net/xfrm/xfrm_interface.c at v5.0 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / net / xfrm / xfrm_interface.c
at v5.0 975 lines 21 kB view raw
  1// SPDX-License-Identifier: GPL-2.0
  2/*
  3 *	XFRM virtual interface
  4 *
  5 *	Copyright (C) 2018 secunet Security Networks AG
  6 *
  7 *	Author:
  8 *	Steffen Klassert <steffen.klassert@secunet.com>
  9 */
 10
 11#include <linux/module.h>
 12#include <linux/capability.h>
 13#include <linux/errno.h>
 14#include <linux/types.h>
 15#include <linux/sockios.h>
 16#include <linux/icmp.h>
 17#include <linux/if.h>
 18#include <linux/in.h>
 19#include <linux/ip.h>
 20#include <linux/net.h>
 21#include <linux/in6.h>
 22#include <linux/netdevice.h>
 23#include <linux/if_link.h>
 24#include <linux/if_arp.h>
 25#include <linux/icmpv6.h>
 26#include <linux/init.h>
 27#include <linux/route.h>
 28#include <linux/rtnetlink.h>
 29#include <linux/netfilter_ipv6.h>
 30#include <linux/slab.h>
 31#include <linux/hash.h>
 32
 33#include <linux/uaccess.h>
 34#include <linux/atomic.h>
 35
 36#include <net/icmp.h>
 37#include <net/ip.h>
 38#include <net/ipv6.h>
 39#include <net/ip6_route.h>
 40#include <net/addrconf.h>
 41#include <net/xfrm.h>
 42#include <net/net_namespace.h>
 43#include <net/netns/generic.h>
 44#include <linux/etherdevice.h>
 45
 46static int xfrmi_dev_init(struct net_device *dev);
 47static void xfrmi_dev_setup(struct net_device *dev);
 48static struct rtnl_link_ops xfrmi_link_ops __read_mostly;
 49static unsigned int xfrmi_net_id __read_mostly;
 50
 51struct xfrmi_net {
 52	/* lists for storing interfaces in use */
 53	struct xfrm_if __rcu *xfrmi[1];
 54};
 55
 56#define for_each_xfrmi_rcu(start, xi) \
 57	for (xi = rcu_dereference(start); xi; xi = rcu_dereference(xi->next))
 58
 59static struct xfrm_if *xfrmi_lookup(struct net *net, struct xfrm_state *x)
 60{
 61	struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
 62	struct xfrm_if *xi;
 63
 64	for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) {
 65		if (x->if_id == xi->p.if_id &&
 66		    (xi->dev->flags & IFF_UP))
 67			return xi;
 68	}
 69
 70	return NULL;
 71}
 72
 73static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb)
 74{
 75	struct xfrmi_net *xfrmn;
 76	int ifindex;
 77	struct xfrm_if *xi;
 78
 79	if (!secpath_exists(skb) || !skb->dev)
 80		return NULL;
 81
 82	xfrmn = net_generic(xs_net(xfrm_input_state(skb)), xfrmi_net_id);
 83	ifindex = skb->dev->ifindex;
 84
 85	for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) {
 86		if (ifindex == xi->dev->ifindex &&
 87			(xi->dev->flags & IFF_UP))
 88				return xi;
 89	}
 90
 91	return NULL;
 92}
 93
 94static void xfrmi_link(struct xfrmi_net *xfrmn, struct xfrm_if *xi)
 95{
 96	struct xfrm_if __rcu **xip = &xfrmn->xfrmi[0];
 97
 98	rcu_assign_pointer(xi->next , rtnl_dereference(*xip));
 99	rcu_assign_pointer(*xip, xi);
100}
101
102static void xfrmi_unlink(struct xfrmi_net *xfrmn, struct xfrm_if *xi)
103{
104	struct xfrm_if __rcu **xip;
105	struct xfrm_if *iter;
106
107	for (xip = &xfrmn->xfrmi[0];
