;
|
|
|
|
|
int ti = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
int i, k;
|
|
|
|
|
|
2018-12-18 16:15:20 +00:00
|
|
|
sp = skb_sec_path(skb);
|
|
|
|
|
if (!sp)
|
2005-04-16 22:20:36 +00:00
|
|
|
sp = &dummy;
|
|
|
|
|
|
2006-08-24 05:43:30 +00:00
|
|
|
for (pi = 0; pi < npols; pi++) {
|
|
|
|
|
if (pols[pi] != pol &&
|
2007-12-21 04:43:36 +00:00
|
|
|
pols[pi]->action != XFRM_POLICY_ALLOW) {
|
2008-11-26 01:59:52 +00:00
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
|
2006-08-24 05:43:30 +00:00
|
|
|
goto reject;
|
2007-12-21 04:43:36 +00:00
|
|
|
}
|
|
|
|
|
if (ti + pols[pi]->xfrm_nr >= XFRM_MAX_DEPTH) {
|
2008-11-26 01:59:52 +00:00
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
|
2006-08-24 05:43:30 +00:00
|
|
|
goto reject_error;
|
2007-12-21 04:43:36 +00:00
|
|
|
}
|
2006-08-24 05:43:30 +00:00
|
|
|
for (i = 0; i < pols[pi]->xfrm_nr; i++)
|
|
|
|
|
tpp[ti++] = &pols[pi]->xfrm_vec[i];
|
|
|
|
|
}
|
|
|
|
|
xfrm_nr = ti;
|
2021-07-18 07:11:06 +00:00
|
|
|
|
2006-08-24 05:48:31 +00:00
|
|
|
if (npols > 1) {
|
2019-05-03 15:46:17 +00:00
|
|
|
xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
|
2006-08-24 05:48:31 +00:00
|
|
|
tpp = stp;
|
|
|
|
|
}
|
2006-08-24 05:43:30 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* For each tunnel xfrm, find the first matching tmpl.
|
|
|
|
|
* For each tmpl before that, find corresponding xfrm.
|
|
|
|
|
* Order is _important_. Later we will implement
|
|
|
|
|
* some barriers, but at the moment barriers
|
|
|
|
|
* are implied between each two transformations.
|
2023-05-10 01:30:21 +00:00
|
|
|
* Upon success, marks secpath entries as having been
|
|
|
|
|
* verified to allow them to be skipped in future policy
|
|
|
|
|
* checks (e.g. nested tunnels).
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
2006-08-24 05:43:30 +00:00
|
|
|
for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
|
2023-05-10 01:14:14 +00:00
|
|
|
k = xfrm_policy_ok(tpp[i], sp, k, family, if_id);
|
2006-08-24 03:41:00 +00:00
|
|
|
if (k < 0) {
|
2006-09-01 07:32:12 +00:00
|
|
|
if (k < -1)
|
|
|
|
|
/* "-2 - errored_index" returned */
|
|
|
|
|
xerr_idx = -(2+k);
|
2008-11-26 01:59:52 +00:00
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINTMPLMISMATCH);
|
2005-04-16 22:20:36 +00:00
|
|
|
goto reject;
|
2006-08-24 03:41:00 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2007-12-21 04:43:36 +00:00
|
|
|
if (secpath_has_nontransport(sp, k, &xerr_idx)) {
|
2008-11-26 01:59:52 +00:00
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINTMPLMISMATCH);
|
2005-04-16 22:20:36 +00:00
|
|
|
goto reject;
|
2007-12-21 04:43:36 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-08-24 05:43:30 +00:00
|
|
|
xfrm_pols_put(pols, npols);
|
2023-05-10 01:30:21 +00:00
|
|
|
sp->verified_cnt = k;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
return 1;
|
|
|
|
|
}
|
2008-11-26 01:59:52 +00:00
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
reject:
|
2006-08-24 03:41:00 +00:00
|
|
|
xfrm_secpath_reject(xerr_idx, skb, &fl);
|
2006-08-24 05:43:30 +00:00
|
|
|
reject_error:
|
|
|
|
|
xfrm_pols_put(pols, npols);
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(__xfrm_policy_check);
|
|
|
|
|
|
|
|
|
|
int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
|
|
|
|
|
{
|
2008-11-26 01:36:13 +00:00
|
|
|
struct net *net = dev_net(skb->dev);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct flowi fl;
|
2009-06-02 05:19:30 +00:00
|
|
|
struct dst_entry *dst;
|
2011-03-15 22:26:43 +00:00
|
|
|
int res = 1;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2023-10-04 16:09:51 +00:00
|
|
|
if (xfrm_decode_session(net, skb, &fl, family) < 0) {
|
2010-02-18 03:35:07 +00:00
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
2007-12-21 04:43:36 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-06-01 10:04:49 +00:00
|
|
|
skb_dst_force(skb);
|
2018-09-11 08:31:15 +00:00
|
|
|
if (!skb_dst(skb)) {
|
|
|
|
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2009-06-02 05:19:30 +00:00
|
|
|
|
2014-09-16 08:08:49 +00:00
|
|
|
dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE);
|
2011-03-02 21:27:41 +00:00
|
|
|
if (IS_ERR(dst)) {
|
2011-03-15 22:26:43 +00:00
|
|
|
res = 0;
|
2011-03-02 21:27:41 +00:00
|
|
|
dst = NULL;
|
|
|
|
|
}
|
xfrm: introduce forwarding of ICMP Error messages
This commit aligns with RFC 4301, Section 6, and addresses the
requirement to forward unauthenticated ICMP error messages that do not
match any xfrm policies. It utilizes the ICMP payload as an skb and
performs a reverse lookup. If a policy match is found, forward
the packet.
The ICMP payload typically contains a partial IP packet that is likely
responsible for the error message.
The following error types will be forwarded:
- IPv4 ICMP error types: ICMP_DEST_UNREACH & ICMP_TIME_EXCEEDED
- IPv6 ICMPv6 error types: ICMPV6_DEST_UNREACH, ICMPV6_PKT_TOOBIG,
ICMPV6_TIME_EXCEED
To implement this feature, a reverse lookup has been added to the xfrm
forward path, making use of the ICMP payload as the skb.
To enable this functionality from user space, the XFRM_POLICY_ICMP flag
should be added to the outgoing and forward policies, and the
XFRM_STATE_ICMP flag should be set on incoming states.
e.g.
ip xfrm policy add flag icmp tmpl
ip xfrm policy
src 192.0.2.0/24 dst 192.0.1.0/25
dir out priority 2084302 ptype main flag icmp
ip xfrm state add ...flag icmp
ip xfrm state
root@west:~#ip x s
src 192.1.2.23 dst 192.1.2.45
proto esp spi 0xa7b76872 reqid 16389 mode tunnel
replay-window 32 flag icmp af-unspec
Changes since v5:
- fix return values bool->int, feedback from Steffen
Changes since v4:
- split the series to only ICMP erorr forwarding
Changes since v3: no code chage
- add missing white spaces detected by checkpatch.pl
Changes since v2: reviewed by Steffen Klassert
- user consume_skb instead of kfree_skb for the inner skb
- fixed newskb leaks in error paths
- free the newskb once inner flow is decoded with change due to
commit 7a0207094f1b ("xfrm: policy: replace session decode with flow dissector")
- if xfrm_decode_session_reverse() on inner payload fails ignore.
do not increment error counter
Changes since v1:
- Move IPv6 variable declaration inside IS_ENABLED(CONFIG_IPV6)
Changes since RFC:
- Fix calculation of ICMPv6 header length
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2024-01-19 11:27:42 +00:00
|
|
|
|
|
|
|
|
if (dst && !dst->xfrm)
|
|
|
|
|
dst = xfrm_out_fwd_icmp(skb, &fl, family, dst);
|
|
|
|
|
|
2009-06-02 05:19:30 +00:00
|
|
|
skb_dst_set(skb, dst);
|
|
|
|
|
return res;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(__xfrm_route_forward);
|
|
|
|
|
|
2006-08-14 01:55:53 +00:00
|
|
|
/* Optimize later using cookies and generation ids. */
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
|
|
|
|
|
{
|
2006-08-14 01:55:53 +00:00
|
|
|
/* Code (such as __xfrm4_bundle_create()) sets dst->obsolete
|
2012-07-19 19:31:33 +00:00
|
|
|
* to DST_OBSOLETE_FORCE_CHK to force all XFRM destinations to
|
|
|
|
|
* get validated by dst_ops->check on every use. We do this
|
|
|
|
|
* because when a normal route referenced by an XFRM dst is
|
|
|
|
|
* obsoleted we do not go looking around for all parent
|
|
|
|
|
* referencing XFRM dsts so that we can invalidate them. It
|
|
|
|
|
* is just too much work. Instead we make the checks here on
|
|
|
|
|
* every use. For example:
|
2006-08-14 01:55:53 +00:00
|
|
|
*
|
|
|
|
|
* XFRM dst A --> IPv4 dst X
|
|
|
|
|
*
|
|
|
|
|
* X is the "xdst->route" of A (X is also the "dst->path" of A
|
|
|
|
|
* in this example). If X is marked obsolete, "A" will not
|
|
|
|
|
* notice. That's what we are validating here via the
|
|
|
|
|
* stale_bundle() check.
