Loading...
Note: File does not exist in v6.8.
1// SPDX-License-Identifier: GPL-2.0
2/*
3 * XFRM virtual interface
4 *
5 * Copyright (C) 2018 secunet Security Networks AG
6 *
7 * Author:
8 * Steffen Klassert <steffen.klassert@secunet.com>
9 */
10
11#include <linux/module.h>
12#include <linux/capability.h>
13#include <linux/errno.h>
14#include <linux/types.h>
15#include <linux/sockios.h>
16#include <linux/icmp.h>
17#include <linux/if.h>
18#include <linux/in.h>
19#include <linux/ip.h>
20#include <linux/net.h>
21#include <linux/in6.h>
22#include <linux/netdevice.h>
23#include <linux/if_link.h>
24#include <linux/if_arp.h>
25#include <linux/icmpv6.h>
26#include <linux/init.h>
27#include <linux/route.h>
28#include <linux/rtnetlink.h>
29#include <linux/netfilter_ipv6.h>
30#include <linux/slab.h>
31#include <linux/hash.h>
32
33#include <linux/uaccess.h>
34#include <linux/atomic.h>
35
36#include <net/icmp.h>
37#include <net/ip.h>
38#include <net/ipv6.h>
39#include <net/ip6_route.h>
40#include <net/ip_tunnels.h>
41#include <net/addrconf.h>
42#include <net/xfrm.h>
43#include <net/net_namespace.h>
44#include <net/netns/generic.h>
45#include <linux/etherdevice.h>
46
47static int xfrmi_dev_init(struct net_device *dev);
48static void xfrmi_dev_setup(struct net_device *dev);
49static struct rtnl_link_ops xfrmi_link_ops __read_mostly;
50static unsigned int xfrmi_net_id __read_mostly;
51static const struct net_device_ops xfrmi_netdev_ops;
52
53#define XFRMI_HASH_BITS 8
54#define XFRMI_HASH_SIZE BIT(XFRMI_HASH_BITS)
55
56struct xfrmi_net {
57 /* lists for storing interfaces in use */
58 struct xfrm_if __rcu *xfrmi[XFRMI_HASH_SIZE];
59};
60
61#define for_each_xfrmi_rcu(start, xi) \
62 for (xi = rcu_dereference(start); xi; xi = rcu_dereference(xi->next))
63
64static u32 xfrmi_hash(u32 if_id)
65{
66 return hash_32(if_id, XFRMI_HASH_BITS);
67}
68
69static struct xfrm_if *xfrmi_lookup(struct net *net, struct xfrm_state *x)
70{
71 struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
72 struct xfrm_if *xi;
73
74 for_each_xfrmi_rcu(xfrmn->xfrmi[xfrmi_hash(x->if_id)], xi) {
75 if (x->if_id == xi->p.if_id &&
76 (xi->dev->flags & IFF_UP))
77 return xi;
78 }
79
80 return NULL;
81}
82
83static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb,
84 unsigned short family)
85{
86 struct net_device *dev;
87 int ifindex = 0;
88
89 if (!secpath_exists(skb) || !skb->dev)
90 return NULL;
91
92 switch (family) {
93 case AF_INET6:
94 ifindex = inet6_sdif(skb);
95 break;
96 case AF_INET:
97 ifindex = inet_sdif(skb);
98 break;
99 }
100
101 if (ifindex) {
102 struct net *net = xs_net(xfrm_input_state(skb));
103
104 dev = dev_get_by_index_rcu(net, ifindex);
105 } else {
106 dev = skb->dev;
107 }
108
109 if (!dev || !(dev->flags & IFF_UP))
110 return NULL;
111 if (dev->netdev_ops != &xfrmi_netdev_ops)
112 return NULL;
113
114 return netdev_priv(dev);
115}
116
117static void xfrmi_link(struct xfrmi_net *xfrmn, struct xfrm_if *xi)
118{
119 struct xfrm_if __rcu **xip = &xfrmn->xfrmi[xfrmi_hash(xi->p.if_id)];
120
121 rcu_assign_pointer(xi->next , rtnl_dereference(*xip));
122 rcu_assign_pointer(*xip, xi);
123}
124
125static void xfrmi_unlink(struct xfrmi_net *xfrmn, struct xfrm_if *xi)