108	     (iter = rtnl_dereference(*xip)) != NULL;
109	     xip = &iter->next) {
110		if (xi == iter) {
111			rcu_assign_pointer(*xip, xi->next);
112			break;
113		}
114	}
115}
116
117static void xfrmi_dev_free(struct net_device *dev)
118{
119	struct xfrm_if *xi = netdev_priv(dev);
120
121	gro_cells_destroy(&xi->gro_cells);
122	free_percpu(dev->tstats);
123}
124
125static int xfrmi_create2(struct net_device *dev)
126{
127	struct xfrm_if *xi = netdev_priv(dev);
128	struct net *net = dev_net(dev);
129	struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
130	int err;
131
132	dev->rtnl_link_ops = &xfrmi_link_ops;
133	err = register_netdevice(dev);
134	if (err < 0)
135		goto out;
136
137	strcpy(xi->p.name, dev->name);
138
139	dev_hold(dev);
140	xfrmi_link(xfrmn, xi);
141
142	return 0;
143
144out:
145	return err;
146}
147
148static struct xfrm_if *xfrmi_create(struct net *net, struct xfrm_if_parms *p)
149{
150	struct net_device *dev;
151	struct xfrm_if *xi;
152	char name[IFNAMSIZ];
153	int err;
154
155	if (p->name[0]) {
156		strlcpy(name, p->name, IFNAMSIZ);
157	} else {
158		err = -EINVAL;
159		goto failed;
160	}
161
162	dev = alloc_netdev(sizeof(*xi), name, NET_NAME_UNKNOWN, xfrmi_dev_setup);
163	if (!dev) {
164		err = -EAGAIN;
165		goto failed;
166	}
167
168	dev_net_set(dev, net);
169
170	xi = netdev_priv(dev);
171	xi->p = *p;
172	xi->net = net;
173	xi->dev = dev;
174	xi->phydev = dev_get_by_index(net, p->link);
175	if (!xi->phydev) {
176		err = -ENODEV;
177		goto failed_free;
178	}
179
180	err = xfrmi_create2(dev);
181	if (err < 0)
182		goto failed_dev_put;
183
184	return xi;
185
186failed_dev_put:
187	dev_put(xi->phydev);
188failed_free:
189	free_netdev(dev);
190failed:
191	return ERR_PTR(err);
192}
193
194static struct xfrm_if *xfrmi_locate(struct net *net, struct xfrm_if_parms *p,
195				   int create)
196{
197	struct xfrm_if __rcu **xip;
198	struct xfrm_if *xi;
199	struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
200
201	for (xip = &xfrmn->xfrmi[0];
202	     (xi = rtnl_dereference(*xip)) != NULL;
203	     xip = &xi->next) {
204		if (xi->p.if_id == p->if_id) {
205			if (create)
206				return ERR_PTR(-EEXIST);
207
208			return xi;
209		}
210	}
211	if (!create)
212		return ERR_PTR(-ENODEV);
213	return xfrmi_create(net, p);
214}
215
216static void xfrmi_dev_uninit(struct net_device *dev)
217{
218	struct xfrm_if *xi = netdev_priv(dev);
219	struct xfrmi_net *xfrmn = net_generic(xi->net, xfrmi_net_id);
220
221	xfrmi_unlink(xfrmn, xi);
222	dev_put(xi->phydev);
223	dev_put(dev);
224}
225
226static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet)
227{
228	skb->tstamp = 0;
229	skb->pkt_type = PACKET_HOST;
230	skb->skb_iif = 0;
231	skb->ignore_df = 0;
232	skb_dst_drop(skb);
233	nf_reset(skb);
234	nf_reset_trace(skb);
235
236	if (!xnet)
237		return;
238
239	ipvs_reset(skb);
240	secpath_reset(skb);
241	skb_orphan(skb);
242	skb->mark = 0;
243}
244
245static int xfrmi_rcv_cb(struct sk_buff *skb, int err)
246{
247	struct pcpu_sw_netstats *tstats;
248	struct xfrm_mode *inner_mode;