|
|
|
|
|
*
|
2017-06-17 17:42:38 +00:00
|
|
|
* When a dst is removed from the fib tree, DST_OBSOLETE_DEAD will
|
|
|
|
|
* be marked on it.
|
2017-07-17 11:57:26 +00:00
|
|
|
* This will force stale_bundle() to fail on any xdst bundle with
|
2017-06-17 17:42:38 +00:00
|
|
|
* this dst linked in it.
|
2005-12-19 22:23:23 +00:00
|
|
|
*/
|
2006-08-14 01:55:53 +00:00
|
|
|
if (dst->obsolete < 0 && !stale_bundle(dst))
|
|
|
|
|
return dst;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int stale_bundle(struct dst_entry *dst)
|
|
|
|
|
{
|
2011-06-29 23:18:20 +00:00
|
|
|
return !xfrm_bundle_ok((struct xfrm_dst *)dst);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2005-05-03 23:27:10 +00:00
|
|
|
void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2017-11-28 20:40:22 +00:00
|
|
|
while ((dst = xfrm_dst_child(dst)) && dst->xfrm && dst->dev == dev) {
|
2022-05-16 01:37:27 +00:00
|
|
|
dst->dev = blackhole_netdev;
|
2007-09-26 02:16:28 +00:00
|
|
|
dev_hold(dst->dev);
|
2005-04-16 22:20:36 +00:00
|
|
|
dev_put(dev);
|
|
|
|
|
}
|
|
|
|
|
}
|
2005-05-03 23:27:10 +00:00
|
|
|
EXPORT_SYMBOL(xfrm_dst_ifdown);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
static void xfrm_link_failure(struct sk_buff *skb)
|
|
|
|
|
{
|
|
|
|
|
/* Impossible. Such dst must be popped before reaches point of failure. */
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-28 11:43:53 +00:00
|
|
|
static void xfrm_negative_advice(struct sock *sk, struct dst_entry *dst)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2024-05-28 11:43:53 +00:00
|
|
|
if (dst->obsolete)
|
|
|
|
|
sk_dst_reset(sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2017-11-28 20:41:01 +00:00
|
|
|
static void xfrm_init_pmtu(struct xfrm_dst **bundle, int nr)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2017-11-28 20:41:01 +00:00
|
|
|
while (nr--) {
|
|
|
|
|
struct xfrm_dst *xdst = bundle[nr];
|
2005-04-16 22:20:36 +00:00
|
|
|
u32 pmtu, route_mtu_cached;
|
2017-11-28 20:41:01 +00:00
|
|
|
struct dst_entry *dst;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2017-11-28 20:41:01 +00:00
|
|
|
dst = &xdst->u.dst;
|
2017-11-28 20:40:22 +00:00
|
|
|
pmtu = dst_mtu(xfrm_dst_child(dst));
|
2005-04-16 22:20:36 +00:00
|
|
|
xdst->child_mtu_cached = pmtu;
|
|
|
|
|
|
|
|
|
|
pmtu = xfrm_state_mtu(dst->xfrm, pmtu);
|
|
|
|
|
|
|
|
|
|
route_mtu_cached = dst_mtu(xdst->route);
|
|
|
|
|
xdst->route_mtu_cached = route_mtu_cached;
|
|
|
|
|
|
|
|
|
|
if (pmtu > route_mtu_cached)
|
|
|
|
|
pmtu = route_mtu_cached;
|
|
|
|
|
|
2010-12-09 05:16:57 +00:00
|
|
|
dst_metric_set(dst, RTAX_MTU, pmtu);
|
2017-11-28 20:41:01 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Check that the bundle accepts the flow and its components are
|
|
|
|
|
* still valid.
|
|
|
|
|
*/
|
|
|
|
|
|
2011-06-29 23:18:20 +00:00
|
|
|
static int xfrm_bundle_ok(struct xfrm_dst *first)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2017-11-28 20:41:01 +00:00
|
|
|
struct xfrm_dst *bundle[XFRM_MAX_DEPTH];
|
2005-04-16 22:20:36 +00:00
|
|
|
struct dst_entry *dst = &first->u.dst;
|
2017-11-28 20:41:01 +00:00
|
|
|
struct xfrm_dst *xdst;
|
|
|
|
|
int start_from, nr;
|
2005-04-16 22:20:36 +00:00
|
|
|
u32 mtu;
|
|
|
|
|
|
2017-11-28 20:40:46 +00:00
|
|
|
if (!dst_check(xfrm_dst_path(dst), ((struct xfrm_dst *)dst)->path_cookie) ||
|
2005-04-16 22:20:36 +00:00
|
|
|
(dst->dev && !netif_running(dst->dev)))
|
|
|
|
|
return 0;
|
|
|
|
|
|
2013-02-05 11:52:55 +00:00
|
|
|
if (dst->flags & DST_XFRM_QUEUE)
|
|
|
|
|
return 1;
|
|
|
|
|
|
2017-11-28 20:41:01 +00:00
|
|
|
start_from = nr = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
do {
|
|
|
|
|
struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
|
|
|
|
|
|
|
|
|
|
if (dst->xfrm->km.state != XFRM_STATE_VALID)
|
|
|
|
|
return 0;
|
2010-04-07 00:30:05 +00:00
|
|
|
if (xdst->xfrm_genid != dst->xfrm->genid)
|
|
|
|
|
return 0;
|
2010-06-24 21:35:00 +00:00
|
|
|
if (xdst->num_pols > 0 &&
|
|
|
|
|
xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
|
2006-08-24 10:18:09 +00:00
|
|
|
return 0;
|
2006-08-24 02:12:01 +00:00
|
|
|
|
2017-11-28 20:41:01 +00:00
|
|
|
bundle[nr++] = xdst;
|
|
|
|
|
|
2017-11-28 20:40:22 +00:00
|
|
|
mtu = dst_mtu(xfrm_dst_child(dst));
|
2005-04-16 22:20:36 +00:00
|
|
|
if (xdst->child_mtu_cached != mtu) {
|
2017-11-28 20:41:01 +00:00
|
|
|
start_from = nr;
|
2005-04-16 22:20:36 +00:00
|
|
|
xdst->child_mtu_cached = mtu;
|
|
|
|
|
}
|
|
|
|
|
|
2005-05-26 19:58:04 +00:00
|
|
|
if (!dst_check(xdst->route, xdst->route_cookie))
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
|
mtu = dst_mtu(xdst->route);
|
|
|
|
|
if (xdst->route_mtu_cached != mtu) {
|
2017-11-28 20:41:01 +00:00
|
|
|
start_from = nr;
|
2005-04-16 22:20:36 +00:00
|
|
|
xdst->route_mtu_cached = mtu;
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-28 20:40:22 +00:00
|
|
|
dst = xfrm_dst_child(dst);
|
2005-04-16 22:20:36 +00:00
|
|
|
} while (dst->xfrm);
|
|
|
|
|
|
2017-11-28 20:41:01 +00:00
|
|
|
if (likely(!start_from))
|
2005-04-16 22:20:36 +00:00
|
|
|
return 1;
|
|
|
|
|
|
2017-11-28 20:41:01 +00:00
|
|
|
xdst = bundle[start_from - 1];
|
|
|
|
|
mtu = xdst->child_mtu_cached;
|
|
|
|
|
while (start_from--) {
|
|
|
|
|
dst = &xdst->u.dst;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
mtu = xfrm_state_mtu(dst->xfrm, mtu);
|
2017-11-28 20:41:01 +00:00
|
|
|
if (mtu > xdst->route_mtu_cached)
|
|
|
|
|
mtu = xdst->route_mtu_cached;
|
2010-12-09 05:16:57 +00:00
|
|
|
dst_metric_set(dst, RTAX_MTU, mtu);
|
2017-11-28 20:41:01 +00:00
|
|
|
if (!start_from)
|
2005-04-16 22:20:36 +00:00
|
|
|
break;
|
|
|
|
|
|
2017-11-28 20:41:01 +00:00
|
|
|
xdst = bundle[start_from - 1];
|
|
|
|
|
xdst->child_mtu_cached = mtu;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-13 20:52:14 +00:00
|
|
|
static unsigned int xfrm_default_advmss(const struct dst_entry *dst)
|
|
|
|
|
{
|
2017-11-28 20:40:46 +00:00
|
|
|
return dst_metric_advmss(xfrm_dst_path(dst));
|
2010-12-13 20:52:14 +00:00
|
|
|
}
|
|
|
|
|
|
2011-11-23 02:12:51 +00:00
|
|
|
static unsigned int xfrm_mtu(const struct dst_entry *dst)
|