126{
127 struct xfrm_if __rcu **xip;
128 struct xfrm_if *iter;
129
130 for (xip = &xfrmn->xfrmi[xfrmi_hash(xi->p.if_id)];
131 (iter = rtnl_dereference(*xip)) != NULL;
132 xip = &iter->next) {
133 if (xi == iter) {
134 rcu_assign_pointer(*xip, xi->next);
135 break;
136 }
137 }
138}
139
140static void xfrmi_dev_free(struct net_device *dev)
141{
142 struct xfrm_if *xi = netdev_priv(dev);
143
144 gro_cells_destroy(&xi->gro_cells);
145 free_percpu(dev->tstats);
146}
147
148static int xfrmi_create(struct net_device *dev)
149{
150 struct xfrm_if *xi = netdev_priv(dev);
151 struct net *net = dev_net(dev);
152 struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
153 int err;
154
155 dev->rtnl_link_ops = &xfrmi_link_ops;
156 err = register_netdevice(dev);
157 if (err < 0)
158 goto out;
159
160 xfrmi_link(xfrmn, xi);
161
162 return 0;
163
164out:
165 return err;
166}
167
168static struct xfrm_if *xfrmi_locate(struct net *net, struct xfrm_if_parms *p)
169{
170 struct xfrm_if __rcu **xip;
171 struct xfrm_if *xi;
172 struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
173
174 for (xip = &xfrmn->xfrmi[xfrmi_hash(p->if_id)];
175 (xi = rtnl_dereference(*xip)) != NULL;
176 xip = &xi->next)
177 if (xi->p.if_id == p->if_id)
178 return xi;
179
180 return NULL;
181}
182
183static void xfrmi_dev_uninit(struct net_device *dev)
184{
185 struct xfrm_if *xi = netdev_priv(dev);
186 struct xfrmi_net *xfrmn = net_generic(xi->net, xfrmi_net_id);
187
188 xfrmi_unlink(xfrmn, xi);
189}
190
191static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet)
192{
193 skb->tstamp = 0;
194 skb->pkt_type = PACKET_HOST;
195 skb->skb_iif = 0;
196 skb->ignore_df = 0;
197 skb_dst_drop(skb);
198 nf_reset_ct(skb);
199 nf_reset_trace(skb);
200
201 if (!xnet)
202 return;
203
204 ipvs_reset(skb);
205 secpath_reset(skb);
206 skb_orphan(skb);
207 skb->mark = 0;
208}
209
210static int xfrmi_rcv_cb(struct sk_buff *skb, int err)
211{
212 const struct xfrm_mode *inner_mode;
213 struct net_device *dev;
214 struct xfrm_state *x;
215 struct xfrm_if *xi;
216 bool xnet;
217
218 if (err && !secpath_exists(skb))
219 return 0;
220
221 x = xfrm_input_state(skb);
222
223 xi = xfrmi_lookup(xs_net(x), x);
224 if (!xi)
225 return 1;
226
227 dev = xi->dev;
228 skb->dev = dev;
229
230 if (err) {
231 dev->stats.rx_errors++;
232 dev->stats.rx_dropped++;
233
234 return 0;
235 }
236
237 xnet = !net_eq(xi->net, dev_net(skb->dev));
238
239 if (xnet) {
240 inner_mode = &x->inner_mode;
241
242 if (x->sel.family == AF_UNSPEC) {
243 inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
244 if (inner_mode == NULL) {
245 XFRM_INC_STATS(dev_net(skb->dev),
246 LINUX_MIB_XFRMINSTATEMODEERROR);
247 return -EINVAL;
248 }
249 }
250
251 if (!xfrm_policy_check(NULL, XFRM_POLICY_IN, skb,
252 inner_mode->family))
253 return -EPERM;
254 }
255
256 xfrmi_scrub_packet(skb, xnet);
257 dev_sw_netstats_rx_add(dev, skb->len);
258
259 return 0;
260}
261
262static int
263xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
264{
265 struct xfrm_if *xi = netdev_priv(dev);
266 struct net_device_stats *stats = &xi->dev->stats;
267 struct dst_entry *dst = skb_dst(skb);
268 unsigned int length = skb->len;
269 struct net_device *tdev;
