xfrm_interface.c (23531B)
1// SPDX-License-Identifier: GPL-2.0 2/* 3 * XFRM virtual interface 4 * 5 * Copyright (C) 2018 secunet Security Networks AG 6 * 7 * Author: 8 * Steffen Klassert <steffen.klassert@secunet.com> 9 */ 10 11#include <linux/module.h> 12#include <linux/capability.h> 13#include <linux/errno.h> 14#include <linux/types.h> 15#include <linux/sockios.h> 16#include <linux/icmp.h> 17#include <linux/if.h> 18#include <linux/in.h> 19#include <linux/ip.h> 20#include <linux/net.h> 21#include <linux/in6.h> 22#include <linux/netdevice.h> 23#include <linux/if_link.h> 24#include <linux/if_arp.h> 25#include <linux/icmpv6.h> 26#include <linux/init.h> 27#include <linux/route.h> 28#include <linux/rtnetlink.h> 29#include <linux/netfilter_ipv6.h> 30#include <linux/slab.h> 31#include <linux/hash.h> 32 33#include <linux/uaccess.h> 34#include <linux/atomic.h> 35 36#include <net/icmp.h> 37#include <net/ip.h> 38#include <net/ipv6.h> 39#include <net/ip6_route.h> 40#include <net/ip_tunnels.h> 41#include <net/addrconf.h> 42#include <net/xfrm.h> 43#include <net/net_namespace.h> 44#include <net/netns/generic.h> 45#include <linux/etherdevice.h> 46 47static int xfrmi_dev_init(struct net_device *dev); 48static void xfrmi_dev_setup(struct net_device *dev); 49static struct rtnl_link_ops xfrmi_link_ops __read_mostly; 50static unsigned int xfrmi_net_id __read_mostly; 51static const struct net_device_ops xfrmi_netdev_ops; 52 53#define XFRMI_HASH_BITS 8 54#define XFRMI_HASH_SIZE BIT(XFRMI_HASH_BITS) 55 56struct xfrmi_net { 57 /* lists for storing interfaces in use */ 58 struct xfrm_if __rcu *xfrmi[XFRMI_HASH_SIZE]; 59}; 60 61#define for_each_xfrmi_rcu(start, xi) \ 62 for (xi = rcu_dereference(start); xi; xi = rcu_dereference(xi->next)) 63 64static u32 xfrmi_hash(u32 if_id) 65{ 66 return hash_32(if_id, XFRMI_HASH_BITS); 67} 68 69static struct xfrm_if *xfrmi_lookup(struct net *net, struct xfrm_state *x) 70{ 71 struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id); 72 struct xfrm_if *xi; 73 74 for_each_xfrmi_rcu(xfrmn->xfrmi[xfrmi_hash(x->if_id)], xi) { 75 if (x->if_id == xi->p.if_id && 76 (xi->dev->flags & IFF_UP)) 77 return xi; 78 } 79 80 return NULL; 81} 82 83static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb, 84 unsigned short family) 85{ 86 struct net_device *dev; 87 int ifindex = 0; 88 89 if (!secpath_exists(skb) || !skb->dev) 90 return NULL; 91 92 switch (family) { 93 case AF_INET6: 94 ifindex = inet6_sdif(skb); 95 break; 96 case AF_INET: 97 ifindex = inet_sdif(skb); 98 break; 99 } 100 101 if (ifindex) { 102 struct net *net = xs_net(xfrm_input_state(skb)); 103 104 dev = dev_get_by_index_rcu(net, ifindex); 105 } else { 106 dev = skb->dev; 107 } 108 109 if (!dev || !(dev->flags & IFF_UP)) 110 return NULL; 111 if (dev->netdev_ops != &xfrmi_netdev_ops) 112 return NULL; 113 114 return netdev_priv(dev); 115} 116 117static void xfrmi_link(struct xfrmi_net *xfrmn, struct xfrm_if *xi) 118{ 119 struct xfrm_if __rcu **xip = &xfrmn->xfrmi[xfrmi_hash(xi->p.if_id)]; 120 121 rcu_assign_pointer(xi->next , rtnl_dereference(*xip)); 122 rcu_assign_pointer(*xip, xi); 123} 124 125static void xfrmi_unlink(struct xfrmi_net *xfrmn, struct xfrm_if *xi) 126{ 127 struct xfrm_if __rcu **xip; 128 struct xfrm_if *iter; 129 130 for (xip = &xfrmn->xfrmi[xfrmi_hash(xi->p.if_id)]; 131 (iter = rtnl_dereference(*xip)) != NULL; 132 xip = &iter->next) { 133 if (xi == iter) { 134 rcu_assign_pointer(*xip, xi->next); 135 break; 136 } 137 } 138} 139 140static void xfrmi_dev_free(struct net_device *dev) 141{ 142 struct xfrm_if *xi = netdev_priv(dev); 143 144 gro_cells_destroy(&xi->gro_cells); 145 free_percpu(dev->tstats); 146} 147 148static int xfrmi_create(struct net_device *dev) 149{ 150 struct xfrm_if *xi = netdev_priv(dev); 151 struct net *net = dev_net(dev); 152 struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id); 153 int err; 154 155 dev->rtnl_link_ops = &xfrmi_link_ops; 156 err = register_netdevice(dev); 157 if (err < 0) 158 goto out; 159 160 xfrmi_link(xfrmn, xi); 161 162 return 0; 163 164out: 165 return err; 166} 167 168static struct xfrm_if *xfrmi_locate(struct net *net, struct xfrm_if_parms *p) 169{ 170 struct xfrm_if __rcu **xip; 171 struct xfrm_if *xi; 172 struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id); 173 174 for (xip = &xfrmn->xfrmi[xfrmi_hash(p->if_id)]; 175 (xi = rtnl_dereference(*xip)) != NULL; 176 xip = &xi->next) 177 if (xi->p.if_id == p->if_id) 178 return xi; 179 180 return NULL; 181} 182 183static void xfrmi_dev_uninit(struct net_device *dev) 184{ 185 struct xfrm_if *xi = netdev_priv(dev); 186 struct xfrmi_net *xfrmn = net_generic(xi->net, xfrmi_net_id); 187 188 xfrmi_unlink(xfrmn, xi); 189} 190 191static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet) 192{ 193 skb_clear_tstamp(skb); 194 skb->pkt_type = PACKET_HOST; 195 skb->skb_iif = 0; 196 skb->ignore_df = 0; 197 skb_dst_drop(skb); 198 nf_reset_ct(skb); 199 nf_reset_trace(skb); 200 201 if (!xnet) 202 return; 203 204 ipvs_reset(skb); 205 secpath_reset(skb); 206 skb_orphan(skb); 207 skb->mark = 0; 208} 209 210static int xfrmi_rcv_cb(struct sk_buff *skb, int err) 211{ 212 const struct xfrm_mode *inner_mode; 213 struct net_device *dev; 214 struct xfrm_state *x; 215 struct xfrm_if *xi; 216 bool xnet; 217 218 if (err && !secpath_exists(skb)) 219 return 0; 220 221 x = xfrm_input_state(skb); 222 223 xi = xfrmi_lookup(xs_net(x), x); 224 if (!xi) 225 return 1; 226 227 dev = xi->dev; 228 skb->dev = dev; 229 230 if (err) { 231 dev->stats.rx_errors++; 232 dev->stats.rx_dropped++; 233 234 return 0; 235 } 236 237 xnet = !net_eq(xi->net, dev_net(skb->dev)); 238 239 if (xnet) { 240 inner_mode = &x->inner_mode; 241 242 if (x->sel.family == AF_UNSPEC) { 243 inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol); 244 if (inner_mode == NULL) { 245 XFRM_INC_STATS(dev_net(skb->dev), 246 LINUX_MIB_XFRMINSTATEMODEERROR); 247 return -EINVAL; 248 } 249 } 250 251 if (!xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, 252 inner_mode->family)) 253 return -EPERM; 254 } 255 256 xfrmi_scrub_packet(skb, xnet); 257 dev_sw_netstats_rx_add(dev, skb->len); 258 259 return 0; 260} 261 262static int 263xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl) 264{ 265 struct xfrm_if *xi = netdev_priv(dev); 266 struct net_device_stats *stats = &xi->dev->stats; 267 struct dst_entry *dst = skb_dst(skb); 268 unsigned int length = skb->len; 269 struct net_device *tdev; 270 struct xfrm_state *x; 271 int err = -1; 272 int mtu; 273 274 dst_hold(dst); 275 dst = xfrm_lookup_with_ifid(xi->net, dst, fl, NULL, 0, xi->p.if_id); 276 if (IS_ERR(dst)) { 277 err = PTR_ERR(dst); 278 dst = NULL; 279 goto tx_err_link_failure; 280 } 281 282 x = dst->xfrm; 283 if (!x) 284 goto tx_err_link_failure; 285 286 if (x->if_id != xi->p.if_id) 287 goto tx_err_link_failure; 288 289 tdev = dst->dev; 290 291 if (tdev == dev) { 292 stats->collisions++; 293 net_warn_ratelimited("%s: Local routing loop detected!