2010-12-14 21:01:14 +00:00
|
|
|
{
|
2011-11-23 02:13:31 +00:00
|
|
|
unsigned int mtu = dst_metric_raw(dst, RTAX_MTU);
|
|
|
|
|
|
2017-11-28 20:40:46 +00:00
|
|
|
return mtu ? : dst_mtu(xfrm_dst_path(dst));
|
2010-12-14 21:01:14 +00:00
|
|
|
}
|
|
|
|
|
|
2017-02-25 15:57:43 +00:00
|
|
|
static const void *xfrm_get_dst_nexthop(const struct dst_entry *dst,
|
|
|
|
|
const void *daddr)
|
2017-02-06 21:14:15 +00:00
|
|
|
{
|
2017-11-28 20:40:46 +00:00
|
|
|
while (dst->xfrm) {
|
2017-02-06 21:14:15 +00:00
|
|
|
const struct xfrm_state *xfrm = dst->xfrm;
|
|
|
|
|
|
2018-02-19 06:44:07 +00:00
|
|
|
dst = xfrm_dst_child(dst);
|
|
|
|
|
|
2017-02-06 21:14:15 +00:00
|
|
|
if (xfrm->props.mode == XFRM_MODE_TRANSPORT)
|
|
|
|
|
continue;
|
|
|
|
|
if (xfrm->type->flags & XFRM_TYPE_REMOTE_COADDR)
|
|
|
|
|
daddr = xfrm->coaddr;
|
|
|
|
|
else if (!(xfrm->type->flags & XFRM_TYPE_LOCAL_COADDR))
|
|
|
|
|
daddr = &xfrm->id.daddr;
|
|
|
|
|
}
|
2017-02-25 15:57:43 +00:00
|
|
|
return daddr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct neighbour *xfrm_neigh_lookup(const struct dst_entry *dst,
|
|
|
|
|
struct sk_buff *skb,
|
|
|
|
|
const void *daddr)
|
|
|
|
|
{
|
2017-11-28 20:40:46 +00:00
|
|
|
const struct dst_entry *path = xfrm_dst_path(dst);
|
2017-02-25 15:57:43 +00:00
|
|
|
|
|
|
|
|
if (!skb)
|
|
|
|
|
daddr = xfrm_get_dst_nexthop(dst, daddr);
|
|
|
|
|
return path->ops->neigh_lookup(path, skb, daddr);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void xfrm_confirm_neigh(const struct dst_entry *dst, const void *daddr)
|
|
|
|
|
{
|
2017-11-28 20:40:46 +00:00
|
|
|
const struct dst_entry *path = xfrm_dst_path(dst);
|
2017-02-25 15:57:43 +00:00
|
|
|
|
|
|
|
|
daddr = xfrm_get_dst_nexthop(dst, daddr);
|
2017-02-06 21:14:15 +00:00
|
|
|
path->ops->confirm_neigh(path, daddr);
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-07 14:00:17 +00:00
|
|
|
int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
int err = 0;
|
2017-02-07 14:00:17 +00:00
|
|
|
|
|
|
|
|
if (WARN_ON(family >= ARRAY_SIZE(xfrm_policy_afinfo)))
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EAFNOSUPPORT;
|
2017-02-07 14:00:17 +00:00
|
|
|
|
2012-08-19 10:31:48 +00:00
|
|
|
spin_lock(&xfrm_policy_afinfo_lock);
|
2017-02-07 14:00:17 +00:00
|
|
|
if (unlikely(xfrm_policy_afinfo[family] != NULL))
|
2015-04-23 03:06:53 +00:00
|
|
|
err = -EEXIST;
|
2005-04-16 22:20:36 +00:00
|
|
|
else {
|
|
|
|
|
struct dst_ops *dst_ops = afinfo->dst_ops;
|
|
|
|
|
if (likely(dst_ops->kmem_cachep == NULL))
|
|
|
|
|
dst_ops->kmem_cachep = xfrm_dst_cache;
|
|
|
|
|
if (likely(dst_ops->check == NULL))
|
|
|
|
|
dst_ops->check = xfrm_dst_check;
|
2010-12-13 20:52:14 +00:00
|
|
|
if (likely(dst_ops->default_advmss == NULL))
|
|
|
|
|
dst_ops->default_advmss = xfrm_default_advmss;
|
2011-11-23 02:12:51 +00:00
|
|
|
if (likely(dst_ops->mtu == NULL))
|
|
|
|
|
dst_ops->mtu = xfrm_mtu;
|
2005-04-16 22:20:36 +00:00
|
|
|
if (likely(dst_ops->negative_advice == NULL))
|
|
|
|
|
dst_ops->negative_advice = xfrm_negative_advice;
|
|
|
|
|
if (likely(dst_ops->link_failure == NULL))
|
|
|
|
|
dst_ops->link_failure = xfrm_link_failure;
|
2011-07-18 07:40:17 +00:00
|
|
|
if (likely(dst_ops->neigh_lookup == NULL))
|
|
|
|
|
dst_ops->neigh_lookup = xfrm_neigh_lookup;
|
2017-02-06 21:14:15 +00:00
|
|
|
if (likely(!dst_ops->confirm_neigh))
|
|
|
|
|
dst_ops->confirm_neigh = xfrm_confirm_neigh;
|
2017-02-07 14:00:17 +00:00
|
|
|
rcu_assign_pointer(xfrm_policy_afinfo[family], afinfo);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2012-08-19 10:31:48 +00:00
|
|
|
spin_unlock(&xfrm_policy_afinfo_lock);
|
2010-01-25 06:47:53 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_register_afinfo);
|
|
|
|
|
|
2017-02-07 14:00:17 +00:00
|
|
|
void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2017-02-07 14:00:15 +00:00
|
|
|
struct dst_ops *dst_ops = afinfo->dst_ops;
|
2017-02-07 14:00:17 +00:00
|
|
|
int i;
|
2017-02-07 14:00:15 +00:00
|
|
|
|
2017-02-07 14:00:17 +00:00
|
|
|
for (i = 0; i < ARRAY_SIZE(xfrm_policy_afinfo); i++) {
|
|
|
|
|
if (xfrm_policy_afinfo[i] != afinfo)
|
|
|
|
|
continue;
|
|
|
|
|
RCU_INIT_POINTER(xfrm_policy_afinfo[i], NULL);
|
|
|
|
|
break;
|
2012-08-19 10:31:48 +00:00
|
|
|
}
|
|
|
|
|
|
2017-02-07 14:00:15 +00:00
|
|
|
synchronize_rcu();
|
2012-08-19 10:31:48 +00:00
|
|
|
|
2017-02-07 14:00:15 +00:00
|
|
|
dst_ops->kmem_cachep = NULL;
|
|
|
|
|
dst_ops->check = NULL;
|
|
|
|
|
dst_ops->negative_advice = NULL;
|
|
|
|
|
dst_ops->link_failure = NULL;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_policy_unregister_afinfo);
|
|
|
|
|
|
2018-06-12 12:07:12 +00:00
|
|
|
void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb)
|
|
|
|
|
{
|
|
|
|
|
spin_lock(&xfrm_if_cb_lock);
|
|
|
|
|
rcu_assign_pointer(xfrm_if_cb, ifcb);
|
|
|
|
|
spin_unlock(&xfrm_if_cb_lock);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_if_register_cb);
|
|
|
|
|
|
|
|
|
|
void xfrm_if_unregister_cb(void)
|
|
|
|
|
{
|
|
|
|
|
RCU_INIT_POINTER(xfrm_if_cb, NULL);
|
|
|
|
|
synchronize_rcu();
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xfrm_if_unregister_cb);
|
|
|
|
|
|
2007-12-21 04:42:57 +00:00
|
|
|
#ifdef CONFIG_XFRM_STATISTICS
|
2008-11-26 01:59:52 +00:00
|
|
|
static int __net_init xfrm_statistics_init(struct net *net)
|
2007-12-21 04:42:57 +00:00
|
|
|
{
|
2008-11-26 02:00:14 +00:00
|
|
|
int rv;
|
2014-05-05 22:55:55 +00:00
|
|
|
net->mib.xfrm_statistics = alloc_percpu(struct linux_xfrm_mib);
|
|
|
|
|
if (!net->mib.xfrm_statistics)
|
2007-12-21 04:42:57 +00:00
|
|
|
return -ENOMEM;
|
2008-11-26 02:00:14 +00:00
|
|
|
rv = xfrm_proc_init(net);
|
|
|
|
|
if (rv < 0)
|
2014-05-05 22:55:55 +00:00
|
|
|
free_percpu(net->mib.xfrm_statistics);
|
2008-11-26 02:00:14 +00:00
|
|
|
return rv;
|
2007-12-21 04:42:57 +00:00
|
|
|
}
|
2008-11-26 01:59:52 +00:00
|
|
|
|
|
|
|
|
static void xfrm_statistics_fini(struct net *net)
|
|
|
|
|
{
|
2008-11-26 02:00:14 +00:00
|
|
|
xfrm_proc_fini(net);
|
2014-05-05 22:55:55 +00:00
|
|
|
free_percpu(net->mib.xfrm_statistics);
|
2008-11-26 01:59:52 +00:00
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
