net/xfrm/xfrm_interface.c at v5.6 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / net / xfrm / xfrm_interface.c
at v5.6 927 lines 20 kB view raw
  1// SPDX-License-Identifier: GPL-2.0
  2/*
  3 *	XFRM virtual interface
  4 *
  5 *	Copyright (C) 2018 secunet Security Networks AG
  6 *
  7 *	Author:
  8 *	Steffen Klassert <steffen.klassert@secunet.com>
  9 */
 10
 11#include <linux/module.h>
 12#include <linux/capability.h>
 13#include <linux/errno.h>
 14#include <linux/types.h>
 15#include <linux/sockios.h>
 16#include <linux/icmp.h>
 17#include <linux/if.h>
 18#include <linux/in.h>
 19#include <linux/ip.h>
 20#include <linux/net.h>
 21#include <linux/in6.h>
 22#include <linux/netdevice.h>
 23#include <linux/if_link.h>
 24#include <linux/if_arp.h>
 25#include <linux/icmpv6.h>
 26#include <linux/init.h>
 27#include <linux/route.h>
 28#include <linux/rtnetlink.h>
 29#include <linux/netfilter_ipv6.h>
 30#include <linux/slab.h>
 31#include <linux/hash.h>
 32
 33#include <linux/uaccess.h>
 34#include <linux/atomic.h>
 35
 36#include <net/icmp.h>
 37#include <net/ip.h>
 38#include <net/ipv6.h>
 39#include <net/ip6_route.h>
 40#include <net/addrconf.h>
 41#include <net/xfrm.h>
 42#include <net/net_namespace.h>
 43#include <net/netns/generic.h>
 44#include <linux/etherdevice.h>
 45
 46static int xfrmi_dev_init(struct net_device *dev);
 47static void xfrmi_dev_setup(struct net_device *dev);
 48static struct rtnl_link_ops xfrmi_link_ops __read_mostly;
 49static unsigned int xfrmi_net_id __read_mostly;
 50
 51struct xfrmi_net {
 52	/* lists for storing interfaces in use */
 53	struct xfrm_if __rcu *xfrmi[1];
 54};
 55
 56#define for_each_xfrmi_rcu(start, xi) \
 57	for (xi = rcu_dereference(start); xi; xi = rcu_dereference(xi->next))
 58
 59static struct xfrm_if *xfrmi_lookup(struct net *net, struct xfrm_state *x)
 60{
 61	struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
 62	struct xfrm_if *xi;
 63
 64	for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) {
 65		if (x->if_id == xi->p.if_id &&
 66		    (xi->dev->flags & IFF_UP))
 67			return xi;
 68	}
 69
 70	return NULL;
 71}
 72
 73static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb,
 74					    unsigned short family)
 75{
 76	struct xfrmi_net *xfrmn;
 77	struct xfrm_if *xi;
 78	int ifindex = 0;
 79
 80	if (!secpath_exists(skb) || !skb->dev)
 81		return NULL;
 82
 83	switch (family) {
 84	case AF_INET6:
 85		ifindex = inet6_sdif(skb);
 86		break;
 87	case AF_INET:
 88		ifindex = inet_sdif(skb);
 89		break;
 90	}
 91	if (!ifindex)
 92		ifindex = skb->dev->ifindex;
 93
 94	xfrmn = net_generic(xs_net(xfrm_input_state(skb)), xfrmi_net_id);
 95
 96	for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) {
 97		if (ifindex == xi->dev->ifindex &&
 98			(xi->dev->flags & IFF_UP))
 99				return xi;
100	}
101
102	return NULL;
103}
104
105static void xfrmi_link(struct xfrmi_net *xfrmn, struct xfrm_if *xi)
106{