\n", 294 dev->name); 295 goto tx_err_dst_release; 296 } 297 298 mtu = dst_mtu(dst); 299 if ((!skb_is_gso(skb) && skb->len > mtu) || 300 (skb_is_gso(skb) && !skb_gso_validate_network_len(skb, mtu))) { 301 skb_dst_update_pmtu_no_confirm(skb, mtu); 302 303 if (skb->protocol == htons(ETH_P_IPV6)) { 304 if (mtu < IPV6_MIN_MTU) 305 mtu = IPV6_MIN_MTU; 306 307 if (skb->len > 1280) 308 icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); 309 else 310 goto xmit; 311 } else { 312 if (!(ip_hdr(skb)->frag_off & htons(IP_DF))) 313 goto xmit; 314 icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 315 htonl(mtu)); 316 } 317 318 dst_release(dst); 319 return -EMSGSIZE; 320 } 321 322xmit: 323 xfrmi_scrub_packet(skb, !net_eq(xi->net, dev_net(dev))); 324 skb_dst_set(skb, dst); 325 skb->dev = tdev; 326 327 err = dst_output(xi->net, skb->sk, skb); 328 if (net_xmit_eval(err) == 0) { 329 dev_sw_netstats_tx_add(dev, 1, length); 330 } else { 331 stats->tx_errors++; 332 stats->tx_aborted_errors++; 333 } 334 335 return 0; 336tx_err_link_failure: 337 stats->tx_carrier_errors++; 338 dst_link_failure(skb); 339tx_err_dst_release: 340 dst_release(dst); 341 return err; 342} 343 344static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev) 345{ 346 struct xfrm_if *xi = netdev_priv(dev); 347 struct net_device_stats *stats = &xi->dev->stats; 348 struct dst_entry *dst = skb_dst(skb); 349 struct flowi fl; 350 int ret; 351 352 memset(&fl, 0, sizeof(fl)); 353 354 switch (skb->protocol) { 355 case htons(ETH_P_IPV6): 356 xfrm_decode_session(skb, &fl, AF_INET6); 357 memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); 358 if (!dst) { 359 fl.u.ip6.flowi6_oif = dev->ifindex; 360 fl.u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC; 361 dst = ip6_route_output(dev_net(dev), NULL, &fl.u.ip6); 362 if (dst->error) { 363 dst_release(dst); 364 stats->tx_carrier_errors++; 365 goto tx_err; 366 } 367 skb_dst_set(skb, dst); 368 } 369 break; 370 case htons(ETH_P_IP): 371 xfrm_decode_session(skb, &fl, AF_INET); 372 memset(IPCB(skb), 0, sizeof(*IPCB(skb))); 373 if (!dst) { 374 struct rtable *rt; 375 376 fl.u.ip4.flowi4_oif = dev->ifindex; 377 fl.u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC; 378 rt = __ip_route_output_key(dev_net(dev), &fl.u.ip4); 379 if (IS_ERR(rt)) { 380 stats->tx_carrier_errors++; 381 goto tx_err; 382 } 383 skb_dst_set(skb, &rt->dst); 384 } 385 break; 386 default: 387 goto tx_err; 388 } 389 390 fl.flowi_oif = xi->p.link; 391 392 ret = xfrmi_xmit2(skb, dev, &fl); 393 if (ret < 0) 394 goto tx_err; 395 396 return NETDEV_TX_OK; 397 398tx_err: 399 stats->tx_errors++; 400 stats->tx_dropped++; 401 kfree_skb(skb); 402 return NETDEV_TX_OK; 403} 404 405static int xfrmi4_err(struct sk_buff *skb, u32 info) 406{ 407 const struct iphdr *iph = (const struct iphdr *)skb->data; 408 struct net *net = dev_net(skb->dev); 409 int protocol = iph->protocol; 