249	struct net_device *dev;
250	struct xfrm_state *x;
251	struct xfrm_if *xi;
252	bool xnet;
253
254	if (err && !secpath_exists(skb))
255		return 0;
256
257	x = xfrm_input_state(skb);
258
259	xi = xfrmi_lookup(xs_net(x), x);
260	if (!xi)
261		return 1;
262
263	dev = xi->dev;
264	skb->dev = dev;
265
266	if (err) {
267		dev->stats.rx_errors++;
268		dev->stats.rx_dropped++;
269
270		return 0;
271	}
272
273	xnet = !net_eq(xi->net, dev_net(skb->dev));
274
275	if (xnet) {
276		inner_mode = x->inner_mode;
277
278		if (x->sel.family == AF_UNSPEC) {
279			inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
280			if (inner_mode == NULL) {
281				XFRM_INC_STATS(dev_net(skb->dev),
282					       LINUX_MIB_XFRMINSTATEMODEERROR);
283				return -EINVAL;
284			}
285		}
286
287		if (!xfrm_policy_check(NULL, XFRM_POLICY_IN, skb,
288				       inner_mode->afinfo->family))
289			return -EPERM;
290	}
291
292	xfrmi_scrub_packet(skb, xnet);
293
294	tstats = this_cpu_ptr(dev->tstats);
295
296	u64_stats_update_begin(&tstats->syncp);
297	tstats->rx_packets++;
298	tstats->rx_bytes += skb->len;
299	u64_stats_update_end(&tstats->syncp);
300
301	return 0;
302}
303
304static int
305xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
306{
307	struct xfrm_if *xi = netdev_priv(dev);
308	struct net_device_stats *stats = &xi->dev->stats;
309	struct dst_entry *dst = skb_dst(skb);
310	unsigned int length = skb->len;
311	struct net_device *tdev;
312	struct xfrm_state *x;
313	int err = -1;
314	int mtu;
315
316	if (!dst)
317		goto tx_err_link_failure;
318
319	dst_hold(dst);
320	dst = xfrm_lookup_with_ifid(xi->net, dst, fl, NULL, 0, xi->p.if_id);
321	if (IS_ERR(dst)) {
322		err = PTR_ERR(dst);
323		dst = NULL;
324		goto tx_err_link_failure;
325	}
326
327	x = dst->xfrm;
328	if (!x)
329		goto tx_err_link_failure;
330
331	if (x->if_id != xi->p.if_id)
332		goto tx_err_link_failure;
333
334	tdev = dst->dev;
335
336	if (tdev == dev) {
337		stats->collisions++;
338		net_warn_ratelimited("%s: Local routing loop detected!\n",
339				     xi->p.name);
340		goto tx_err_dst_release;
341	}
342
343	mtu = dst_mtu(dst);
344	if (!skb->ignore_df && skb->len > mtu) {
345		skb_dst_update_pmtu(skb, mtu);
346
347		if (skb->protocol == htons(ETH_P_IPV6)) {
348			if (mtu < IPV6_MIN_MTU)
349				mtu = IPV6_MIN_MTU;
350
351			icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
352		} else {
353			icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
354				  htonl(mtu));
355		}
356
357		dst_release(dst);
358		return -EMSGSIZE;
359	}
360
361	xfrmi_scrub_packet(skb, !net_eq(xi->net, dev_net(dev)));
362	skb_dst_set(skb, dst);
363	skb->dev = tdev;
364
365	err = dst_output(xi->net, skb->sk, skb);
366	if (net_xmit_eval(err) == 0) {
367		struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
368
369		u64_stats_update_begin(&tstats->syncp);
370		tstats->tx_bytes += length;
371		tstats->tx_packets++;
372		u64_stats_update_end(&tstats->syncp);
373	} else {
374		stats->tx_errors++;
375		stats->tx_aborted_errors++;
376	}
377
378	return 0;