static int __net_init xfrm_statistics_init(struct net *net)
|
|
|
|
|
{
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void xfrm_statistics_fini(struct net *net)
|
|
|
|
|
{
|
|
|
|
|
}
|
2007-12-21 04:42:57 +00:00
|
|
|
#endif
|
|
|
|
|
|
2008-11-26 01:14:31 +00:00
|
|
|
static int __net_init xfrm_policy_init(struct net *net)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2006-08-24 11:45:07 +00:00
|
|
|
unsigned int hmask, sz;
|
2018-11-07 22:00:35 +00:00
|
|
|
int dir, err;
|
2006-08-24 11:45:07 +00:00
|
|
|
|
2018-11-07 22:00:35 +00:00
|
|
|
if (net_eq(net, &init_net)) {
|
2024-01-30 08:14:11 +00:00
|
|
|
xfrm_dst_cache = KMEM_CACHE(xfrm_dst, SLAB_HWCACHE_ALIGN | SLAB_PANIC);
|
2018-11-07 22:00:35 +00:00
|
|
|
err = rhashtable_init(&xfrm_policy_inexact_table,
|
|
|
|
|
&xfrm_pol_inexact_params);
|
|
|
|
|
BUG_ON(err);
|
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-08-24 11:45:07 +00:00
|
|
|
hmask = 8 - 1;
|
|
|
|
|
sz = (hmask+1) * sizeof(struct hlist_head);
|
|
|
|
|
|
2008-11-26 01:22:35 +00:00
|
|
|
net->xfrm.policy_byidx = xfrm_hash_alloc(sz);
|
|
|
|
|
if (!net->xfrm.policy_byidx)
|
|
|
|
|
goto out_byidx;
|
2008-11-26 01:22:58 +00:00
|
|
|
net->xfrm.policy_idx_hmask = hmask;
|
2006-08-24 11:45:07 +00:00
|
|
|
|
2014-11-13 09:09:49 +00:00
|
|
|
for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
|
2006-08-24 11:45:07 +00:00
|
|
|
struct xfrm_policy_hash *htab;
|
|
|
|
|
|
2008-11-26 01:24:15 +00:00
|
|
|
net->xfrm.policy_count[dir] = 0;
|
2014-11-13 09:09:49 +00:00
|
|
|
net->xfrm.policy_count[XFRM_POLICY_MAX + dir] = 0;
|
2008-11-26 01:23:26 +00:00
|
|
|
INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]);
|
2006-08-24 11:45:07 +00:00
|
|
|
|
2008-11-26 01:23:48 +00:00
|
|
|
htab = &net->xfrm.policy_bydst[dir];
|
2006-08-24 11:50:50 +00:00
|
|
|
htab->table = xfrm_hash_alloc(sz);
|
2006-08-24 11:45:07 +00:00
|
|
|
if (!htab->table)
|
2008-11-26 01:23:48 +00:00
|
|
|
goto out_bydst;
|
|
|
|
|
htab->hmask = hmask;
|
xfrm: hash prefixed policies based on preflen thresholds
The idea is an extension of the current policy hashing.
Today only non-prefixed policies are stored in a hash table. This
patch relaxes the constraints, and hashes policies whose prefix
lengths are greater or equal to a configurable threshold.
Each hash table (one per direction) maintains its own set of IPv4 and
IPv6 thresholds (dbits4, sbits4, dbits6, sbits6), by default (32, 32,
128, 128).
Example, if the output hash table is configured with values (16, 24,
56, 64):
ip xfrm policy add dir out src 10.22.0.0/20 dst 10.24.1.0/24 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.1.1/32 ... => hashed
ip xfrm policy add dir out src 10.22.0.0/16 dst 10.24.0.0/16 ... => unhashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2401::2/128 ... => hashed
ip xfrm policy add dir out \
src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 ... => unhashed
The high order bits of the addresses (up to the threshold) are used to
compute the hash key.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:04 +00:00
|
|
|
htab->dbits4 = 32;
|
|
|
|
|
htab->sbits4 = 32;
|
|
|
|
|
htab->dbits6 = 128;
|
|
|
|
|
htab->sbits6 = 128;
|
2006-08-24 11:45:07 +00:00
|
|
|
}
|
xfrm: configure policy hash table thresholds by netlink
Enable to specify local and remote prefix length thresholds for the
policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
example:
struct xfrmu_spdhthresh thresh4 = {
.lbits = 0;
.rbits = 24;
};
struct xfrmu_spdhthresh thresh6 = {
.lbits = 0;
.rbits = 56;
};
struct nlmsghdr *hdr;
struct nl_msg *msg;
msg = nlmsg_alloc();
hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRMA_SPD_IPV4_HTHRESH, sizeof(__u32), NLM_F_REQUEST);
nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
nla_send_auto(sk, msg);
The numbers are the policy selector minimum prefix lengths to put a
policy in the hash table.
- lbits is the local threshold (source address for out policies,
destination address for in and fwd policies).
- rbits is the remote threshold (destination address for out
policies, source address for in and fwd policies).
The default values are:
XFRMA_SPD_IPV4_HTHRESH: 32 32
XFRMA_SPD_IPV6_HTHRESH: 128 128
Dynamic re-building of the SPD is performed when the thresholds values
are changed.
The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
the kernel replies to XFRM_MSG_GETSPDINFO requests by an
XFRM_MSG_NEWSPDINFO message, with both attributes
XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:05 +00:00
|
|
|
net->xfrm.policy_hthresh.lbits4 = 32;
|
|
|
|
|
net->xfrm.policy_hthresh.rbits4 = 32;
|
|
|
|
|
net->xfrm.policy_hthresh.lbits6 = 128;
|
|
|
|
|
net->xfrm.policy_hthresh.rbits6 = 128;
|
|
|
|
|
|
|
|
|
|
seqlock_init(&net->xfrm.policy_hthresh.lock);
|
2006-08-24 11:45:07 +00:00
|
|
|
|
2008-11-26 01:22:11 +00:00
|
|
|
INIT_LIST_HEAD(&net->xfrm.policy_all);
|
2018-11-07 22:00:35 +00:00
|
|
|
INIT_LIST_HEAD(&net->xfrm.inexact_bins);
|
2008-11-26 01:28:57 +00:00
|
|
|
INIT_WORK(&net->xfrm.policy_hash_work, xfrm_hash_resize);
|
xfrm: configure policy hash table thresholds by netlink
Enable to specify local and remote prefix length thresholds for the
policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
example:
struct xfrmu_spdhthresh thresh4 = {
.lbits = 0;
.rbits = 24;
};
struct xfrmu_spdhthresh thresh6 = {
.lbits = 0;
.rbits = 56;
};
struct nlmsghdr *hdr;
struct nl_msg *msg;
msg = nlmsg_alloc();
hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRMA_SPD_IPV4_HTHRESH, sizeof(__u32), NLM_F_REQUEST);
nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
nla_send_auto(sk, msg);
The numbers are the policy selector minimum prefix lengths to put a
policy in the hash table.
- lbits is the local threshold (source address for out policies,
destination address for in and fwd policies).
- rbits is the remote threshold (destination address for out
policies, source address for in and fwd policies).
The default values are:
XFRMA_SPD_IPV4_HTHRESH: 32 32
XFRMA_SPD_IPV6_HTHRESH: 128 128
Dynamic re-building of the SPD is performed when the thresholds values
are changed.