107	struct xfrm_if __rcu **xip = &xfrmn->xfrmi[0];
108
109	rcu_assign_pointer(xi->next , rtnl_dereference(*xip));
110	rcu_assign_pointer(*xip, xi);
111}
112
113static void xfrmi_unlink(struct xfrmi_net *xfrmn, struct xfrm_if *xi)
114{
115	struct xfrm_if __rcu **xip;
116	struct xfrm_if *iter;
117
118	for (xip = &xfrmn->xfrmi[0];
119	     (iter = rtnl_dereference(*xip)) != NULL;
120	     xip = &iter->next) {
121		if (xi == iter) {
122			rcu_assign_pointer(*xip, xi->next);
123			break;
124		}
125	}
126}
127
128static void xfrmi_dev_free(struct net_device *dev)
129{
130	struct xfrm_if *xi = netdev_priv(dev);
131
132	gro_cells_destroy(&xi->gro_cells);
133	free_percpu(dev->tstats);
134}
135
136static int xfrmi_create(struct net_device *dev)
137{
138	struct xfrm_if *xi = netdev_priv(dev);
139	struct net *net = dev_net(dev);
140	struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
141	int err;
142
143	dev->rtnl_link_ops = &xfrmi_link_ops;
144	err = register_netdevice(dev);
145	if (err < 0)
146		goto out;
147
148	dev_hold(dev);
149	xfrmi_link(xfrmn, xi);
150
151	return 0;
152
153out:
154	return err;
155}
156
157static struct xfrm_if *xfrmi_locate(struct net *net, struct xfrm_if_parms *p)
158{
159	struct xfrm_if __rcu **xip;
160	struct xfrm_if *xi;
161	struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
162
163	for (xip = &xfrmn->xfrmi[0];
164	     (xi = rtnl_dereference(*xip)) != NULL;
165	     xip = &xi->next)
166		if (xi->p.if_id == p->if_id)
167			return xi;
168
169	return NULL;
170}
171
172static void xfrmi_dev_uninit(struct net_device *dev)
173{
174	struct xfrm_if *xi = netdev_priv(dev);
175	struct xfrmi_net *xfrmn = net_generic(xi->net, xfrmi_net_id);
176
177	xfrmi_unlink(xfrmn, xi);
178	dev_put(dev);
179}
180
181static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet)
182{
183	skb->tstamp = 0;
184	skb->pkt_type = PACKET_HOST;
185	skb->skb_iif = 0;
186	skb->ignore_df = 0;
187	skb_dst_drop(skb);
188	nf_reset_ct(skb);
189	nf_reset_trace(skb);
190
191	if (!xnet)
192		return;
193
194	ipvs_reset(skb);
195	secpath_reset(skb);
196	skb_orphan(skb);
197	skb->mark = 0;
198}
199
200static int xfrmi_rcv_cb(struct sk_buff *skb, int err)
201{
202	const struct xfrm_mode *inner_mode;
203	struct pcpu_sw_netstats *tstats;
204	struct net_device *dev;
205	struct xfrm_state *x;
206	struct xfrm_if *xi;
207	bool xnet;
208
209	if (err && !secpath_exists(skb))
210		return 0;
211
212	x = xfrm_input_state(skb);
213
214	xi = xfrmi_lookup(xs_net(x), x);
215	if (!xi)
216		return 1;
217
218	dev = xi->dev;
219	skb->dev = dev;
220
221	if (err) {
222		dev->stats.rx_errors++;
223		dev->stats.rx_dropped++;
224
225		return 0;
226	}
227
228	xnet = !net_eq(xi->net, dev_net(skb->dev));
229
230	if (xnet) {
231		inner_mode = &x->inner_mode;
232
233		if (x->sel.family == AF_UNSPEC) {
234			inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
235			if (inner_mode == NULL) {
236				XFRM_INC_STATS(dev_net(skb->dev),