270 struct xfrm_state *x;
271 int err = -1;
272 int mtu;
273
274 dst_hold(dst);
275 dst = xfrm_lookup_with_ifid(xi->net, dst, fl, NULL, 0, xi->p.if_id);
276 if (IS_ERR(dst)) {
277 err = PTR_ERR(dst);
278 dst = NULL;
279 goto tx_err_link_failure;
280 }
281
282 x = dst->xfrm;
283 if (!x)
284 goto tx_err_link_failure;
285
286 if (x->if_id != xi->p.if_id)
287 goto tx_err_link_failure;
288
289 tdev = dst->dev;
290
291 if (tdev == dev) {
292 stats->collisions++;
293 net_warn_ratelimited("%s: Local routing loop detected!\n",
294 dev->name);
295 goto tx_err_dst_release;
296 }
297
298 mtu = dst_mtu(dst);
299 if ((!skb_is_gso(skb) && skb->len > mtu) ||
300 (skb_is_gso(skb) && !skb_gso_validate_network_len(skb, mtu))) {
301 skb_dst_update_pmtu_no_confirm(skb, mtu);
302
303 if (skb->protocol == htons(ETH_P_IPV6)) {
304 if (mtu < IPV6_MIN_MTU)
305 mtu = IPV6_MIN_MTU;
306
307 icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
308 } else {
309 if (!(ip_hdr(skb)->frag_off & htons(IP_DF)))
310 goto xmit;
311 icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
312 htonl(mtu));
313 }
314
315 dst_release(dst);
316 return -EMSGSIZE;
317 }
318
319xmit:
320 xfrmi_scrub_packet(skb, !net_eq(xi->net, dev_net(dev)));
321 skb_dst_set(skb, dst);
322 skb->dev = tdev;
323
324 err = dst_output(xi->net, skb->sk, skb);
325 if (net_xmit_eval(err) == 0) {
326 dev_sw_netstats_tx_add(dev, 1, length);
327 } else {
328 stats->tx_errors++;
329 stats->tx_aborted_errors++;
330 }
331
332 return 0;
333tx_err_link_failure:
334 stats->tx_carrier_errors++;
335 dst_link_failure(skb);
336tx_err_dst_release:
337 dst_release(dst);
338 return err;
339}
340
341static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev)
342{
343 struct xfrm_if *xi = netdev_priv(dev);
344 struct net_device_stats *stats = &xi->dev->stats;
345 struct dst_entry *dst = skb_dst(skb);
346 struct flowi fl;
347 int ret;
348
349 memset(&fl, 0, sizeof(fl));
350
351 switch (skb->protocol) {
352 case htons(ETH_P_IPV6):
353 xfrm_decode_session(skb, &fl, AF_INET6);
354 memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
355 if (!dst) {
356 fl.u.ip6.flowi6_oif = dev->ifindex;
357 fl.u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC;
358 dst = ip6_route_output(dev_net(dev), NULL, &fl.u.ip6);
359 if (dst->error) {
360 dst_release(dst);
361 stats->tx_carrier_errors++;
362 goto tx_err;
363 }
364 skb_dst_set(skb, dst);
365 }
366 break;
367 case htons(ETH_P_IP):
368 xfrm_decode_session(skb, &fl, AF_INET);
369 memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
370 if (!dst) {
371 struct rtable *rt;
372
373 fl.u.ip4.flowi4_oif = dev->ifindex;
374 fl.u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC;
375 rt = __ip_route_output_key(dev_net(dev), &fl.u.ip4);
376 if (IS_ERR(rt)) {
377 stats->tx_carrier_errors++;
378 goto tx_err;
379 }
380 skb_dst_set(skb, &rt->dst);
381 }
382 break;
383 default:
384 goto tx_err;
385 }
386
387 fl.flowi_oif = xi->p.link;
388
389 ret = xfrmi_xmit2(skb, dev, &fl);
390 if (ret < 0)
391 goto tx_err;
392
393 return NETDEV_TX_OK;
394
395tx_err:
396 stats->tx_errors++;
397 stats->tx_dropped++;
398 kfree_skb(skb);
399 return NETDEV_TX_OK;
400}
401
402static int xfrmi4_err(struct sk_buff *skb, u32 info)