379tx_err_link_failure:
380	stats->tx_carrier_errors++;
381	dst_link_failure(skb);
382tx_err_dst_release:
383	dst_release(dst);
384	return err;
385}
386
387static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev)
388{
389	struct xfrm_if *xi = netdev_priv(dev);
390	struct net_device_stats *stats = &xi->dev->stats;
391	struct flowi fl;
392	int ret;
393
394	memset(&fl, 0, sizeof(fl));
395
396	switch (skb->protocol) {
397	case htons(ETH_P_IPV6):
398		xfrm_decode_session(skb, &fl, AF_INET6);
399		memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
400		break;
401	case htons(ETH_P_IP):
402		xfrm_decode_session(skb, &fl, AF_INET);
403		memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
404		break;
405	default:
406		goto tx_err;
407	}
408
409	fl.flowi_oif = xi->phydev->ifindex;
410
411	ret = xfrmi_xmit2(skb, dev, &fl);
412	if (ret < 0)
413		goto tx_err;
414
415	return NETDEV_TX_OK;
416
417tx_err:
418	stats->tx_errors++;
419	stats->tx_dropped++;
420	kfree_skb(skb);
421	return NETDEV_TX_OK;
422}
423
424static int xfrmi4_err(struct sk_buff *skb, u32 info)
425{
426	const struct iphdr *iph = (const struct iphdr *)skb->data;
427	struct net *net = dev_net(skb->dev);
428	int protocol = iph->protocol;
429	struct ip_comp_hdr *ipch;
430	struct ip_esp_hdr *esph;
431	struct ip_auth_hdr *ah ;
432	struct xfrm_state *x;
433	struct xfrm_if *xi;
434	__be32 spi;
435
436	switch (protocol) {
437	case IPPROTO_ESP:
438		esph = (struct ip_esp_hdr *)(skb->data+(iph->ihl<<2));
439		spi = esph->spi;
440		break;
441	case IPPROTO_AH:
442		ah = (struct ip_auth_hdr *)(skb->data+(iph->ihl<<2));
443		spi = ah->spi;
444		break;
445	case IPPROTO_COMP:
446		ipch = (struct ip_comp_hdr *)(skb->data+(iph->ihl<<2));
447		spi = htonl(ntohs(ipch->cpi));
448		break;
449	default:
450		return 0;
451	}
452
453	switch (icmp_hdr(skb)->type) {
454	case ICMP_DEST_UNREACH:
455		if (icmp_hdr(skb)->code != ICMP_FRAG_NEEDED)
456			return 0;
457	case ICMP_REDIRECT:
458		break;
459	default:
460		return 0;
461	}
462
463	x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
464			      spi, protocol, AF_INET);
465	if (!x)
466		return 0;
467
468	xi = xfrmi_lookup(net, x);
469	if (!xi) {
470		xfrm_state_put(x);
471		return -1;
472	}
473
474	if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
475		ipv4_update_pmtu(skb, net, info, 0, protocol);
476	else
477		ipv4_redirect(skb, net, 0, protocol);
478	xfrm_state_put(x);
479
480	return 0;
481}
482
483static int xfrmi6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
484		    u8 type, u8 code, int offset, __be32 info)
485{
486	const struct ipv6hdr *iph = (const struct ipv6hdr *)skb->data;
487	struct net *net = dev_net(skb->dev);
488	int protocol = iph->nexthdr;
489	struct ip_comp_hdr *ipch;
490	struct ip_esp_hdr *esph;
491	struct ip_auth_hdr *ah;
492	struct xfrm_state *x;
493	struct xfrm_if *xi;
494	__be32 spi;
495
496	switch (protocol) {
497	case IPPROTO_ESP:
498		esph = (struct ip_esp_hdr *)(skb->data + offset);
499		spi = esph->spi;
500		break;
501	case IPPROTO_AH:
502		ah = (struct ip_auth_hdr *)(skb->data + offset);
503		spi = ah->spi;
504		break;
505	case IPPROTO_COMP:
506		ipch = (struct ip_comp_hdr *)(skb->data + offset);
507		spi = htonl(ntohs(ipch->cpi));
508		break;
509	default:
510		return 0;
511	}
512
513	if (type != ICMPV6_PKT_TOOBIG &&
514	    type != NDISC_REDIRECT)
515		return 0;
516
517	x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
518			      spi, protocol, AF_INET6);
519	if (!x)
520		return 0;
521
522	xi = xfrmi_lookup(net, x);
523	if (!xi) {
524		xfrm_state_put(x);
525		return -1;
526	}
527
528	if (type == NDISC_REDIRECT)
529		ip6_redirect(skb, net, skb->dev->ifindex, 0,
530			     sock_net_uid(net, NULL));
531	else
532		ip6_update_pmtu(skb, net, info, 0, 0, sock_net_uid(net, NULL));
533	xfrm_state_put(x);
534
535	return 0;
536}
537
538static int xfrmi_change(struct xfrm_if *xi, const struct xfrm_if_parms *p)
539{
540	if (xi->p.link != p->link)
541		return -EINVAL;
542
543	xi->p.if_id = p->if_id;
544
545	return 0;
546}
547
548static int xfrmi_update(struct xfrm_if *xi, struct xfrm_if_parms *p)
549{
550	struct net *net = dev_net(xi->dev);
551	struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
552	int err;
553
554	xfrmi_unlink(xfrmn, xi);
555	synchronize_net();
556	err = xfrmi_change(xi, p);
557	xfrmi_link(xfrmn, xi);
558	netdev_state_change(xi->dev);
559	return err;
560}
561
562static void xfrmi_get_stats64(struct net_device *dev,
563			       struct rtnl_link_stats64 *s)
564{
565	int cpu;
566
567	for_each_possible_cpu(cpu) {
568		struct pcpu_sw_netstats *stats;
569		struct pcpu_sw_netstats tmp;
570		int start;
571
572		stats = per_cpu_ptr(dev->tstats, cpu);
573		do {
574			start = u64_stats_fetch_begin_irq(&stats->syncp);
575			tmp.rx_packets = stats->rx_packets;
576			tmp.rx_bytes   = stats->rx_bytes;
577			tmp.tx_packets = stats->tx_packets;
578			tmp.tx_bytes   = stats->tx_bytes;
579		} while (u64_stats_fetch_retry_irq(&stats->syncp, start));
580
581		s->rx_packets += tmp.rx_packets;
582		s->rx_bytes   += tmp.rx_bytes;
583		s->tx_packets += tmp.tx_packets;
584		s->tx_bytes   += tmp.tx_bytes;
585	}
586
587	s->rx_dropped = dev->stats.rx_dropped;
588	s->tx_dropped = dev->stats.tx_dropped;
589}
590
591static int xfrmi_get_iflink(const struct net_device *dev)
592{
593	struct xfrm_if *xi = netdev_priv(dev);
594
595	return xi->phydev->ifindex;
596}
597
598
599static const struct net_device_ops xfrmi_netdev_ops = {
600	.ndo_init	= xfrmi_dev_init,
601	.ndo_uninit	= xfrmi_dev_uninit,
602	.ndo_start_xmit = xfrmi_xmit,
603	.ndo_get_stats64 = xfrmi_get_stats64,
604	.ndo_get_iflink = xfrmi_get_iflink,
605};
606
607static void xfrmi_dev_setup(struct net_device *dev)
608{
609	dev->netdev_ops 	= &xfrmi_netdev_ops;
610	dev->type		= ARPHRD_NONE;
611	dev->hard_header_len 	= ETH_HLEN;
612	dev->min_header_len	= ETH_HLEN;
613	dev->mtu		= ETH_DATA_LEN;
614	dev->min_mtu		= ETH_MIN_MTU;
615	dev->max_mtu		= ETH_DATA_LEN;
616	dev->addr_len		= ETH_ALEN;
617	dev->flags 		= IFF_NOARP;
618	dev->needs_free_netdev	= true;
619	dev->priv_destructor	= xfrmi_dev_free;