237					       LINUX_MIB_XFRMINSTATEMODEERROR);
238				return -EINVAL;
239			}
240		}
241
242		if (!xfrm_policy_check(NULL, XFRM_POLICY_IN, skb,
243				       inner_mode->family))
244			return -EPERM;
245	}
246
247	xfrmi_scrub_packet(skb, xnet);
248
249	tstats = this_cpu_ptr(dev->tstats);
250
251	u64_stats_update_begin(&tstats->syncp);
252	tstats->rx_packets++;
253	tstats->rx_bytes += skb->len;
254	u64_stats_update_end(&tstats->syncp);
255
256	return 0;
257}
258
259static int
260xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
261{
262	struct xfrm_if *xi = netdev_priv(dev);
263	struct net_device_stats *stats = &xi->dev->stats;
264	struct dst_entry *dst = skb_dst(skb);
265	unsigned int length = skb->len;
266	struct net_device *tdev;
267	struct xfrm_state *x;
268	int err = -1;
269	int mtu;
270
271	dst_hold(dst);
272	dst = xfrm_lookup_with_ifid(xi->net, dst, fl, NULL, 0, xi->p.if_id);
273	if (IS_ERR(dst)) {
274		err = PTR_ERR(dst);
275		dst = NULL;
276		goto tx_err_link_failure;
277	}
278
279	x = dst->xfrm;
280	if (!x)
281		goto tx_err_link_failure;
282
283	if (x->if_id != xi->p.if_id)
284		goto tx_err_link_failure;
285
286	tdev = dst->dev;
287
288	if (tdev == dev) {
289		stats->collisions++;
290		net_warn_ratelimited("%s: Local routing loop detected!\n",
291				     dev->name);
292		goto tx_err_dst_release;
293	}
294
295	mtu = dst_mtu(dst);
296	if (!skb->ignore_df && skb->len > mtu) {
297		skb_dst_update_pmtu_no_confirm(skb, mtu);
298
299		if (skb->protocol == htons(ETH_P_IPV6)) {
300			if (mtu < IPV6_MIN_MTU)
301				mtu = IPV6_MIN_MTU;
302
303			icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
304		} else {
305			icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
306				      htonl(mtu));
307		}
308
309		dst_release(dst);
310		return -EMSGSIZE;
311	}
312
313	xfrmi_scrub_packet(skb, !net_eq(xi->net, dev_net(dev)));
314	skb_dst_set(skb, dst);
315	skb->dev = tdev;
316
317	err = dst_output(xi->net, skb->sk, skb);
318	if (net_xmit_eval(err) == 0) {
319		struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
320
321		u64_stats_update_begin(&tstats->syncp);
322		tstats->tx_bytes += length;
323		tstats->tx_packets++;
324		u64_stats_update_end(&tstats->syncp);
325	} else {
326		stats->tx_errors++;
327		stats->tx_aborted_errors++;
328	}
329
330	return 0;
331tx_err_link_failure:
332	stats->tx_carrier_errors++;
333	dst_link_failure(skb);
334tx_err_dst_release:
335	dst_release(dst);
336	return err;
337}
338
339static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev)
340{
341	struct xfrm_if *xi = netdev_priv(dev);
342	struct net_device_stats *stats = &xi->dev->stats;
343	struct dst_entry *dst = skb_dst(skb);
344	struct flowi fl;
345	int ret;
346
347	memset(&fl, 0, sizeof(fl));
348
349	switch (skb->protocol) {
350	case htons(ETH_P_IPV6):
351		xfrm_decode_session(skb, &fl, AF_INET6);
352		memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
353		if (!dst) {