The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
the kernel replies to XFRM_MSG_GETSPDINFO requests by an
XFRM_MSG_NEWSPDINFO message, with both attributes
XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-08-29 14:16:05 +00:00
|
|
|
INIT_WORK(&net->xfrm.policy_hthresh.work, xfrm_hash_rebuild);
|
2008-11-26 01:14:31 +00:00
|
|
|
return 0;
|
2008-11-26 01:22:35 +00:00
|
|
|
|
2008-11-26 01:23:48 +00:00
|
|
|
out_bydst:
|
|
|
|
|
for (dir--; dir >= 0; dir--) {
|
|
|
|
|
struct xfrm_policy_hash *htab;
|
|
|
|
|
|
|
|
|
|
htab = &net->xfrm.policy_bydst[dir];
|
|
|
|
|
xfrm_hash_free(htab->table, sz);
|
|
|
|
|
}
|
|
|
|
|
xfrm_hash_free(net->xfrm.policy_byidx, sz);
|
2008-11-26 01:22:35 +00:00
|
|
|
out_byidx:
|
|
|
|
|
return -ENOMEM;
|
2008-11-26 01:14:31 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void xfrm_policy_fini(struct net *net)
|
|
|
|
|
{
|
2018-11-07 22:00:37 +00:00
|
|
|
struct xfrm_pol_inexact_bin *b, *t;
|
2008-11-26 01:22:35 +00:00
|
|
|
unsigned int sz;
|
2008-11-26 01:23:26 +00:00
|
|
|
int dir;
|
2008-11-26 01:22:35 +00:00
|
|
|
|
2008-11-26 01:57:44 +00:00
|
|
|
flush_work(&net->xfrm.policy_hash_work);
|
|
|
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
2014-04-22 12:48:30 +00:00
|
|
|
xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, false);
|
2008-11-26 01:57:44 +00:00
|
|
|
#endif
|
2014-04-22 12:48:30 +00:00
|
|
|
xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
|
2008-11-26 01:57:44 +00:00
|
|
|
|
2008-11-26 01:22:11 +00:00
|
|
|
WARN_ON(!list_empty(&net->xfrm.policy_all));
|
2008-11-26 01:22:35 +00:00
|
|
|
|
2014-11-13 09:09:49 +00:00
|
|
|
for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
|
2008-11-26 01:23:48 +00:00
|
|
|
struct xfrm_policy_hash *htab;
|
|
|
|
|
|
2008-11-26 01:23:26 +00:00
|
|
|
WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir]));
|
2008-11-26 01:23:48 +00:00
|
|
|
|
|
|
|
|
htab = &net->xfrm.policy_bydst[dir];
|
2013-01-18 15:03:48 +00:00
|
|
|
sz = (htab->hmask + 1) * sizeof(struct hlist_head);
|
2008-11-26 01:23:48 +00:00
|
|
|
WARN_ON(!hlist_empty(htab->table));
|
|
|
|
|
xfrm_hash_free(htab->table, sz);
|
2008-11-26 01:23:26 +00:00
|
|
|
}
|
|
|
|
|
|
2008-11-26 01:22:58 +00:00
|
|
|
sz = (net->xfrm.policy_idx_hmask + 1) * sizeof(struct hlist_head);
|
2008-11-26 01:22:35 +00:00
|
|
|
WARN_ON(!hlist_empty(net->xfrm.policy_byidx));
|
|
|
|
|
xfrm_hash_free(net->xfrm.policy_byidx, sz);
|
2018-11-07 22:00:35 +00:00
|
|
|
|
2018-11-07 22:00:37 +00:00
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
|
|
|
|
list_for_each_entry_safe(b, t, &net->xfrm.inexact_bins, inexact_bins)
|
|
|
|
|
__xfrm_policy_inexact_prune_bin(b, true);
|
|
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2008-11-26 01:14:31 +00:00
|
|
|
static int __net_init xfrm_net_init(struct net *net)
|
|
|
|
|
{
|
|
|
|
|
int rv;
|
|
|
|
|
|
2017-02-08 10:52:29 +00:00
|
|
|
/* Initialize the per-net locks here */
|
|
|
|
|
spin_lock_init(&net->xfrm.xfrm_state_lock);
|
|
|
|
|
spin_lock_init(&net->xfrm.xfrm_policy_lock);
|
2021-06-28 13:34:28 +00:00
|
|
|
seqcount_spinlock_init(&net->xfrm.xfrm_policy_hash_generation, &net->xfrm.xfrm_policy_lock);
|
2017-02-08 10:52:29 +00:00
|
|
|
mutex_init(&net->xfrm.xfrm_cfg_mutex);
|
2022-03-14 10:38:22 +00:00
|
|
|
net->xfrm.policy_default[XFRM_POLICY_IN] = XFRM_USERPOLICY_ACCEPT;
|
|
|
|
|
net->xfrm.policy_default[XFRM_POLICY_FWD] = XFRM_USERPOLICY_ACCEPT;
|
|
|
|
|
net->xfrm.policy_default[XFRM_POLICY_OUT] = XFRM_USERPOLICY_ACCEPT;
|
2017-02-08 10:52:29 +00:00
|
|
|
|
2008-11-26 01:59:52 +00:00
|
|
|
rv = xfrm_statistics_init(net);
|
|
|
|
|
if (rv < 0)
|
|
|
|
|
goto out_statistics;
|
2008-11-26 01:14:31 +00:00
|
|
|
rv = xfrm_state_init(net);
|
|
|
|
|
if (rv < 0)
|
|
|
|
|
goto out_state;
|
|
|
|
|
rv = xfrm_policy_init(net);
|
|
|
|
|
if (rv < 0)
|
|
|
|
|
goto out_policy;
|
2008-11-26 02:00:48 +00:00
|
|
|
rv = xfrm_sysctl_init(net);
|
|
|
|
|
if (rv < 0)
|
|
|
|
|
goto out_sysctl;
|
2013-11-07 09:47:50 +00:00
|
|
|
|
2008-11-26 01:14:31 +00:00
|
|
|
return 0;
|
|
|
|
|
|
2008-11-26 02:00:48 +00:00
|
|
|
out_sysctl:
|
|
|
|
|
xfrm_policy_fini(net);
|
2008-11-26 01:14:31 +00:00
|
|
|
out_policy:
|
|
|
|
|
xfrm_state_fini(net);
|
|
|
|
|
out_state:
|
2008-11-26 01:59:52 +00:00
|
|
|
xfrm_statistics_fini(net);
|
|
|
|
|
out_statistics:
|
2008-11-26 01:14:31 +00:00
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __net_exit xfrm_net_exit(struct net *net)
|
|
|
|
|
{
|
2008-11-26 02:00:48 +00:00
|
|
|
xfrm_sysctl_fini(net);
|
2008-11-26 01:14:31 +00:00
|
|
|
xfrm_policy_fini(net);
|
|
|
|
|
xfrm_state_fini(net);
|
2008-11-26 01:59:52 +00:00
|
|
|
xfrm_statistics_fini(net);
|
2008-11-26 01:14:31 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct pernet_operations __net_initdata xfrm_net_ops = {
|
|
|
|
|
.init = xfrm_net_init,
|
|
|
|
|
.exit = xfrm_net_exit,
|
|
|
|
|
};
|
|
|
|
|
|
2023-10-04 16:09:53 +00:00
|
|
|
static const struct flow_dissector_key xfrm_flow_dissector_keys[] = {
|
|
|
|
|
{
|
|
|
|
|
.key_id = FLOW_DISSECTOR_KEY_CONTROL,
|
|
|
|
|
.offset = offsetof(struct xfrm_flow_keys, control),
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.key_id = FLOW_DISSECTOR_KEY_BASIC,
|
|
|
|
|
.offset = offsetof(struct xfrm_flow_keys, basic),
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.key_id = FLOW_DISSECTOR_KEY_IPV4_ADDRS,
|
|
|
|
|
.offset = offsetof(struct xfrm_flow_keys, addrs.ipv4),
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.key_id = FLOW_DISSECTOR_KEY_IPV6_ADDRS,
|
|
|
|
|
.offset = offsetof(struct xfrm_flow_keys, addrs.ipv6),
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.key_id = FLOW_DISSECTOR_KEY_PORTS,
|
|
|
|
|
.offset = offsetof(struct xfrm_flow_keys, ports),
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.key_id = FLOW_DISSECTOR_KEY_GRE_KEYID,
|
|
|
|
|
.offset = offsetof(struct xfrm_flow_keys, gre),
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.key_id = FLOW_DISSECTOR_KEY_IP,
|
|
|
|
|
.offset = offsetof(struct xfrm_flow_keys, ip),
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.key_id = FLOW_DISSECTOR_KEY_ICMP,
|
|
|
|
|
.offset = offsetof(struct xfrm_flow_keys, icmp),
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
void __init xfrm_init(void)
|
|
|
|
|
{
|
2023-10-04 16:09:53 +00:00
|
|
|
skb_flow_dissector_init(&xfrm_session_dissector,