620	netif_keep_dst(dev);
621}
622
623static int xfrmi_dev_init(struct net_device *dev)
624{
625	struct xfrm_if *xi = netdev_priv(dev);
626	struct net_device *phydev = xi->phydev;
627	int err;
628
629	dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
630	if (!dev->tstats)
631		return -ENOMEM;
632
633	err = gro_cells_init(&xi->gro_cells, dev);
634	if (err) {
635		free_percpu(dev->tstats);
636		return err;
637	}
638
639	dev->features |= NETIF_F_LLTX;
640
641	dev->needed_headroom = phydev->needed_headroom;
642	dev->needed_tailroom = phydev->needed_tailroom;
643
644	if (is_zero_ether_addr(dev->dev_addr))
645		eth_hw_addr_inherit(dev, phydev);
646	if (is_zero_ether_addr(dev->broadcast))
647		memcpy(dev->broadcast, phydev->broadcast, dev->addr_len);
648
649	return 0;
650}
651
652static int xfrmi_validate(struct nlattr *tb[], struct nlattr *data[],
653			 struct netlink_ext_ack *extack)
654{
655	return 0;
656}
657
658static void xfrmi_netlink_parms(struct nlattr *data[],
659			       struct xfrm_if_parms *parms)
660{
661	memset(parms, 0, sizeof(*parms));
662
663	if (!data)
664		return;
665
666	if (data[IFLA_XFRM_LINK])
667		parms->link = nla_get_u32(data[IFLA_XFRM_LINK]);
668
669	if (data[IFLA_XFRM_IF_ID])
670		parms->if_id = nla_get_u32(data[IFLA_XFRM_IF_ID]);
671}
672
673static int xfrmi_newlink(struct net *src_net, struct net_device *dev,
674			struct nlattr *tb[], struct nlattr *data[],
675			struct netlink_ext_ack *extack)
676{
677	struct net *net = dev_net(dev);
678	struct xfrm_if_parms *p;
679	struct xfrm_if *xi;
680
681	xi = netdev_priv(dev);
682	p = &xi->p;
683
684	xfrmi_netlink_parms(data, p);
685
686	if (!tb[IFLA_IFNAME])
687		return -EINVAL;
688
689	nla_strlcpy(p->name, tb[IFLA_IFNAME], IFNAMSIZ);
690
691	xi = xfrmi_locate(net, p, 1);
692	return PTR_ERR_OR_ZERO(xi);
693}
694
695static void xfrmi_dellink(struct net_device *dev, struct list_head *head)
696{
697	unregister_netdevice_queue(dev, head);
698}
699
700static int xfrmi_changelink(struct net_device *dev, struct nlattr *tb[],
701			   struct nlattr *data[],
702			   struct netlink_ext_ack *extack)
703{
704	struct xfrm_if *xi = netdev_priv(dev);
705	struct net *net = dev_net(dev);
706
707	xfrmi_netlink_parms(data, &xi->p);
708
709	xi = xfrmi_locate(net, &xi->p, 0);
710
711	if (IS_ERR_OR_NULL(xi)) {
712		xi = netdev_priv(dev);
713	} else {
714		if (xi->dev != dev)
715			return -EEXIST;
716	}
717
718	return xfrmi_update(xi, &xi->p);
719}
720
721static size_t xfrmi_get_size(const struct net_device *dev)
722{
723	return
724		/* IFLA_XFRM_LINK */
725		nla_total_size(4) +
726		/* IFLA_XFRM_IF_ID */
727		nla_total_size(4) +
728		0;
729}
730
731static int xfrmi_fill_info(struct sk_buff *skb, const struct net_device *dev)
732{
733	struct xfrm_if *xi = netdev_priv(dev);
734	struct xfrm_if_parms *parm = &xi->p;
735
736	if (nla_put_u32(skb, IFLA_XFRM_LINK, parm->link) ||
737	    nla_put_u32(skb, IFLA_XFRM_IF_ID, parm->if_id))
738		goto nla_put_failure;
739	return 0;
740
741nla_put_failure:
742	return -EMSGSIZE;
743}
744