410 struct ip_comp_hdr *ipch; 411 struct ip_esp_hdr *esph; 412 struct ip_auth_hdr *ah ; 413 struct xfrm_state *x; 414 struct xfrm_if *xi; 415 __be32 spi; 416 417 switch (protocol) { 418 case IPPROTO_ESP: 419 esph = (struct ip_esp_hdr *)(skb->data+(iph->ihl<<2)); 420 spi = esph->spi; 421 break; 422 case IPPROTO_AH: 423 ah = (struct ip_auth_hdr *)(skb->data+(iph->ihl<<2)); 424 spi = ah->spi; 425 break; 426 case IPPROTO_COMP: 427 ipch = (struct ip_comp_hdr *)(skb->data+(iph->ihl<<2)); 428 spi = htonl(ntohs(ipch->cpi)); 429 break; 430 default: 431 return 0; 432 } 433 434 switch (icmp_hdr(skb)->type) { 435 case ICMP_DEST_UNREACH: 436 if (icmp_hdr(skb)->code != ICMP_FRAG_NEEDED) 437 return 0; 438 break; 439 case ICMP_REDIRECT: 440 break; 441 default: 442 return 0; 443 } 444 445 x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr, 446 spi, protocol, AF_INET); 447 if (!x) 448 return 0; 449 450 xi = xfrmi_lookup(net, x); 451 if (!xi) { 452 xfrm_state_put(x); 453 return -1; 454 } 455 456 if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH) 457 ipv4_update_pmtu(skb, net, info, 0, protocol); 458 else 459 ipv4_redirect(skb, net, 0, protocol); 460 xfrm_state_put(x); 461 462 return 0; 463} 464 465static int xfrmi6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, 466 u8 type, u8 code, int offset, __be32 info) 467{ 468 const struct ipv6hdr *iph = (const struct ipv6hdr *)skb->data; 469 struct net *net = dev_net(skb->dev); 470 int protocol = iph->nexthdr; 471 struct ip_comp_hdr *ipch; 472 struct ip_esp_hdr *esph; 473 struct ip_auth_hdr *ah; 474 struct xfrm_state *x; 475 struct xfrm_if *xi; 476 __be32 spi; 477 478 switch (protocol) { 479 case IPPROTO_ESP: 480 esph = (struct ip_esp_hdr *)(skb->data + offset); 481 spi = esph->spi; 482 break; 483 case IPPROTO_AH: 484 ah = (struct ip_auth_hdr *)(skb->data + offset); 485 spi = ah->spi; 486 break; 487 case IPPROTO_COMP: 488 ipch = (struct ip_comp_hdr *)(skb->data + offset); 489 spi = htonl(ntohs(ipch->cpi)); 490 break; 491 default: 492 return 0; 493 } 494 495 if (type != ICMPV6_PKT_TOOBIG && 496 type != NDISC_REDIRECT) 497 return 0; 498 499 x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr, 500 spi, protocol, AF_INET6); 501 if (!x) 502 return 0; 503 504 xi = xfrmi_lookup(net, x); 505 if (!xi) { 506 xfrm_state_put(x); 507 return -1; 508 } 509 510 if (type == NDISC_REDIRECT) 511 ip6_redirect(skb, net, skb->dev->ifindex, 0, 512 sock_net_uid(net, NULL)); 513 else 514 ip6_update_pmtu(skb, net, info, 0, 0, sock_net_uid(net, NULL)); 515 xfrm_state_put(x); 516 517 return 0; 518} 519 520static int xfrmi_change(struct xfrm_if *xi, const struct xfrm_if_parms *p) 521{ 522 if (xi->p.link != p->link) 523 return -EINVAL; 524 525 xi->p.if_id = p->if_id; 526 527 return 0; 528} 529 530static int xfrmi_update(struct xfrm_if *xi, struct xfrm_if_parms *p) 531{ 532 struct net *net = xi->net; 533 struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id); 534 int err; 535 536 xfrmi_unlink(xfrmn, xi); 537 synchronize_net(); 538 err = xfrmi_change(xi, p); 539 xfrmi_link(xfrmn, xi); 540 netdev_state_change(xi->dev); 541 return err; 542} 543 544static int xfrmi_get_iflink(const struct net_device *dev) 545{ 546 struct xfrm_if *xi = netdev_priv(dev); 547 548 return xi->p.link; 549} 550 551static