|
|
|
|
|
xfrm_flow_dissector_keys,
|
|
|
|
|
ARRAY_SIZE(xfrm_flow_dissector_keys));
|
|
|
|
|
|
2008-11-26 01:14:31 +00:00
|
|
|
register_pernet_subsys(&xfrm_net_ops);
|
2018-03-29 14:03:25 +00:00
|
|
|
xfrm_dev_init();
|
2005-04-16 22:20:36 +00:00
|
|
|
xfrm_input_init();
|
2018-06-12 12:07:12 +00:00
|
|
|
|
2020-07-16 08:09:03 +00:00
|
|
|
#ifdef CONFIG_XFRM_ESPINTCP
|
2019-11-25 13:49:02 +00:00
|
|
|
espintcp_init();
|
|
|
|
|
#endif
|
2023-12-14 22:49:02 +00:00
|
|
|
|
|
|
|
|
register_xfrm_state_bpf();
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2007-09-17 18:51:22 +00:00
|
|
|
#ifdef CONFIG_AUDITSYSCALL
|
2008-01-12 11:20:03 +00:00
|
|
|
static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
|
|
|
|
|
struct audit_buffer *audit_buf)
|
2007-09-17 18:51:22 +00:00
|
|
|
{
|
2007-12-01 12:27:18 +00:00
|
|
|
struct xfrm_sec_ctx *ctx = xp->security;
|
|
|
|
|
struct xfrm_selector *sel = &xp->selector;
|
|
|
|
|
|
|
|
|
|
if (ctx)
|
2007-09-17 18:51:22 +00:00
|
|
|
audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
|
2007-12-01 12:27:18 +00:00
|
|
|
ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
|
2007-09-17 18:51:22 +00:00
|
|
|
|
2013-12-24 01:43:46 +00:00
|
|
|
switch (sel->family) {
|
2007-09-17 18:51:22 +00:00
|
|
|
case AF_INET:
|
2008-10-31 07:54:56 +00:00
|
|
|
audit_log_format(audit_buf, " src=%pI4", &sel->saddr.a4);
|
2007-12-01 12:27:18 +00:00
|
|
|
if (sel->prefixlen_s != 32)
|
|
|
|
|
audit_log_format(audit_buf, " src_prefixlen=%d",
|
|
|
|
|
sel->prefixlen_s);
|
2008-10-31 07:54:56 +00:00
|
|
|
audit_log_format(audit_buf, " dst=%pI4", &sel->daddr.a4);
|
2007-12-01 12:27:18 +00:00
|
|
|
if (sel->prefixlen_d != 32)
|
|
|
|
|
audit_log_format(audit_buf, " dst_prefixlen=%d",
|
|
|
|
|
sel->prefixlen_d);
|
2007-09-17 18:51:22 +00:00
|
|
|
break;
|
|
|
|
|
case AF_INET6:
|
2008-10-29 19:52:50 +00:00
|
|
|
audit_log_format(audit_buf, " src=%pI6", sel->saddr.a6);
|
2007-12-01 12:27:18 +00:00
|
|
|
if (sel->prefixlen_s != 128)
|
|
|
|
|
audit_log_format(audit_buf, " src_prefixlen=%d",
|
|
|
|
|
sel->prefixlen_s);
|
2008-10-29 19:52:50 +00:00
|
|
|
audit_log_format(audit_buf, " dst=%pI6", sel->daddr.a6);
|
2007-12-01 12:27:18 +00:00
|
|
|
if (sel->prefixlen_d != 128)
|
|
|
|
|
audit_log_format(audit_buf, " dst_prefixlen=%d",
|
|
|
|
|
sel->prefixlen_d);
|
2007-09-17 18:51:22 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2014-04-22 12:48:30 +00:00
|
|
|
void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid)
|
2007-09-17 18:51:22 +00:00
|
|
|
{
|
|
|
|
|
struct audit_buffer *audit_buf;
|
|
|
|
|
|
2007-12-21 22:58:11 +00:00
|
|
|
audit_buf = xfrm_audit_start("SPD-add");
|
2007-09-17 18:51:22 +00:00
|
|
|
if (audit_buf == NULL)
|
|
|
|
|
return;
|
2014-04-22 12:48:30 +00:00
|
|
|
xfrm_audit_helper_usrinfo(task_valid, audit_buf);
|
2007-12-21 22:58:11 +00:00
|
|
|
audit_log_format(audit_buf, " res=%u", result);
|
2007-09-17 18:51:22 +00:00
|
|
|
xfrm_audit_common_policyinfo(xp, audit_buf);
|
|
|
|
|
audit_log_end(audit_buf);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
|
|
|
|
|
|
2007-12-21 04:49:33 +00:00
|
|
|
void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
|
2014-04-22 12:48:30 +00:00
|
|
|
bool task_valid)
|
2007-09-17 18:51:22 +00:00
|
|
|
{
|
|
|
|
|
struct audit_buffer *audit_buf;
|
|
|
|
|
|
2007-12-21 22:58:11 +00:00
|
|
|
audit_buf = xfrm_audit_start("SPD-delete");
|
2007-09-17 18:51:22 +00:00
|
|
|
if (audit_buf == NULL)
|
|
|
|
|
return;
|
2014-04-22 12:48:30 +00:00
|
|
|
xfrm_audit_helper_usrinfo(task_valid, audit_buf);
|
2007-12-21 22:58:11 +00:00
|
|
|
audit_log_format(audit_buf, " res=%u", result);
|
2007-09-17 18:51:22 +00:00
|
|
|
xfrm_audit_common_policyinfo(xp, audit_buf);
|
|
|
|
|
audit_log_end(audit_buf);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
|
|
|
|
|
#endif
|
|
|
|
|
|
2007-02-08 21:11:42 +00:00
|
|
|
#ifdef CONFIG_XFRM_MIGRATE
|
2012-05-15 19:04:57 +00:00
|
|
|
static bool xfrm_migrate_selector_match(const struct xfrm_selector *sel_cmp,
|
|
|
|
|
const struct xfrm_selector *sel_tgt)
|
2007-02-08 21:11:42 +00:00
|
|
|
{
|
|
|
|
|
if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
|
|
|
|
|
if (sel_tgt->family == sel_cmp->family &&
|
2013-01-29 12:48:50 +00:00
|
|
|
xfrm_addr_equal(&sel_tgt->daddr, &sel_cmp->daddr,
|
|
|
|
|
sel_cmp->family) &&
|
|
|
|
|
xfrm_addr_equal(&sel_tgt->saddr, &sel_cmp->saddr,
|
|
|
|
|
sel_cmp->family) &&
|
2007-02-08 21:11:42 +00:00
|
|
|
sel_tgt->prefixlen_d == sel_cmp->prefixlen_d &&
|
|
|
|
|
sel_tgt->prefixlen_s == sel_cmp->prefixlen_s) {
|
2012-05-15 19:04:57 +00:00
|
|
|
return true;
|
2007-02-08 21:11:42 +00:00
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (memcmp(sel_tgt, sel_cmp, sizeof(*sel_tgt)) == 0) {
|
2012-05-15 19:04:57 +00:00
|
|
|
return true;
|
2007-02-08 21:11:42 +00:00
|
|
|
}
|
|
|
|
|
}
|
2012-05-15 19:04:57 +00:00
|
|
|
return false;
|
2007-02-08 21:11:42 +00:00
|
|
|
}
|
|
|
|
|
|
2013-12-24 01:43:47 +00:00
|
|
|
static struct xfrm_policy *xfrm_migrate_policy_find(const struct xfrm_selector *sel,
|
xfrm: Check if_id in xfrm_migrate
This patch enables distinguishing SAs and SPs based on if_id during
the xfrm_migrate flow. This ensures support for xfrm interfaces
throughout the SA/SP lifecycle.
When there are multiple existing SPs with the same direction,
the same xfrm_selector and different endpoint addresses,
xfrm_migrate might fail with ENODATA.
Specifically, the code path for performing xfrm_migrate is:
Stage 1: find policy to migrate with
xfrm_migrate_policy_find(sel, dir, type, net)
Stage 2: find and update state(s) with
xfrm_migrate_state_find(mp, net)
Stage 3: update endpoint address(es) of template(s) with
xfrm_policy_migrate(pol, m, num_migrate)
Currently "Stage 1" always returns the first xfrm_policy that
matches, and "Stage 3" looks for the xfrm_tmpl that matches the
old endpoint address. Thus if there are multiple xfrm_policy
with same selector, direction, type and net, "Stage 1" might
rertun a wrong xfrm_policy and "Stage 3" will fail with ENODATA
because it cannot find a xfrm_tmpl with the matching endpoint
address.
The fix is to allow userspace to pass an if_id and add if_id
to the matching rule in Stage 1 and Stage 2 since if_id is a
unique ID for xfrm_policy and xfrm_state. For compatibility,
if_id will only be checked if the attribute is set.