403{
404 const struct iphdr *iph = (const struct iphdr *)skb->data;
405 struct net *net = dev_net(skb->dev);
406 int protocol = iph->protocol;
407 struct ip_comp_hdr *ipch;
408 struct ip_esp_hdr *esph;
409 struct ip_auth_hdr *ah ;
410 struct xfrm_state *x;
411 struct xfrm_if *xi;
412 __be32 spi;
413
414 switch (protocol) {
415 case IPPROTO_ESP:
416 esph = (struct ip_esp_hdr *)(skb->data+(iph->ihl<<2));
417 spi = esph->spi;
418 break;
419 case IPPROTO_AH:
420 ah = (struct ip_auth_hdr *)(skb->data+(iph->ihl<<2));
421 spi = ah->spi;
422 break;
423 case IPPROTO_COMP:
424 ipch = (struct ip_comp_hdr *)(skb->data+(iph->ihl<<2));
425 spi = htonl(ntohs(ipch->cpi));
426 break;
427 default:
428 return 0;
429 }
430
431 switch (icmp_hdr(skb)->type) {
432 case ICMP_DEST_UNREACH:
433 if (icmp_hdr(skb)->code != ICMP_FRAG_NEEDED)
434 return 0;
435 break;
436 case ICMP_REDIRECT:
437 break;
438 default:
439 return 0;
440 }
441
442 x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
443 spi, protocol, AF_INET);
444 if (!x)
445 return 0;
446
447 xi = xfrmi_lookup(net, x);
448 if (!xi) {
449 xfrm_state_put(x);
450 return -1;
451 }
452
453 if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
454 ipv4_update_pmtu(skb, net, info, 0, protocol);
455 else
456 ipv4_redirect(skb, net, 0, protocol);
457 xfrm_state_put(x);
458
459 return 0;
460}
461
462static int xfrmi6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
463 u8 type, u8 code, int offset, __be32 info)
464{
465 const struct ipv6hdr *iph = (const struct ipv6hdr *)skb->data;
466 struct net *net = dev_net(skb->dev);
467 int protocol = iph->nexthdr;
468 struct ip_comp_hdr *ipch;
469 struct ip_esp_hdr *esph;
470 struct ip_auth_hdr *ah;
471 struct xfrm_state *x;
472 struct xfrm_if *xi;
473 __be32 spi;
474
475 switch (protocol) {
476 case IPPROTO_ESP:
477 esph = (struct ip_esp_hdr *)(skb->data + offset);
478 spi = esph->spi;
479 break;
480 case IPPROTO_AH:
481 ah = (struct ip_auth_hdr *)(skb->data + offset);
482 spi = ah->spi;
483 break;
484 case IPPROTO_COMP:
485 ipch = (struct ip_comp_hdr *)(skb->data + offset);
486 spi = htonl(ntohs(ipch->cpi));
487 break;
488 default:
489 return 0;
490 }
491
492 if (type != ICMPV6_PKT_TOOBIG &&
493 type != NDISC_REDIRECT)
494 return 0;
495
496 x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
497 spi, protocol, AF_INET6);
498 if (!x)
499 return 0;
500
501 xi = xfrmi_lookup(net, x);
502 if (!xi) {
503 xfrm_state_put(x);
504 return -1;
505 }
506
507 if (type == NDISC_REDIRECT)
508 ip6_redirect(skb, net, skb->dev->ifindex, 0,
509 sock_net_uid(net, NULL));
510 else
511 ip6_update_pmtu(skb, net, info, 0, 0, sock_net_uid(net, NULL));
512 xfrm_state_put(x);
513
514 return 0;
515}
516
517static int xfrmi_change(struct xfrm_if *xi, const struct xfrm_if_parms *p)
518{
519 if (xi->p.link != p->link)
520 return -EINVAL;
521
522 xi->p.if_id = p->if_id;
523
524 return 0;
525}
526
527static int xfrmi_update(struct xfrm_if *xi, struct xfrm_if_parms *p)
528{
529 struct net *net = xi->net;
530 struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
531 int err;
532
533 xfrmi_unlink(xfrmn, xi);
534 synchronize_net();
535 err = xfrmi_change(xi, p);