354			fl.u.ip6.flowi6_oif = dev->ifindex;
355			fl.u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC;
356			dst = ip6_route_output(dev_net(dev), NULL, &fl.u.ip6);
357			if (dst->error) {
358				dst_release(dst);
359				stats->tx_carrier_errors++;
360				goto tx_err;
361			}
362			skb_dst_set(skb, dst);
363		}
364		break;
365	case htons(ETH_P_IP):
366		xfrm_decode_session(skb, &fl, AF_INET);
367		memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
368		if (!dst) {
369			struct rtable *rt;
370
371			fl.u.ip4.flowi4_oif = dev->ifindex;
372			fl.u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC;
373			rt = __ip_route_output_key(dev_net(dev), &fl.u.ip4);
374			if (IS_ERR(rt)) {
375				stats->tx_carrier_errors++;
376				goto tx_err;
377			}
378			skb_dst_set(skb, &rt->dst);
379		}
380		break;
381	default:
382		goto tx_err;
383	}
384
385	fl.flowi_oif = xi->p.link;
386
387	ret = xfrmi_xmit2(skb, dev, &fl);
388	if (ret < 0)
389		goto tx_err;
390
391	return NETDEV_TX_OK;
392
393tx_err:
394	stats->tx_errors++;
395	stats->tx_dropped++;
396	kfree_skb(skb);
397	return NETDEV_TX_OK;
398}
399
400static int xfrmi4_err(struct sk_buff *skb, u32 info)
401{
402	const struct iphdr *iph = (const struct iphdr *)skb->data;
403	struct net *net = dev_net(skb->dev);
404	int protocol = iph->protocol;
405	struct ip_comp_hdr *ipch;
406	struct ip_esp_hdr *esph;
407	struct ip_auth_hdr *ah ;
408	struct xfrm_state *x;
409	struct xfrm_if *xi;
410	__be32 spi;
411
412	switch (protocol) {
413	case IPPROTO_ESP:
414		esph = (struct ip_esp_hdr *)(skb->data+(iph->ihl<<2));
415		spi = esph->spi;
416		break;
417	case IPPROTO_AH:
418		ah = (struct ip_auth_hdr *)(skb->data+(iph->ihl<<2));
419		spi = ah->spi;
420		break;
421	case IPPROTO_COMP:
422		ipch = (struct ip_comp_hdr *)(skb->data+(iph->ihl<<2));
423		spi = htonl(ntohs(ipch->cpi));
424		break;
425	default:
426		return 0;
427	}
428
429	switch (icmp_hdr(skb)->type) {
430	case ICMP_DEST_UNREACH:
431		if (icmp_hdr(skb)->code != ICMP_FRAG_NEEDED)
432			return 0;
433	case ICMP_REDIRECT:
434		break;
435	default:
436		return 0;
437	}
438
439	x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
440			      spi, protocol, AF_INET);
441	if (!x)
442		return 0;
443
444	xi = xfrmi_lookup(net, x);
445	if (!xi) {
446		xfrm_state_put(x);
447		return -1;
448	}
449
450	if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
451		ipv4_update_pmtu(skb, net, info, 0, protocol);
452	else
453		ipv4_redirect(skb, net, 0, protocol);
454	xfrm_state_put(x);
455
456	return 0;
457}
458
459static int xfrmi6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
460		    u8 type, u8 code, int offset, __be32 info)
461{
462	const struct ipv6hdr *iph = (const struct ipv6hdr *)skb->data;
463	struct net *net = dev_net(skb->dev);
464	int protocol = iph->nexthdr;
465	struct ip_comp_hdr *ipch;
466	struct ip_esp_hdr *esph;
467	struct ip_auth_hdr *ah;
468	struct xfrm_state *x;
469	struct xfrm_if *xi;