const struct net_device_ops xfrmi_netdev_ops = { 552 .ndo_init = xfrmi_dev_init, 553 .ndo_uninit = xfrmi_dev_uninit, 554 .ndo_start_xmit = xfrmi_xmit, 555 .ndo_get_stats64 = dev_get_tstats64, 556 .ndo_get_iflink = xfrmi_get_iflink, 557}; 558 559static void xfrmi_dev_setup(struct net_device *dev) 560{ 561 dev->netdev_ops = &xfrmi_netdev_ops; 562 dev->header_ops = &ip_tunnel_header_ops; 563 dev->type = ARPHRD_NONE; 564 dev->mtu = ETH_DATA_LEN; 565 dev->min_mtu = ETH_MIN_MTU; 566 dev->max_mtu = IP_MAX_MTU; 567 dev->flags = IFF_NOARP; 568 dev->needs_free_netdev = true; 569 dev->priv_destructor = xfrmi_dev_free; 570 netif_keep_dst(dev); 571 572 eth_broadcast_addr(dev->broadcast); 573} 574 575#define XFRMI_FEATURES (NETIF_F_SG | \ 576 NETIF_F_FRAGLIST | \ 577 NETIF_F_GSO_SOFTWARE | \ 578 NETIF_F_HW_CSUM) 579 580static int xfrmi_dev_init(struct net_device *dev) 581{ 582 struct xfrm_if *xi = netdev_priv(dev); 583 struct net_device *phydev = __dev_get_by_index(xi->net, xi->p.link); 584 int err; 585 586 dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats); 587 if (!dev->tstats) 588 return -ENOMEM; 589 590 err = gro_cells_init(&xi->gro_cells, dev); 591 if (err) { 592 free_percpu(dev->tstats); 593 return err; 594 } 595 596 dev->features |= NETIF_F_LLTX; 597 dev->features |= XFRMI_FEATURES; 598 dev->hw_features |= XFRMI_FEATURES; 599 600 if (phydev) { 601 dev->needed_headroom = phydev->needed_headroom; 602 dev->needed_tailroom = phydev->needed_tailroom; 603 604 if (is_zero_ether_addr(dev->dev_addr)) 605 eth_hw_addr_inherit(dev, phydev); 606 if (is_zero_ether_addr(dev->broadcast)) 607 memcpy(dev->broadcast, phydev->broadcast, 608 dev->addr_len); 609 } else { 610 eth_hw_addr_random(dev); 611 eth_broadcast_addr(dev->broadcast); 612 } 613 614 return 0; 615} 616 617static int xfrmi_validate(struct nlattr *tb[], struct nlattr *data[], 618 struct netlink_ext_ack *extack) 619{ 620 return 0; 621} 622 623static void xfrmi_netlink_parms(struct nlattr *data[], 624 struct xfrm_if_parms *parms) 625{ 626 memset(parms, 0, sizeof(*parms)); 627 628 if (!data) 629 return; 630 631 if (data[IFLA_XFRM_LINK]) 632 parms->link = nla_get_u32(data[IFLA_XFRM_LINK]); 633 634 if (data[IFLA_XFRM_IF_ID]) 635 parms->if_id = nla_get_u32(data[IFLA_XFRM_IF_ID]); 636} 637 638static int xfrmi_newlink(struct net *src_net, struct net_device *dev, 639 struct nlattr *tb[], struct nlattr *data[], 640 struct netlink_ext_ack *extack) 641{ 642 struct net *net = dev_net(dev); 643 struct xfrm_if_parms p = {}; 644 struct xfrm_if *xi; 645 int err; 646 647 xfrmi_netlink_parms(data, &p); 648 if (!p.if_id) { 649 NL_SET_ERR_MSG(extack, "if_id must be non zero"); 650 return -EINVAL; 651 } 652 653 xi = xfrmi_locate(net, &p); 654 if (xi) 655 return -EEXIST; 656 657 xi = netdev_priv(dev); 658 xi->p = p; 659 xi->net = net; 660 xi->dev = dev; 661 662 err = xfrmi_create(dev); 663 return err; 664} 665 666static void xfrmi_dellink(struct net_device *dev, struct list_head *head) 667{ 668 unregister_netdevice_queue(dev, head); 669} 670 671static int xfrmi_changelink(struct net_device *dev, struct nlattr *tb[], 672 struct nlattr *data[], 673 struct netlink_ext_ack *extack) 674{ 675 struct xfrm_if *xi = netdev_priv(dev); 676 struct net *net = xi->net; 677 struct xfrm_if_parms p = {}; 678 679 xfrmi_netlink_parms(data, &p); 680 if (!p.if_id) { 681 NL_SET_ERR_MSG(extack, "if_id must be non zero"); 682 return -EINVAL; 683 } 684 685 xi = xfrmi_locate(net, &p); 686 if (!xi) { 687 xi = netdev_priv(dev); 688 } else { 689 if (xi->dev != dev) 690 return -EEXIST; 691 } 692 693 return xfrmi_update(xi, &p); 694} 695 696static size_t xfrmi_get_size(const struct net_device *dev) 697{ 698 return 699 /* IFLA_XFRM_LINK */ 700 nla_total_size(4) + 701 /* IFLA_XFRM_IF_ID */ 702 nla_total_size(4) + 703 0; 704} 705 706static int xfrmi_fill_info(struct sk_buff *skb, const struct net_device *dev) 707{ 708 struct xfrm_if *xi = netdev_priv(dev); 709 struct xfrm_if_parms *parm = &xi->p; 710 711 if (nla_put_u32(skb, IFLA_XFRM_LINK, parm->link) || 712 nla_put_u32(skb, IFLA_XFRM_IF_ID, parm->if_id)) 713 goto nla_put_failure; 714 return 0; 715 716nla_put_failure: 717 return -EMSGSIZE; 718} 719 720static struct net *xfrmi_get_link_net(const struct net_device *dev) 721{ 722 struct xfrm_if *xi = netdev_priv(dev); 723 724 return xi->net; 725} 726 727static const struct nla_policy xfrmi_policy[IFLA_XFRM_MAX + 1] = { 728 [IFLA_XFRM_LINK] = { .type = NLA_U32 }, 729 [IFLA_XFRM_IF_ID] = { .type = NLA_U32 }, 730}; 731 732static struct rtnl_link_ops xfrmi_link_ops __read_mostly = { 733 .kind = "xfrm", 734 .maxtype = IFLA_XFRM_MAX, 735 .policy = xfrmi_policy, 736 .priv_size = sizeof(struct xfrm_if), 737 .setup = xfrmi_dev_setup, 738 .validate = xfrmi_validate, 739 .newlink = xfrmi_newlink, 740 .dellink = xfrmi_dellink, 741 .changelink = xfrmi_changelink, 742 .get_size = xfrmi_get_size, 743 .fill_info = xfrmi_fill_info, 744 .get_link_net = xfrmi_get_link_net, 745}; 746 747static void __net_exit xfrmi_exit_batch_net(struct list_head *net_exit_list) 748{ 749 struct net *net; 750 LIST_HEAD(list); 751 752 rtnl_lock(); 753 list_for_each_entry(net, net_exit_list, exit_list) { 754 struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id); 755 struct xfrm_if __rcu **xip; 756 struct xfrm_if *xi; 757 int i; 758 759 for (i = 0; i < XFRMI_HASH_SIZE; i++) { 760 for (xip = &xfrmn->xfrmi[i]; 761 (xi = rtnl_dereference(*xip)) != NULL; 762 xip = &xi->next) 763 unregister_netdevice_queue(xi->dev, &list); 764 } 765 } 766 unregister_netdevice_many(&list); 767 rtnl_unlock(); 768} 769 770static struct pernet_operations xfrmi_net_ops = { 771 .exit_batch = xfrmi_exit_batch_net, 772 .id = &xfrmi_net_id, 773 .size = sizeof(struct xfrmi_net), 774}; 775 776static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = { 777 .handler = xfrm6_rcv, 778 .input_handler = xfrm_input, 779 .cb_handler = xfrmi_rcv_cb, 780 .err_handler = xfrmi6_err, 781 .priority = 10, 782}; 783 784static struct xfrm6_protocol xfrmi_ah6_protocol __read_mostly = { 785 .handler = xfrm6_rcv, 786 .input_handler = xfrm_input, 787 .cb_handler = xfrmi_rcv_cb, 788 .err_handler = xfrmi6_err, 789 .priority = 10, 790}; 791 792static struct xfrm6_protocol xfrmi_ipcomp6_protocol __read_mostly = { 793 .handler = xfrm6_rcv, 794 .input_handler = xfrm_input, 795 .cb_handler = xfrmi_rcv_cb, 796 .err_handler = xfrmi6_err, 797 .priority = 10, 798}; 799 800#if IS_REACHABLE(CONFIG_INET6_XFRM_TUNNEL) 801static int xfrmi6_rcv_tunnel(struct sk_buff *skb) 802{ 803 const xfrm_address_t *saddr; 804 __be32 spi; 