536 xfrmi_link(xfrmn, xi);
537 netdev_state_change(xi->dev);
538 return err;
539}
540
541static int xfrmi_get_iflink(const struct net_device *dev)
542{
543 struct xfrm_if *xi = netdev_priv(dev);
544
545 return xi->p.link;
546}
547
548static const struct net_device_ops xfrmi_netdev_ops = {
549 .ndo_init = xfrmi_dev_init,
550 .ndo_uninit = xfrmi_dev_uninit,
551 .ndo_start_xmit = xfrmi_xmit,
552 .ndo_get_stats64 = dev_get_tstats64,
553 .ndo_get_iflink = xfrmi_get_iflink,
554};
555
556static void xfrmi_dev_setup(struct net_device *dev)
557{
558 dev->netdev_ops = &xfrmi_netdev_ops;
559 dev->header_ops = &ip_tunnel_header_ops;
560 dev->type = ARPHRD_NONE;
561 dev->mtu = ETH_DATA_LEN;
562 dev->min_mtu = ETH_MIN_MTU;
563 dev->max_mtu = IP_MAX_MTU;
564 dev->flags = IFF_NOARP;
565 dev->needs_free_netdev = true;
566 dev->priv_destructor = xfrmi_dev_free;
567 netif_keep_dst(dev);
568
569 eth_broadcast_addr(dev->broadcast);
570}
571
572#define XFRMI_FEATURES (NETIF_F_SG | \
573 NETIF_F_FRAGLIST | \
574 NETIF_F_GSO_SOFTWARE | \
575 NETIF_F_HW_CSUM)
576
577static int xfrmi_dev_init(struct net_device *dev)
578{
579 struct xfrm_if *xi = netdev_priv(dev);
580 struct net_device *phydev = __dev_get_by_index(xi->net, xi->p.link);
581 int err;
582
583 dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
584 if (!dev->tstats)
585 return -ENOMEM;
586
587 err = gro_cells_init(&xi->gro_cells, dev);
588 if (err) {
589 free_percpu(dev->tstats);
590 return err;
591 }
592
593 dev->features |= NETIF_F_LLTX;
594 dev->features |= XFRMI_FEATURES;
595 dev->hw_features |= XFRMI_FEATURES;
596
597 if (phydev) {
598 dev->needed_headroom = phydev->needed_headroom;
599 dev->needed_tailroom = phydev->needed_tailroom;
600
601 if (is_zero_ether_addr(dev->dev_addr))
602 eth_hw_addr_inherit(dev, phydev);
603 if (is_zero_ether_addr(dev->broadcast))
604 memcpy(dev->broadcast, phydev->broadcast,
605 dev->addr_len);
606 } else {
607 eth_hw_addr_random(dev);
608 eth_broadcast_addr(dev->broadcast);
609 }
610
611 return 0;
612}
613
614static int xfrmi_validate(struct nlattr *tb[], struct nlattr *data[],
615 struct netlink_ext_ack *extack)
616{
617 return 0;
618}
619
620static void xfrmi_netlink_parms(struct nlattr *data[],
621 struct xfrm_if_parms *parms)
622{
623 memset(parms, 0, sizeof(*parms));
624
625 if (!data)
626 return;
627
628 if (data[IFLA_XFRM_LINK])
629 parms->link = nla_get_u32(data[IFLA_XFRM_LINK]);
630
631 if (data[IFLA_XFRM_IF_ID])
632 parms->if_id = nla_get_u32(data[IFLA_XFRM_IF_ID]);
633}
634
635static int xfrmi_newlink(struct net *src_net, struct net_device *dev,
636 struct nlattr *tb[], struct nlattr *data[],
637 struct netlink_ext_ack *extack)
638{
639 struct net *net = dev_net(dev);
640 struct xfrm_if_parms p;
641 struct xfrm_if *xi;
642 int err;
643
644 xfrmi_netlink_parms(data, &p);
645 xi = xfrmi_locate(net, &p);
646 if (xi)
647 return -EEXIST;
648
649 xi = netdev_priv(dev);
650 xi->p = p;
651 xi->net = net;
652 xi->dev = dev;
653
654 err = xfrmi_create(dev);
655 return err;
656}
657
658static void xfrmi_dellink(struct net_device *dev, struct list_head *head)
659{
660 unregister_netdevice_queue(dev, head);
661}
662
663static int xfrmi_changelink(struct net_device *dev, struct nlattr *tb[],