470	__be32 spi;
471
472	switch (protocol) {
473	case IPPROTO_ESP:
474		esph = (struct ip_esp_hdr *)(skb->data + offset);
475		spi = esph->spi;
476		break;
477	case IPPROTO_AH:
478		ah = (struct ip_auth_hdr *)(skb->data + offset);
479		spi = ah->spi;
480		break;
481	case IPPROTO_COMP:
482		ipch = (struct ip_comp_hdr *)(skb->data + offset);
483		spi = htonl(ntohs(ipch->cpi));
484		break;
485	default:
486		return 0;
487	}
488
489	if (type != ICMPV6_PKT_TOOBIG &&
490	    type != NDISC_REDIRECT)
491		return 0;
492
493	x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
494			      spi, protocol, AF_INET6);
495	if (!x)
496		return 0;
497
498	xi = xfrmi_lookup(net, x);
499	if (!xi) {
500		xfrm_state_put(x);
501		return -1;
502	}
503
504	if (type == NDISC_REDIRECT)
505		ip6_redirect(skb, net, skb->dev->ifindex, 0,
506			     sock_net_uid(net, NULL));
507	else
508		ip6_update_pmtu(skb, net, info, 0, 0, sock_net_uid(net, NULL));
509	xfrm_state_put(x);
510
511	return 0;
512}
513
514static int xfrmi_change(struct xfrm_if *xi, const struct xfrm_if_parms *p)
515{
516	if (xi->p.link != p->link)
517		return -EINVAL;
518
519	xi->p.if_id = p->if_id;
520
521	return 0;
522}
523
524static int xfrmi_update(struct xfrm_if *xi, struct xfrm_if_parms *p)
525{
526	struct net *net = xi->net;
527	struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
528	int err;
529
530	xfrmi_unlink(xfrmn, xi);
531	synchronize_net();
532	err = xfrmi_change(xi, p);
533	xfrmi_link(xfrmn, xi);
534	netdev_state_change(xi->dev);
535	return err;
536}
537
538static void xfrmi_get_stats64(struct net_device *dev,
539			       struct rtnl_link_stats64 *s)
540{
541	int cpu;
542
543	for_each_possible_cpu(cpu) {
544		struct pcpu_sw_netstats *stats;
545		struct pcpu_sw_netstats tmp;
546		int start;
547
548		stats = per_cpu_ptr(dev->tstats, cpu);
549		do {
550			start = u64_stats_fetch_begin_irq(&stats->syncp);
551			tmp.rx_packets = stats->rx_packets;
552			tmp.rx_bytes   = stats->rx_bytes;
553			tmp.tx_packets = stats->tx_packets;
554			tmp.tx_bytes   = stats->tx_bytes;
555		} while (u64_stats_fetch_retry_irq(&stats->syncp, start));
556
557		s->rx_packets += tmp.rx_packets;
558		s->rx_bytes   += tmp.rx_bytes;
559		s->tx_packets += tmp.tx_packets;
560		s->tx_bytes   += tmp.tx_bytes;
561	}
562
563	s->rx_dropped = dev->stats.rx_dropped;
564	s->tx_dropped = dev->stats.tx_dropped;
565}
566
567static int xfrmi_get_iflink(const struct net_device *dev)
568{
569	struct xfrm_if *xi = netdev_priv(dev);
570
571	return xi->p.link;
572}
573
574
575static const struct net_device_ops xfrmi_netdev_ops = {
576	.ndo_init	= xfrmi_dev_init,
577	.ndo_uninit	= xfrmi_dev_uninit,
578	.ndo_start_xmit = xfrmi_xmit,
579	.ndo_get_stats64 = xfrmi_get_stats64,
580	.ndo_get_iflink = xfrmi_get_iflink,
581};
582
583static void xfrmi_dev_setup(struct net_device *dev)
584{
585	dev->netdev_ops 	= &xfrmi_netdev_ops;
586	dev->type		= ARPHRD_NONE;
587	dev->mtu		= ETH_DATA_LEN;