745static struct net *xfrmi_get_link_net(const struct net_device *dev)
746{
747	struct xfrm_if *xi = netdev_priv(dev);
748
749	return dev_net(xi->phydev);
750}
751
752static const struct nla_policy xfrmi_policy[IFLA_XFRM_MAX + 1] = {
753	[IFLA_XFRM_LINK]	= { .type = NLA_U32 },
754	[IFLA_XFRM_IF_ID]	= { .type = NLA_U32 },
755};
756
757static struct rtnl_link_ops xfrmi_link_ops __read_mostly = {
758	.kind		= "xfrm",
759	.maxtype	= IFLA_XFRM_MAX,
760	.policy		= xfrmi_policy,
761	.priv_size	= sizeof(struct xfrm_if),
762	.setup		= xfrmi_dev_setup,
763	.validate	= xfrmi_validate,
764	.newlink	= xfrmi_newlink,
765	.dellink	= xfrmi_dellink,
766	.changelink	= xfrmi_changelink,
767	.get_size	= xfrmi_get_size,
768	.fill_info	= xfrmi_fill_info,
769	.get_link_net	= xfrmi_get_link_net,
770};
771
772static void __net_exit xfrmi_destroy_interfaces(struct xfrmi_net *xfrmn)
773{
774	struct xfrm_if *xi;
775	LIST_HEAD(list);
776
777	xi = rtnl_dereference(xfrmn->xfrmi[0]);
778	if (!xi)
779		return;
780
781	unregister_netdevice_queue(xi->dev, &list);
782	unregister_netdevice_many(&list);
783}
784
785static int __net_init xfrmi_init_net(struct net *net)
786{
787	return 0;
788}
789
790static void __net_exit xfrmi_exit_net(struct net *net)
791{
792	struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
793
794	rtnl_lock();
795	xfrmi_destroy_interfaces(xfrmn);
796	rtnl_unlock();
797}
798
799static struct pernet_operations xfrmi_net_ops = {
800	.init = xfrmi_init_net,
801	.exit = xfrmi_exit_net,
802	.id   = &xfrmi_net_id,
803	.size = sizeof(struct xfrmi_net),
804};
805
806static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = {
807	.handler	=	xfrm6_rcv,
808	.cb_handler	=	xfrmi_rcv_cb,
809	.err_handler	=	xfrmi6_err,
810	.priority	=	10,
811};
812
813static struct xfrm6_protocol xfrmi_ah6_protocol __read_mostly = {
814	.handler	=	xfrm6_rcv,
815	.cb_handler	=	xfrmi_rcv_cb,
816	.err_handler	=	xfrmi6_err,
817	.priority	=	10,
818};
819
820static struct xfrm6_protocol xfrmi_ipcomp6_protocol __read_mostly = {
821	.handler	=	xfrm6_rcv,
822	.cb_handler	=	xfrmi_rcv_cb,
823	.err_handler	=	xfrmi6_err,
824	.priority	=	10,
825};
826
827static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = {
828	.handler	=	xfrm4_rcv,
829	.input_handler	=	xfrm_input,
830	.cb_handler	=	xfrmi_rcv_cb,
831	.err_handler	=	xfrmi4_err,
832	.priority	=	10,
833};
834
835static struct xfrm4_protocol xfrmi_ah4_protocol __read_mostly = {
836	.handler	=	xfrm4_rcv,
837	.input_handler	=	xfrm_input,
838	.cb_handler	=	xfrmi_rcv_cb,
839	.err_handler	=	xfrmi4_err,
840	.priority	=	10,
841};
842
843static struct xfrm4_protocol xfrmi_ipcomp4_protocol __read_mostly = {
844	.handler	=	xfrm4_rcv,
845	.input_handler	=	xfrm_input,
846	.cb_handler	=	xfrmi_rcv_cb,
847	.err_handler	=	xfrmi4_err,
848	.priority	=	10,
849};
850
851static int __init xfrmi4_init(void)
852{
853	int err;
854
855	err = xfrm4_protocol_register(&xfrmi_esp4_protocol, IPPROTO_ESP);
856	if (err < 0)
857		goto xfrm_proto_esp_failed;
858	err = xfrm4_protocol_register(&xfrmi_ah4_protocol, IPPROTO_AH);