664 struct nlattr *data[],
665 struct netlink_ext_ack *extack)
666{
667 struct xfrm_if *xi = netdev_priv(dev);
668 struct net *net = xi->net;
669 struct xfrm_if_parms p;
670
671 xfrmi_netlink_parms(data, &p);
672 xi = xfrmi_locate(net, &p);
673 if (!xi) {
674 xi = netdev_priv(dev);
675 } else {
676 if (xi->dev != dev)
677 return -EEXIST;
678 }
679
680 return xfrmi_update(xi, &p);
681}
682
683static size_t xfrmi_get_size(const struct net_device *dev)
684{
685 return
686 /* IFLA_XFRM_LINK */
687 nla_total_size(4) +
688 /* IFLA_XFRM_IF_ID */
689 nla_total_size(4) +
690 0;
691}
692
693static int xfrmi_fill_info(struct sk_buff *skb, const struct net_device *dev)
694{
695 struct xfrm_if *xi = netdev_priv(dev);
696 struct xfrm_if_parms *parm = &xi->p;
697
698 if (nla_put_u32(skb, IFLA_XFRM_LINK, parm->link) ||
699 nla_put_u32(skb, IFLA_XFRM_IF_ID, parm->if_id))
700 goto nla_put_failure;
701 return 0;
702
703nla_put_failure:
704 return -EMSGSIZE;
705}
706
707static struct net *xfrmi_get_link_net(const struct net_device *dev)
708{
709 struct xfrm_if *xi = netdev_priv(dev);
710
711 return xi->net;
712}
713
714static const struct nla_policy xfrmi_policy[IFLA_XFRM_MAX + 1] = {
715 [IFLA_XFRM_LINK] = { .type = NLA_U32 },
716 [IFLA_XFRM_IF_ID] = { .type = NLA_U32 },
717};
718
719static struct rtnl_link_ops xfrmi_link_ops __read_mostly = {
720 .kind = "xfrm",
721 .maxtype = IFLA_XFRM_MAX,
722 .policy = xfrmi_policy,
723 .priv_size = sizeof(struct xfrm_if),
724 .setup = xfrmi_dev_setup,
725 .validate = xfrmi_validate,
726 .newlink = xfrmi_newlink,
727 .dellink = xfrmi_dellink,
728 .changelink = xfrmi_changelink,
729 .get_size = xfrmi_get_size,
730 .fill_info = xfrmi_fill_info,
731 .get_link_net = xfrmi_get_link_net,
732};
733
734static void __net_exit xfrmi_exit_batch_net(struct list_head *net_exit_list)
735{
736 struct net *net;
737 LIST_HEAD(list);
738
739 rtnl_lock();
740 list_for_each_entry(net, net_exit_list, exit_list) {
741 struct xfrmi_net *xfrmn = net_generic(net, xfrmi_net_id);
742 struct xfrm_if __rcu **xip;
743 struct xfrm_if *xi;
744 int i;
745
746 for (i = 0; i < XFRMI_HASH_SIZE; i++) {
747 for (xip = &xfrmn->xfrmi[i];
748 (xi = rtnl_dereference(*xip)) != NULL;
749 xip = &xi->next)
750 unregister_netdevice_queue(xi->dev, &list);
751 }
752 }
753 unregister_netdevice_many(&list);
754 rtnl_unlock();
755}
756
757static struct pernet_operations xfrmi_net_ops = {
758 .exit_batch = xfrmi_exit_batch_net,
759 .id = &xfrmi_net_id,
760 .size = sizeof(struct xfrmi_net),
761};
762
763static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = {
764 .handler = xfrm6_rcv,
765 .input_handler = xfrm_input,
766 .cb_handler = xfrmi_rcv_cb,
767 .err_handler = xfrmi6_err,
768 .priority = 10,
769};
770
771static struct xfrm6_protocol xfrmi_ah6_protocol __read_mostly = {
772 .handler = xfrm6_rcv,
773 .input_handler = xfrm_input,
774 .cb_handler = xfrmi_rcv_cb,
775 .err_handler = xfrmi6_err,
776 .priority = 10,
777};
778
779static struct xfrm6_protocol xfrmi_ipcomp6_protocol __read_mostly = {
780 .handler = xfrm6_rcv,
781 .input_handler = xfrm_input,
782 .cb_handler = xfrmi_rcv_cb,
783 .err_handler = xfrmi6_err,
784 .priority = 10,
785};
786