588	dev->min_mtu		= ETH_MIN_MTU;
589	dev->max_mtu		= IP_MAX_MTU;
590	dev->flags 		= IFF_NOARP;
591	dev->needs_free_netdev	= true;
592	dev->priv_destructor	= xfrmi_dev_free;
593	netif_keep_dst(dev);
594
595	eth_broadcast_addr(dev->broadcast);
596}
597
598static int xfrmi_dev_init(struct net_device *dev)
599{
600	struct xfrm_if *xi = netdev_priv(dev);
601	struct net_device *phydev = __dev_get_by_index(xi->net, xi->p.link);
602	int err;
603
604	dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
605	if (!dev->tstats)
606		return -ENOMEM;
607
608	err = gro_cells_init(&xi->gro_cells, dev);
609	if (err) {
610		free_percpu(dev->tstats);
611		return err;
612	}
613
614	dev->features |= NETIF_F_LLTX;
615
616	if (phydev) {
617		dev->needed_headroom = phydev->needed_headroom;
618		dev->needed_tailroom = phydev->needed_tailroom;
619
620		if (is_zero_ether_addr(dev->dev_addr))
621			eth_hw_addr_inherit(dev, phydev);
622		if (is_zero_ether_addr(dev->broadcast))
623			memcpy(dev->broadcast, phydev->broadcast,
624			       dev->addr_len);
625	} else {
626		eth_hw_addr_random(dev);
627		eth_broadcast_addr(dev->broadcast);
628	}
629
630	return 0;
631}
632
633static int xfrmi_validate(struct nlattr *tb[], struct nlattr *data[],
634			 struct netlink_ext_ack *extack)
635{
636	return 0;
637}
638
639static void xfrmi_netlink_parms(struct nlattr *data[],
640			       struct xfrm_if_parms *parms)
641{
642	memset(parms, 0, sizeof(*parms));
643
644	if (!data)
645		return;
646
647	if (data[IFLA_XFRM_LINK])
648		parms->link = nla_get_u32(data[IFLA_XFRM_LINK]);
649
650	if (data[IFLA_XFRM_IF_ID])
651		parms->if_id = nla_get_u32(data[IFLA_XFRM_IF_ID]);
652}
653
654static int xfrmi_newlink(struct net *src_net, struct net_device *dev,
655			struct nlattr *tb[], struct nlattr *data[],
656			struct netlink_ext_ack *extack)
657{
658	struct net *net = dev_net(dev);
659	struct xfrm_if_parms p;
660	struct xfrm_if *xi;
661	int err;
662
663	xfrmi_netlink_parms(data, &p);
664	xi = xfrmi_locate(net, &p);
665	if (xi)
666		return -EEXIST;
667
668	xi = netdev_priv(dev);
669	xi->p = p;
670	xi->net = net;
671	xi->dev = dev;
672
673	err = xfrmi_create(dev);
674	return err;
675}
676
677static void xfrmi_dellink(struct net_device *dev, struct list_head *head)
678{
679	unregister_netdevice_queue(dev, head);
680}
681
682static int xfrmi_changelink(struct net_device *dev, struct nlattr *tb[],
683			   struct nlattr *data[],
684			   struct netlink_ext_ack *extack)
685{
686	struct xfrm_if *xi = netdev_priv(dev);
687	struct net *net = xi->net;
688	struct xfrm_if_parms p;
689
690	xfrmi_netlink_parms(data, &p);
691	xi = xfrmi_locate(net, &p);
692	if (!xi) {
693		xi = netdev_priv(dev);
694	} else {
695		if (xi->dev != dev)
696			return -EEXIST;
697	}
698
699	return xfrmi_update(xi, &p);
700}
701
702static size_t xfrmi_get_size(const struct net_device *dev)
703{
704	return
705		/* IFLA_XFRM_LINK */
706		nla_total_size(4) +