805 806 saddr = (const xfrm_address_t *)&ipv6_hdr(skb)->saddr; 807 spi = xfrm6_tunnel_spi_lookup(dev_net(skb->dev), saddr); 808 809 return xfrm6_rcv_spi(skb, IPPROTO_IPV6, spi, NULL); 810} 811 812static struct xfrm6_tunnel xfrmi_ipv6_handler __read_mostly = { 813 .handler = xfrmi6_rcv_tunnel, 814 .cb_handler = xfrmi_rcv_cb, 815 .err_handler = xfrmi6_err, 816 .priority = 2, 817}; 818 819static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = { 820 .handler = xfrmi6_rcv_tunnel, 821 .cb_handler = xfrmi_rcv_cb, 822 .err_handler = xfrmi6_err, 823 .priority = 2, 824}; 825#endif 826 827static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = { 828 .handler = xfrm4_rcv, 829 .input_handler = xfrm_input, 830 .cb_handler = xfrmi_rcv_cb, 831 .err_handler = xfrmi4_err, 832 .priority = 10, 833}; 834 835static struct xfrm4_protocol xfrmi_ah4_protocol __read_mostly = { 836 .handler = xfrm4_rcv, 837 .input_handler = xfrm_input, 838 .cb_handler = xfrmi_rcv_cb, 839 .err_handler = xfrmi4_err, 840 .priority = 10, 841}; 842 843static struct xfrm4_protocol xfrmi_ipcomp4_protocol __read_mostly = { 844 .handler = xfrm4_rcv, 845 .input_handler = xfrm_input, 846 .cb_handler = xfrmi_rcv_cb, 847 .err_handler = xfrmi4_err, 848 .priority = 10, 849}; 850 851#if IS_REACHABLE(CONFIG_INET_XFRM_TUNNEL) 852static int xfrmi4_rcv_tunnel(struct sk_buff *skb) 853{ 854 return xfrm4_rcv_spi(skb, IPPROTO_IPIP, ip_hdr(skb)->saddr); 855} 856 857static struct xfrm_tunnel xfrmi_ipip_handler __read_mostly = { 858 .handler = xfrmi4_rcv_tunnel, 859 .cb_handler = xfrmi_rcv_cb, 860 .err_handler = xfrmi4_err, 861 .priority = 3, 862}; 863 864static struct xfrm_tunnel xfrmi_ipip6_handler __read_mostly = { 865 .handler = xfrmi4_rcv_tunnel, 866 .cb_handler = xfrmi_rcv_cb, 867 .err_handler = xfrmi4_err, 868 .priority = 2, 869}; 870#endif 871 872static int __init xfrmi4_init(void) 873{ 874 int err; 875 876 err = xfrm4_protocol_register(&xfrmi_esp4_protocol, IPPROTO_ESP); 877 if (err < 0) 878 goto xfrm_proto_esp_failed; 879 err = xfrm4_protocol_register(&xfrmi_ah4_protocol, IPPROTO_AH); 880 if (err < 0) 881 goto xfrm_proto_ah_failed; 882 err = xfrm4_protocol_register(&xfrmi_ipcomp4_protocol, IPPROTO_COMP); 883 if (err < 0) 884 goto xfrm_proto_comp_failed; 885#if IS_REACHABLE(CONFIG_INET_XFRM_TUNNEL) 886 err = xfrm4_tunnel_register(&xfrmi_ipip_handler, AF_INET); 887 if (err < 0) 888 goto xfrm_tunnel_ipip_failed; 889 err = xfrm4_tunnel_register(&xfrmi_ipip6_handler, AF_INET6); 890 if (err < 0) 891 goto xfrm_tunnel_ipip6_failed; 892#endif 893 894 return 0; 895 896#if IS_REACHABLE(CONFIG_INET_XFRM_TUNNEL) 897xfrm_tunnel_ipip6_failed: 898 xfrm4_tunnel_deregister(&xfrmi_ipip_handler, AF_INET); 899xfrm_tunnel_ipip_failed: 900 xfrm4_protocol_deregister(&xfrmi_ipcomp4_protocol, IPPROTO_COMP); 901#endif 902xfrm_proto_comp_failed: 903 xfrm4_protocol_deregister(&xfrmi_ah4_protocol, IPPROTO_AH); 904xfrm_proto_ah_failed: 905 xfrm4_protocol_deregister(&xfrmi_esp4_protocol, IPPROTO_ESP); 906xfrm_proto_esp_failed: 907 return err; 908} 909 910static void xfrmi4_fini(void) 911{ 912#if IS_REACHABLE(CONFIG_INET_XFRM_TUNNEL) 913 xfrm4_tunnel_deregister(&xfrmi_ipip6_handler, AF_INET6); 914 xfrm4_tunnel_deregister(&xfrmi_ipip_handler, AF_INET); 915#endif 916 