787#if IS_REACHABLE(CONFIG_INET6_XFRM_TUNNEL)
788static int xfrmi6_rcv_tunnel(struct sk_buff *skb)
789{
790 const xfrm_address_t *saddr;
791 __be32 spi;
792
793 saddr = (const xfrm_address_t *)&ipv6_hdr(skb)->saddr;
794 spi = xfrm6_tunnel_spi_lookup(dev_net(skb->dev), saddr);
795
796 return xfrm6_rcv_spi(skb, IPPROTO_IPV6, spi, NULL);
797}
798
799static struct xfrm6_tunnel xfrmi_ipv6_handler __read_mostly = {
800 .handler = xfrmi6_rcv_tunnel,
801 .cb_handler = xfrmi_rcv_cb,
802 .err_handler = xfrmi6_err,
803 .priority = 2,
804};
805
806static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = {
807 .handler = xfrmi6_rcv_tunnel,
808 .cb_handler = xfrmi_rcv_cb,
809 .err_handler = xfrmi6_err,
810 .priority = 2,
811};
812#endif
813
814static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = {
815 .handler = xfrm4_rcv,
816 .input_handler = xfrm_input,
817 .cb_handler = xfrmi_rcv_cb,
818 .err_handler = xfrmi4_err,
819 .priority = 10,
820};
821
822static struct xfrm4_protocol xfrmi_ah4_protocol __read_mostly = {
823 .handler = xfrm4_rcv,
824 .input_handler = xfrm_input,
825 .cb_handler = xfrmi_rcv_cb,
826 .err_handler = xfrmi4_err,
827 .priority = 10,
828};
829
830static struct xfrm4_protocol xfrmi_ipcomp4_protocol __read_mostly = {
831 .handler = xfrm4_rcv,
832 .input_handler = xfrm_input,
833 .cb_handler = xfrmi_rcv_cb,
834 .err_handler = xfrmi4_err,
835 .priority = 10,
836};
837
838#if IS_REACHABLE(CONFIG_INET_XFRM_TUNNEL)
839static int xfrmi4_rcv_tunnel(struct sk_buff *skb)
840{
841 return xfrm4_rcv_spi(skb, IPPROTO_IPIP, ip_hdr(skb)->saddr);
842}
843
844static struct xfrm_tunnel xfrmi_ipip_handler __read_mostly = {
845 .handler = xfrmi4_rcv_tunnel,
846 .cb_handler = xfrmi_rcv_cb,
847 .err_handler = xfrmi4_err,
848 .priority = 3,
849};
850
851static struct xfrm_tunnel xfrmi_ipip6_handler __read_mostly = {
852 .handler = xfrmi4_rcv_tunnel,
853 .cb_handler = xfrmi_rcv_cb,
854 .err_handler = xfrmi4_err,
855 .priority = 2,
856};
857#endif
858
859static int __init xfrmi4_init(void)
860{
861 int err;
862
863 err = xfrm4_protocol_register(&xfrmi_esp4_protocol, IPPROTO_ESP);
864 if (err < 0)
865 goto xfrm_proto_esp_failed;
866 err = xfrm4_protocol_register(&xfrmi_ah4_protocol, IPPROTO_AH);
867 if (err < 0)
868 goto xfrm_proto_ah_failed;
869 err = xfrm4_protocol_register(&xfrmi_ipcomp4_protocol, IPPROTO_COMP);
870 if (err < 0)
871 goto xfrm_proto_comp_failed;
872#if IS_REACHABLE(CONFIG_INET_XFRM_TUNNEL)
873 err = xfrm4_tunnel_register(&xfrmi_ipip_handler, AF_INET);
874 if (err < 0)
875 goto xfrm_tunnel_ipip_failed;
876 err = xfrm4_tunnel_register(&xfrmi_ipip6_handler, AF_INET6);
877 if (err < 0)
878 goto xfrm_tunnel_ipip6_failed;
879#endif
880
881 return 0;
882
883#if IS_REACHABLE(CONFIG_INET_XFRM_TUNNEL)
884xfrm_tunnel_ipip6_failed:
885 xfrm4_tunnel_deregister(&xfrmi_ipip_handler, AF_INET);
886xfrm_tunnel_ipip_failed:
887 xfrm4_protocol_deregister(&xfrmi_ipcomp4_protocol, IPPROTO_COMP);
888#endif
889xfrm_proto_comp_failed:
890 xfrm4_protocol_deregister(&xfrmi_ah4_protocol, IPPROTO_AH);
891xfrm_proto_ah_failed:
892 xfrm4_protocol_deregister(&xfrmi_esp4_protocol, IPPROTO_ESP);
893xfrm_proto_esp_failed:
894 return err;
895}
896
897static void xfrmi4_fini(void)