859	if (err < 0)
860		goto xfrm_proto_ah_failed;
861	err = xfrm4_protocol_register(&xfrmi_ipcomp4_protocol, IPPROTO_COMP);
862	if (err < 0)
863		goto xfrm_proto_comp_failed;
864
865	return 0;
866
867xfrm_proto_comp_failed:
868	xfrm4_protocol_deregister(&xfrmi_ah4_protocol, IPPROTO_AH);
869xfrm_proto_ah_failed:
870	xfrm4_protocol_deregister(&xfrmi_esp4_protocol, IPPROTO_ESP);
871xfrm_proto_esp_failed:
872	return err;
873}
874
875static void xfrmi4_fini(void)
876{
877	xfrm4_protocol_deregister(&xfrmi_ipcomp4_protocol, IPPROTO_COMP);
878	xfrm4_protocol_deregister(&xfrmi_ah4_protocol, IPPROTO_AH);
879	xfrm4_protocol_deregister(&xfrmi_esp4_protocol, IPPROTO_ESP);
880}
881
882static int __init xfrmi6_init(void)
883{
884	int err;
885
886	err = xfrm6_protocol_register(&xfrmi_esp6_protocol, IPPROTO_ESP);
887	if (err < 0)
888		goto xfrm_proto_esp_failed;
889	err = xfrm6_protocol_register(&xfrmi_ah6_protocol, IPPROTO_AH);
890	if (err < 0)
891		goto xfrm_proto_ah_failed;
892	err = xfrm6_protocol_register(&xfrmi_ipcomp6_protocol, IPPROTO_COMP);
893	if (err < 0)
894		goto xfrm_proto_comp_failed;
895
896	return 0;
897
898xfrm_proto_comp_failed:
899	xfrm6_protocol_deregister(&xfrmi_ah6_protocol, IPPROTO_AH);
900xfrm_proto_ah_failed:
901	xfrm6_protocol_deregister(&xfrmi_esp6_protocol, IPPROTO_ESP);
902xfrm_proto_esp_failed:
903	return err;
904}
905
906static void xfrmi6_fini(void)
907{
908	xfrm6_protocol_deregister(&xfrmi_ipcomp6_protocol, IPPROTO_COMP);
909	xfrm6_protocol_deregister(&xfrmi_ah6_protocol, IPPROTO_AH);
910	xfrm6_protocol_deregister(&xfrmi_esp6_protocol, IPPROTO_ESP);
911}
912
913static const struct xfrm_if_cb xfrm_if_cb = {
914	.decode_session =	xfrmi_decode_session,
915};
916
917static int __init xfrmi_init(void)
918{
919	const char *msg;
920	int err;
921
922	pr_info("IPsec XFRM device driver\n");
923
924	msg = "tunnel device";
925	err = register_pernet_device(&xfrmi_net_ops);
926	if (err < 0)
927		goto pernet_dev_failed;
928
929	msg = "xfrm4 protocols";
930	err = xfrmi4_init();
931	if (err < 0)
932		goto xfrmi4_failed;
933
934	msg = "xfrm6 protocols";
935	err = xfrmi6_init();
936	if (err < 0)
937		goto xfrmi6_failed;
938
939
940	msg = "netlink interface";
941	err = rtnl_link_register(&xfrmi_link_ops);
942	if (err < 0)
943		goto rtnl_link_failed;
944
945	xfrm_if_register_cb(&xfrm_if_cb);
946
947	return err;
948
949rtnl_link_failed:
950	xfrmi6_fini();
951xfrmi6_failed:
952	xfrmi4_fini();
953xfrmi4_failed:
954	unregister_pernet_device(&xfrmi_net_ops);
955pernet_dev_failed:
956	pr_err("xfrmi init: failed to register %s\n", msg);
957	return err;
958}
959
960static void __exit xfrmi_fini(void)
961{
962	xfrm_if_unregister_cb();
963	rtnl_link_unregister(&xfrmi_link_ops);
964	xfrmi4_fini();
965	xfrmi6_fini();
966	unregister_pernet_device(&xfrmi_net_ops);
967}
968
969module_init(xfrmi_init);
970module_exit(xfrmi_fini);
971MODULE_LICENSE("GPL");
972MODULE_ALIAS_RTNL_LINK("xfrm");
973MODULE_ALIAS_NETDEV("xfrm0");
974MODULE_AUTHOR("Steffen Klassert");
975MODULE_DESCRIPTION("XFRM virtual interface");