xfrm4_protocol_deregister(&xfrmi_ipcomp4_protocol, IPPROTO_COMP); 917 xfrm4_protocol_deregister(&xfrmi_ah4_protocol, IPPROTO_AH); 918 xfrm4_protocol_deregister(&xfrmi_esp4_protocol, IPPROTO_ESP); 919} 920 921static int __init xfrmi6_init(void) 922{ 923 int err; 924 925 err = xfrm6_protocol_register(&xfrmi_esp6_protocol, IPPROTO_ESP); 926 if (err < 0) 927 goto xfrm_proto_esp_failed; 928 err = xfrm6_protocol_register(&xfrmi_ah6_protocol, IPPROTO_AH); 929 if (err < 0) 930 goto xfrm_proto_ah_failed; 931 err = xfrm6_protocol_register(&xfrmi_ipcomp6_protocol, IPPROTO_COMP); 932 if (err < 0) 933 goto xfrm_proto_comp_failed; 934#if IS_REACHABLE(CONFIG_INET6_XFRM_TUNNEL) 935 err = xfrm6_tunnel_register(&xfrmi_ipv6_handler, AF_INET6); 936 if (err < 0) 937 goto xfrm_tunnel_ipv6_failed; 938 err = xfrm6_tunnel_register(&xfrmi_ip6ip_handler, AF_INET); 939 if (err < 0) 940 goto xfrm_tunnel_ip6ip_failed; 941#endif 942 943 return 0; 944 945#if IS_REACHABLE(CONFIG_INET6_XFRM_TUNNEL) 946xfrm_tunnel_ip6ip_failed: 947 xfrm6_tunnel_deregister(&xfrmi_ipv6_handler, AF_INET6); 948xfrm_tunnel_ipv6_failed: 949 xfrm6_protocol_deregister(&xfrmi_ipcomp6_protocol, IPPROTO_COMP); 950#endif 951xfrm_proto_comp_failed: 952 xfrm6_protocol_deregister(&xfrmi_ah6_protocol, IPPROTO_AH); 953xfrm_proto_ah_failed: 954 xfrm6_protocol_deregister(&xfrmi_esp6_protocol, IPPROTO_ESP); 955xfrm_proto_esp_failed: 956 return err; 957} 958 959static void xfrmi6_fini(void) 960{ 961#if IS_REACHABLE(CONFIG_INET6_XFRM_TUNNEL) 962 xfrm6_tunnel_deregister(&xfrmi_ip6ip_handler, AF_INET); 963 xfrm6_tunnel_deregister(&xfrmi_ipv6_handler, AF_INET6); 964#endif 965 xfrm6_protocol_deregister(&xfrmi_ipcomp6_protocol, IPPROTO_COMP); 966 xfrm6_protocol_deregister(&xfrmi_ah6_protocol, IPPROTO_AH); 967 xfrm6_protocol_deregister(&xfrmi_esp6_protocol, IPPROTO_ESP); 968} 969 970static const struct xfrm_if_cb xfrm_if_cb = { 971 .decode_session = xfrmi_decode_session, 972}; 973 974static int __init xfrmi_init(void) 975{ 976 const char *msg; 977 int err; 978 979 pr_info("IPsec XFRM device driver\n"); 980 981 msg = "tunnel device"; 982 err = register_pernet_device(&xfrmi_net_ops); 983 if (err < 0) 984 goto pernet_dev_failed; 985 986 msg = "xfrm4 protocols"; 987 err = xfrmi4_init(); 988 if (err < 0) 989 goto xfrmi4_failed; 990 991 msg = "xfrm6 protocols"; 992 err = xfrmi6_init(); 993 if (err < 0) 994 goto xfrmi6_failed; 995 996 997 msg = "netlink interface"; 998 err = rtnl_link_register(&xfrmi_link_ops); 999 if (err < 0) 1000 goto rtnl_link_failed; 1001 1002 xfrm_if_register_cb(&xfrm_if_cb); 1003 1004 return err; 1005 1006rtnl_link_failed: 1007 xfrmi6_fini(); 1008xfrmi6_failed: 1009 xfrmi4_fini(); 1010xfrmi4_failed: 1011 unregister_pernet_device(&xfrmi_net_ops); 1012pernet_dev_failed: 1013 pr_err("xfrmi init: failed to register %s\n", msg); 1014 return err; 1015} 1016 1017static void __exit xfrmi_fini(void) 1018{ 1019 xfrm_if_unregister_cb(); 1020 rtnl_link_unregister(&xfrmi_link_ops); 1021 xfrmi4_fini(); 1022 xfrmi6_fini(); 1023 unregister_pernet_device(&xfrmi_net_ops); 1024} 1025 1026module_init(xfrmi_init); 1027module_exit(xfrmi_fini); 1028MODULE_LICENSE("GPL"); 1029MODULE_ALIAS_RTNL_LINK("xfrm"); 1030MODULE_ALIAS_NETDEV("xfrm0"); 1031MODULE_AUTHOR("Steffen Klassert"); 1032MODULE_DESCRIPTION("XFRM virtual interface");