Tested with additions to Android's kernel unit test suite:
https://android-review.googlesource.com/c/kernel/tests/+/1668886
Signed-off-by: Yan Yan <evitayan@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2022-01-19 00:00:13 +00:00
|
|
|
u8 dir, u8 type, struct net *net, u32 if_id)
|
2007-02-08 21:11:42 +00:00
|
|
|
{
|
|
|
|
|
struct xfrm_policy *pol, *ret = NULL;
|
|
|
|
|
struct hlist_head *chain;
|
|
|
|
|
u32 priority = ~0U;
|
|
|
|
|
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_lock_bh(&net->xfrm.xfrm_policy_lock);
|
2013-11-07 09:47:49 +00:00
|
|
|
chain = policy_hash_direct(net, &sel->daddr, &sel->saddr, sel->family, dir);
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 01:06:00 +00:00
|
|
|
hlist_for_each_entry(pol, chain, bydst) {
|
xfrm: Check if_id in xfrm_migrate
This patch enables distinguishing SAs and SPs based on if_id during
the xfrm_migrate flow. This ensures support for xfrm interfaces
throughout the SA/SP lifecycle.
When there are multiple existing SPs with the same direction,
the same xfrm_selector and different endpoint addresses,
xfrm_migrate might fail with ENODATA.
Specifically, the code path for performing xfrm_migrate is:
Stage 1: find policy to migrate with
xfrm_migrate_policy_find(sel, dir, type, net)
Stage 2: find and update state(s) with
xfrm_migrate_state_find(mp, net)
Stage 3: update endpoint address(es) of template(s) with
xfrm_policy_migrate(pol, m, num_migrate)
Currently "Stage 1" always returns the first xfrm_policy that
matches, and "Stage 3" looks for the xfrm_tmpl that matches the
old endpoint address. Thus if there are multiple xfrm_policy
with same selector, direction, type and net, "Stage 1" might
rertun a wrong xfrm_policy and "Stage 3" will fail with ENODATA
because it cannot find a xfrm_tmpl with the matching endpoint
address.
The fix is to allow userspace to pass an if_id and add if_id
to the matching rule in Stage 1 and Stage 2 since if_id is a
unique ID for xfrm_policy and xfrm_state. For compatibility,
if_id will only be checked if the attribute is set.
Tested with additions to Android's kernel unit test suite:
https://android-review.googlesource.com/c/kernel/tests/+/1668886
Signed-off-by: Yan Yan <evitayan@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2022-01-19 00:00:13 +00:00
|
|
|
if ((if_id == 0 || pol->if_id == if_id) &&
|
|
|
|
|
xfrm_migrate_selector_match(sel, &pol->selector) &&
|
2007-02-08 21:11:42 +00:00
|
|
|
pol->type == type) {
|
|
|
|
|
ret = pol;
|
|
|
|
|
priority = ret->priority;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
2013-11-07 09:47:49 +00:00
|
|
|
chain = &net->xfrm.policy_inexact[dir];
|
2018-11-07 22:00:35 +00:00
|
|
|
hlist_for_each_entry(pol, chain, bydst_inexact_list) {
|
2015-05-14 03:16:59 +00:00
|
|
|
if ((pol->priority >= priority) && ret)
|
|
|
|
|
break;
|
|
|
|
|
|
xfrm: Check if_id in xfrm_migrate
This patch enables distinguishing SAs and SPs based on if_id during
the xfrm_migrate flow. This ensures support for xfrm interfaces
throughout the SA/SP lifecycle.
When there are multiple existing SPs with the same direction,
the same xfrm_selector and different endpoint addresses,
xfrm_migrate might fail with ENODATA.
Specifically, the code path for performing xfrm_migrate is:
Stage 1: find policy to migrate with
xfrm_migrate_policy_find(sel, dir, type, net)
Stage 2: find and update state(s) with
xfrm_migrate_state_find(mp, net)
Stage 3: update endpoint address(es) of template(s) with
xfrm_policy_migrate(pol, m, num_migrate)
Currently "Stage 1" always returns the first xfrm_policy that
matches, and "Stage 3" looks for the xfrm_tmpl that matches the
old endpoint address. Thus if there are multiple xfrm_policy
with same selector, direction, type and net, "Stage 1" might
rertun a wrong xfrm_policy and "Stage 3" will fail with ENODATA
because it cannot find a xfrm_tmpl with the matching endpoint
address.
The fix is to allow userspace to pass an if_id and add if_id
to the matching rule in Stage 1 and Stage 2 since if_id is a
unique ID for xfrm_policy and xfrm_state. For compatibility,
if_id will only be checked if the attribute is set.
Tested with additions to Android's kernel unit test suite:
https://android-review.googlesource.com/c/kernel/tests/+/1668886
Signed-off-by: Yan Yan <evitayan@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2022-01-19 00:00:13 +00:00
|
|
|
if ((if_id == 0 || pol->if_id == if_id) &&
|
|
|
|
|
xfrm_migrate_selector_match(sel, &pol->selector) &&
|
2015-05-14 03:16:59 +00:00
|
|
|
pol->type == type) {
|
2007-02-08 21:11:42 +00:00
|
|
|
ret = pol;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-30 09:13:41 +00:00
|
|
|
xfrm_pol_hold(ret);
|
2007-02-08 21:11:42 +00:00
|
|
|
|
2016-08-11 13:17:59 +00:00
|
|
|
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
|
2007-02-08 21:11:42 +00:00
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2011-02-24 05:21:08 +00:00
|
|
|
static int migrate_tmpl_match(const struct xfrm_migrate *m, const struct xfrm_tmpl *t)
|
2007-02-08 21:11:42 +00:00
|
|
|
{
|
|
|
|
|
int match = 0;
|
|
|
|
|
|
|
|
|
|
if (t->mode == m->mode && t->id.proto == m->proto &&
|
|
|
|
|
(m->reqid == 0 || t->reqid == m->reqid)) {
|
|
|
|
|
switch (t->mode) {
|
|
|
|
|
case XFRM_MODE_TUNNEL:
|
|
|
|
|
case XFRM_MODE_BEET:
|
2013-01-29 12:48:50 +00:00
|
|
|
if (xfrm_addr_equal(&t->id.daddr, &m->old_daddr,
|
|
|
|
|
m->old_family) &&
|
|
|
|
|
xfrm_addr_equal(&t->saddr, &m->old_saddr,
|
|
|
|
|
m->old_family)) {
|
2007-02-08 21:11:42 +00:00
|
|
|
match = 1;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case XFRM_MODE_TRANSPORT:
|
|
|
|
|
/* in case of transport mode, template does not store
|
|
|
|
|
any IP addresses, hence we just compare mode and
|
|
|
|
|
protocol */
|
|
|
|
|
match = 1;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return match;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* update endpoint address(es) of template(s) */
|
|
|
|
|
static int xfrm_policy_migrate(struct xfrm_policy *pol,
|
2022-11-24 14:43:42 +00:00
|
|
|
struct xfrm_migrate *m, int num_migrate,
|
|
|
|
|
struct netlink_ext_ack *extack)
|
2007-02-08 21:11:42 +00:00
|
|
|
{
|
|
|
|
|
struct xfrm_migrate *mp;
|
|
|
|
|
int i, j, n = 0;
|
|
|
|
|
|
|
|
|
|
write_lock_bh(&pol->lock);
|
2008-10-01 14:03:24 +00:00
|
|
|
if (unlikely(pol->walk.dead)) {
|
2007-02-08 21:11:42 +00:00
|
|
|
/* target policy has been deleted */
|
2022-11-24 14:43:42 +00:00
|
|
|
NL_SET_ERR_MSG(extack, "Target policy not found");
|
2007-02-08 21:11:42 +00:00
|
|
|
write_unlock_bh(&pol->lock);
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < pol->xfrm_nr; i++) {
|
|
|
|
|
for (j = 0, mp = m; j < num_migrate; j++, mp++) {
|
|
|
|
|
if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i]))
|
|
|
|
|
continue;
|
|
|
|
|
n++;
|
2007-10-18 04:31:50 +00:00
|
|
|
if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL &&
|
|
|
|
|
pol->xfrm_vec[i].mode != XFRM_MODE_BEET)
|
2007-02-08 21:11:42 +00:00