707		/* IFLA_XFRM_IF_ID */
708		nla_total_size(4) +
709		0;
710}
711
712static int xfrmi_fill_info(struct sk_buff *skb, const struct net_device *dev)
713{
714	struct xfrm_if *xi = netdev_priv(dev);
715	struct xfrm_if_parms *parm = &xi->p;
716
717	if (nla_put_u32(skb, IFLA_XFRM_LINK, parm->link) ||
718	    nla_put_u32(skb, IFLA_XFRM_IF_ID, parm->if_id))
719		goto nla_put_failure;
720	return 0;
721
722nla_put_failure:
723	return -EMSGSIZE;
724}
725
726static struct net *xfrmi_get_link_net(const struct net_device *dev)
727{
728	struct xfrm_if *xi = netdev_priv(dev);
729
730	return xi->net;
731}
732
733static const struct nla_policy xfrmi_policy[IFLA_XFRM_MAX + 1] = {
734	[IFLA_XFRM_LINK]	= { .type = NLA_U32 },
735	[IFLA_XFRM_IF_ID]	= { .type = NLA_U32 },
736};
737
738static struct rtnl_link_ops xfrmi_link_ops __read_mostly = {
739	.kind		= "xfrm",
740	.maxtype	= IFLA_XFRM_MAX,
741	.policy		= xfrmi_policy,
742	.priv_size	= sizeof(struct xfrm_if),
743	.setup		= xfrmi_dev_setup,
744	.validate	= xfrmi_validate,
745	.newlink	= xfrmi_newlink,
746	.dellink	= xfrmi_dellink,
747	.changelink	= xfrmi_changelink,
748	.get_size	= xfrmi_get_size,
749	.fill_info	= xfrmi_fill_info,
750	.get_link_net	= xfrmi_get_link_net,
751};
752
753static struct pernet_operations xfrmi_net_ops = {
754	.id   = &xfrmi_net_id,
755	.size = sizeof(struct xfrmi_net),
756};
757
758static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = {
759	.handler	=	xfrm6_rcv,
760	.cb_handler	=	xfrmi_rcv_cb,
761	.err_handler	=	xfrmi6_err,
762	.priority	=	10,
763};
764
765static struct xfrm6_protocol xfrmi_ah6_protocol __read_mostly = {
766	.handler	=	xfrm6_rcv,
767	.cb_handler	=	xfrmi_rcv_cb,
768	.err_handler	=	xfrmi6_err,
769	.priority	=	10,
770};
771
772static struct xfrm6_protocol xfrmi_ipcomp6_protocol __read_mostly = {
773	.handler	=	xfrm6_rcv,
774	.cb_handler	=	xfrmi_rcv_cb,
775	.err_handler	=	xfrmi6_err,
776	.priority	=	10,
777};
778
779static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = {
780	.handler	=	xfrm4_rcv,
781	.input_handler	=	xfrm_input,
782	.cb_handler	=	xfrmi_rcv_cb,
783	.err_handler	=	xfrmi4_err,
784	.priority	=	10,
785};
786
787static struct xfrm4_protocol xfrmi_ah4_protocol __read_mostly = {
788	.handler	=	xfrm4_rcv,
789	.input_handler	=	xfrm_input,
790	.cb_handler	=	xfrmi_rcv_cb,
791	.err_handler	=	xfrmi4_err,
792	.priority	=	10,
793};
794
795static struct xfrm4_protocol xfrmi_ipcomp4_protocol __read_mostly = {
796	.handler	=	xfrm4_rcv,
797	.input_handler	=	xfrm_input,
798	.cb_handler	=	xfrmi_rcv_cb,
799	.err_handler	=	xfrmi4_err,
800	.priority	=	10,
801};
802
803static int __init xfrmi4_init(void)
804{
805	int err;
806
807	err = xfrm4_protocol_register(&xfrmi_esp4_protocol, IPPROTO_ESP);
808	if (err < 0)
809		goto xfrm_proto_esp_failed;
810	err = xfrm4_protocol_register(&xfrmi_ah4_protocol, IPPROTO_AH);
811	if (err < 0)
812		goto xfrm_proto_ah_failed;
813	err = xfrm4_protocol_register(&xfrmi_ipcomp4_protocol, IPPROTO_COMP);
814	if (err < 0)
815		goto xfrm_proto_comp_failed;
816
817	return 0;
818
819xfrm_proto_comp_failed:
820	xfrm4_protocol_deregister(&xfrmi_ah4_protocol, IPPROTO_AH);
821xfrm_proto_ah_failed:
822	xfrm4_protocol_deregister(&xfrmi_esp4_protocol, IPPROTO_ESP);
823xfrm_proto_esp_failed:
824	return err;
825}
826
827static void xfrmi4_fini(void)
828{
829	xfrm4_protocol_deregister(&xfrmi_ipcomp4_protocol, IPPROTO_COMP);
830	xfrm4_protocol_deregister(&xfrmi_ah4_protocol, IPPROTO_AH);
831	xfrm4_protocol_deregister(&xfrmi_esp4_protocol, IPPROTO_ESP);
832}
833
834static int __init xfrmi6_init(void)
835{
836	int err;
837
838	err = xfrm6_protocol_register(&xfrmi_esp6_protocol, IPPROTO_ESP);
839	if (err < 0)
840		goto xfrm_proto_esp_failed;
841	err = xfrm6_protocol_register(&xfrmi_ah6_protocol, IPPROTO_AH);
842	if (err < 0)
843		goto xfrm_proto_ah_failed;
844	err = xfrm6_protocol_register(&xfrmi_ipcomp6_protocol, IPPROTO_COMP);
845	if (err < 0)
846		goto xfrm_proto_comp_failed;
847
848	return 0;
849
850xfrm_proto_comp_failed:
851	xfrm6_protocol_deregister(&xfrmi_ah6_protocol, IPPROTO_AH);
852xfrm_proto_ah_failed:
853	xfrm6_protocol_deregister(&xfrmi_esp6_protocol, IPPROTO_ESP);
854xfrm_proto_esp_failed:
855	return err;
856}
857
858static void xfrmi6_fini(void)
859{
860	xfrm6_protocol_deregister(&xfrmi_ipcomp6_protocol, IPPROTO_COMP);
861	xfrm6_protocol_deregister(&xfrmi_ah6_protocol, IPPROTO_AH);
862	xfrm6_protocol_deregister(&xfrmi_esp6_protocol, IPPROTO_ESP);
863}
864
865static const struct xfrm_if_cb xfrm_if_cb = {
866	.decode_session =	xfrmi_decode_session,
867};
868
869static int __init xfrmi_init(void)
870{
871	const char *msg;
872	int err;
873
874	pr_info("IPsec XFRM device driver\n");
875
876	msg = "tunnel device";
877	err = register_pernet_device(&xfrmi_net_ops);
878	if (err < 0)
879		goto pernet_dev_failed;
880
881	msg = "xfrm4 protocols";
882	err = xfrmi4_init();
883	if (err < 0)
884		goto xfrmi4_failed;
885
886	msg = "xfrm6 protocols";
887	err = xfrmi6_init();
888	if (err < 0)
889		goto xfrmi6_failed;
890
891
892	msg = "netlink interface";
893	err = rtnl_link_register(&xfrmi_link_ops);
894	if (err < 0)
895		goto rtnl_link_failed;
896
897	xfrm_if_register_cb(&xfrm_if_cb);
898
899	return err;
900
901rtnl_link_failed:
902	xfrmi6_fini();
903xfrmi6_failed:
904	xfrmi4_fini();
905xfrmi4_failed:
906	unregister_pernet_device(&xfrmi_net_ops);
907pernet_dev_failed:
908	pr_err("xfrmi init: failed to register %s\n", msg);
909	return err;
910}
911
912static void __exit xfrmi_fini(void)
913{
914	xfrm_if_unregister_cb();
915	rtnl_link_unregister(&xfrmi_link_ops);
916	xfrmi4_fini();
917	xfrmi6_fini();
918	unregister_pernet_device(&xfrmi_net_ops);
919}
920
921module_init(xfrmi_init);
922module_exit(xfrmi_fini);
923MODULE_LICENSE("GPL");
924MODULE_ALIAS_RTNL_LINK("xfrm");
925MODULE_ALIAS_NETDEV("xfrm0");
926MODULE_AUTHOR("Steffen Klassert");
927MODULE_DESCRIPTION("XFRM virtual interface");