|
|
|
continue;
|
|
|
|
|
/* update endpoints */
|
|
|
|
|
memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr,
|
|
|
|
|
sizeof(pol->xfrm_vec[i].id.daddr));
|
|
|
|
|
memcpy(&pol->xfrm_vec[i].saddr, &mp->new_saddr,
|
|
|
|
|
sizeof(pol->xfrm_vec[i].saddr));
|
|
|
|
|
pol->xfrm_vec[i].encap_family = mp->new_family;
|
|
|
|
|
/* flush bundles */
|
2010-04-07 00:30:05 +00:00
|
|
|
atomic_inc(&pol->genid);
|
2007-02-08 21:11:42 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
write_unlock_bh(&pol->lock);
|
|
|
|
|
|
|
|
|
|
if (!n)
|
|
|
|
|
return -ENODATA;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-24 14:43:42 +00:00
|
|
|
static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate,
|
|
|
|
|
struct netlink_ext_ack *extack)
|
2007-02-08 21:11:42 +00:00
|
|
|
{
|
|
|
|
|
int i, j;
|
|
|
|
|
|
2022-11-24 14:43:42 +00:00
|
|
|
if (num_migrate < 1 || num_migrate > XFRM_MAX_DEPTH) {
|
|
|
|
|
NL_SET_ERR_MSG(extack, "Invalid number of SAs to migrate, must be 0 < num <= XFRM_MAX_DEPTH (6)");
|
2007-02-08 21:11:42 +00:00
|
|
|
return -EINVAL;
|
2022-11-24 14:43:42 +00:00
|
|
|
}
|
2007-02-08 21:11:42 +00:00
|
|
|
|
|
|
|
|
for (i = 0; i < num_migrate; i++) {
|
|
|
|
|
if (xfrm_addr_any(&m[i].new_daddr, m[i].new_family) ||
|
2022-11-24 14:43:42 +00:00
|
|
|
xfrm_addr_any(&m[i].new_saddr, m[i].new_family)) {
|
|
|
|
|
NL_SET_ERR_MSG(extack, "Addresses in the MIGRATE attribute's list cannot be null");
|
2007-02-08 21:11:42 +00:00
|
|
|
return -EINVAL;
|
2022-11-24 14:43:42 +00:00
|
|
|
}
|
2007-02-08 21:11:42 +00:00
|
|
|
|
|
|
|
|
/* check if there is any duplicated entry */
|
|
|
|
|
for (j = i + 1; j < num_migrate; j++) {
|
|
|
|
|
if (!memcmp(&m[i].old_daddr, &m[j].old_daddr,
|
|
|
|
|
sizeof(m[i].old_daddr)) &&
|
|
|
|
|
!memcmp(&m[i].old_saddr, &m[j].old_saddr,
|
|
|
|
|
sizeof(m[i].old_saddr)) &&
|
|
|
|
|
m[i].proto == m[j].proto &&
|
|
|
|
|
m[i].mode == m[j].mode &&
|
|
|
|
|
m[i].reqid == m[j].reqid &&
|
2022-11-24 14:43:42 +00:00
|
|
|
m[i].old_family == m[j].old_family) {
|
|
|
|
|
NL_SET_ERR_MSG(extack, "Entries in the MIGRATE attribute's list must be unique");
|
2007-02-08 21:11:42 +00:00
|
|
|
return -EINVAL;
|
2022-11-24 14:43:42 +00:00
|
|
|
}
|
2007-02-08 21:11:42 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2011-02-24 05:35:06 +00:00
|
|
|
int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
|
2008-10-05 20:33:42 +00:00
|
|
|
struct xfrm_migrate *m, int num_migrate,
|
2017-06-06 10:12:13 +00:00
|
|
|
struct xfrm_kmaddress *k, struct net *net,
|
2022-11-24 14:43:42 +00:00
|
|
|
struct xfrm_encap_tmpl *encap, u32 if_id,
|
|
|
|
|
struct netlink_ext_ack *extack)
|
2007-02-08 21:11:42 +00:00
|
|
|
{
|
|
|
|
|
int i, err, nx_cur = 0, nx_new = 0;
|
|
|
|
|
struct xfrm_policy *pol = NULL;
|
|
|
|
|
struct xfrm_state *x, *xc;
|
|
|
|
|
struct xfrm_state *x_cur[XFRM_MAX_DEPTH];
|
|
|
|
|
struct xfrm_state *x_new[XFRM_MAX_DEPTH];
|
|
|
|
|
struct xfrm_migrate *mp;
|
|
|
|
|
|
2017-08-02 17:50:14 +00:00
|
|
|
/* Stage 0 - sanity checks */
|
2022-11-24 14:43:42 +00:00
|
|
|
err = xfrm_migrate_check(m, num_migrate, extack);
|
2022-11-24 14:43:38 +00:00
|
|
|
if (err < 0)
|
2007-02-08 21:11:42 +00:00
|
|
|
goto out;
|
|
|
|
|
|
2017-08-02 17:50:14 +00:00
|
|
|
if (dir >= XFRM_POLICY_MAX) {
|
2022-11-24 14:43:42 +00:00
|
|
|
NL_SET_ERR_MSG(extack, "Invalid policy direction");
|
2017-08-02 17:50:14 +00:00
|
|
|
err = -EINVAL;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
2007-02-08 21:11:42 +00:00
|
|
|
/* Stage 1 - find policy */
|
2022-11-24 14:43:38 +00:00
|
|
|
pol = xfrm_migrate_policy_find(sel, dir, type, net, if_id);
|
|
|
|
|
if (!pol) {
|
2022-11-24 14:43:42 +00:00
|
|
|
NL_SET_ERR_MSG(extack, "Target policy not found");
|
2007-02-08 21:11:42 +00:00
|
|
|
err = -ENOENT;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Stage 2 - find and update state(s) */
|
|
|
|
|
for (i = 0, mp = m; i < num_migrate; i++, mp++) {
|
xfrm: Check if_id in xfrm_migrate
This patch enables distinguishing SAs and SPs based on if_id during
the xfrm_migrate flow. This ensures support for xfrm interfaces
throughout the SA/SP lifecycle.
When there are multiple existing SPs with the same direction,
the same xfrm_selector and different endpoint addresses,
xfrm_migrate might fail with ENODATA.
Specifically, the code path for performing xfrm_migrate is:
Stage 1: find policy to migrate with
xfrm_migrate_policy_find(sel, dir, type, net)
Stage 2: find and update state(s) with
xfrm_migrate_state_find(mp, net)
Stage 3: update endpoint address(es) of template(s) with
xfrm_policy_migrate(pol, m, num_migrate)
Currently "Stage 1" always returns the first xfrm_policy that
matches, and "Stage 3" looks for the xfrm_tmpl that matches the
old endpoint address. Thus if there are multiple xfrm_policy
with same selector, direction, type and net, "Stage 1" might
rertun a wrong xfrm_policy and "Stage 3" will fail with ENODATA
because it cannot find a xfrm_tmpl with the matching endpoint
address.
The fix is to allow userspace to pass an if_id and add if_id
to the matching rule in Stage 1 and Stage 2 since if_id is a
unique ID for xfrm_policy and xfrm_state. For compatibility,
if_id will only be checked if the attribute is set.
Tested with additions to Android's kernel unit test suite:
https://android-review.googlesource.com/c/kernel/tests/+/1668886
Signed-off-by: Yan Yan <evitayan@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2022-01-19 00:00:13 +00:00
|
|
|
if ((x = xfrm_migrate_state_find(mp, net, if_id))) {
|
2007-02-08 21:11:42 +00:00
|
|
|
x_cur[nx_cur] = x;
|
|
|
|
|
nx_cur++;
|
2017-06-06 10:12:13 +00:00
|
|
|
xc = xfrm_state_migrate(x, mp, encap);
|
|
|
|
|
if (xc) {
|
2007-02-08 21:11:42 +00:00
|
|
|
x_new[nx_new] = xc;
|
|
|
|
|
nx_new++;
|
|
|
|
|
} else {
|
|
|
|
|
err = -ENODATA;
|
|
|
|
|
goto restore_state;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Stage 3 - update policy */
|
2022-11-24 14:43:42 +00:00
|
|
|
err = xfrm_policy_migrate(pol, m, num_migrate, extack);
|
2022-11-24 14:43:38 +00:00
|
|
|
if (err < 0)
|
2007-02-08 21:11:42 +00:00
|
|
|
goto restore_state;
|
|
|
|
|
|
|
|
|
|
/* Stage 4 - delete old state(s) */
|
|
|
|
|
if (nx_cur) {
|
|
|
|
|
xfrm_states_put(x_cur, nx_cur);
|
|
|
|
|
xfrm_states_delete(x_cur, nx_cur);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Stage 5 - announce */
|
2017-06-06 10:12:14 +00:00
|
|
|
km_migrate(sel, dir, type, m, num_migrate, k, encap);
|
2007-02-08 21:11:42 +00:00
|
|
|
|
|
|
|
|
xfrm_pol_put(pol);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
out:
|
|
|
|
|
return err;
|
|
|
|
|
|
|
|
|
|
restore_state:
|
|
|
|
|
if (pol)
|
|
|
|
|
xfrm_pol_put(pol);
|
|
|
|
|
if (nx_cur)
|
|
|
|
|
xfrm_states_put(x_cur, nx_cur);
|
|
|
|
|
if (nx_new)
|
|
|
|
|
xfrm_states_delete(x_new, nx_new);
|
|
|
|
|
|
|
|
|
|
return err;
|
|
|
|
|
}
|
2007-02-08 21:29:15 +00:00
|
|
|
EXPORT_SYMBOL(xfrm_migrate);
|
2007-02-08 21:11:42 +00:00
|
|
|
#endif
|