898{
899#if IS_REACHABLE(CONFIG_INET_XFRM_TUNNEL)
900 xfrm4_tunnel_deregister(&xfrmi_ipip6_handler, AF_INET6);
901 xfrm4_tunnel_deregister(&xfrmi_ipip_handler, AF_INET);
902#endif
903 xfrm4_protocol_deregister(&xfrmi_ipcomp4_protocol, IPPROTO_COMP);
904 xfrm4_protocol_deregister(&xfrmi_ah4_protocol, IPPROTO_AH);
905 xfrm4_protocol_deregister(&xfrmi_esp4_protocol, IPPROTO_ESP);
906}
907
908static int __init xfrmi6_init(void)
909{
910 int err;
911
912 err = xfrm6_protocol_register(&xfrmi_esp6_protocol, IPPROTO_ESP);
913 if (err < 0)
914 goto xfrm_proto_esp_failed;
915 err = xfrm6_protocol_register(&xfrmi_ah6_protocol, IPPROTO_AH);
916 if (err < 0)
917 goto xfrm_proto_ah_failed;
918 err = xfrm6_protocol_register(&xfrmi_ipcomp6_protocol, IPPROTO_COMP);
919 if (err < 0)
920 goto xfrm_proto_comp_failed;
921#if IS_REACHABLE(CONFIG_INET6_XFRM_TUNNEL)
922 err = xfrm6_tunnel_register(&xfrmi_ipv6_handler, AF_INET6);
923 if (err < 0)
924 goto xfrm_tunnel_ipv6_failed;
925 err = xfrm6_tunnel_register(&xfrmi_ip6ip_handler, AF_INET);
926 if (err < 0)
927 goto xfrm_tunnel_ip6ip_failed;
928#endif
929
930 return 0;
931
932#if IS_REACHABLE(CONFIG_INET6_XFRM_TUNNEL)
933xfrm_tunnel_ip6ip_failed:
934 xfrm6_tunnel_deregister(&xfrmi_ipv6_handler, AF_INET6);
935xfrm_tunnel_ipv6_failed:
936 xfrm6_protocol_deregister(&xfrmi_ipcomp6_protocol, IPPROTO_COMP);
937#endif
938xfrm_proto_comp_failed:
939 xfrm6_protocol_deregister(&xfrmi_ah6_protocol, IPPROTO_AH);
940xfrm_proto_ah_failed:
941 xfrm6_protocol_deregister(&xfrmi_esp6_protocol, IPPROTO_ESP);
942xfrm_proto_esp_failed:
943 return err;
944}
945
946static void xfrmi6_fini(void)
947{
948#if IS_REACHABLE(CONFIG_INET6_XFRM_TUNNEL)
949 xfrm6_tunnel_deregister(&xfrmi_ip6ip_handler, AF_INET);
950 xfrm6_tunnel_deregister(&xfrmi_ipv6_handler, AF_INET6);
951#endif
952 xfrm6_protocol_deregister(&xfrmi_ipcomp6_protocol, IPPROTO_COMP);
953 xfrm6_protocol_deregister(&xfrmi_ah6_protocol, IPPROTO_AH);
954 xfrm6_protocol_deregister(&xfrmi_esp6_protocol, IPPROTO_ESP);
955}
956
957static const struct xfrm_if_cb xfrm_if_cb = {
958 .decode_session = xfrmi_decode_session,
959};
960
961static int __init xfrmi_init(void)
962{
963 const char *msg;
964 int err;
965
966 pr_info("IPsec XFRM device driver\n");
967
968 msg = "tunnel device";
969 err = register_pernet_device(&xfrmi_net_ops);
970 if (err < 0)
971 goto pernet_dev_failed;
972
973 msg = "xfrm4 protocols";
974 err = xfrmi4_init();
975 if (err < 0)
976 goto xfrmi4_failed;
977
978 msg = "xfrm6 protocols";
979 err = xfrmi6_init();
980 if (err < 0)
981 goto xfrmi6_failed;
982
983
984 msg = "netlink interface";
985 err = rtnl_link_register(&xfrmi_link_ops);
986 if (err < 0)
987 goto rtnl_link_failed;
988
989 xfrm_if_register_cb(&xfrm_if_cb);
990
991 return err;
992
993rtnl_link_failed:
994 xfrmi6_fini();
995xfrmi6_failed:
996 xfrmi4_fini();
997xfrmi4_failed:
998 unregister_pernet_device(&xfrmi_net_ops);
999pernet_dev_failed:
1000 pr_err("xfrmi init: failed to register %s\n", msg);
1001 return err;
1002}
1003
1004static void __exit xfrmi_fini(void)
1005{
1006 xfrm_if_unregister_cb();
1007 rtnl_link_unregister(&xfrmi_link_ops);
1008 xfrmi4_fini();
1009 xfrmi6_fini();
1010 unregister_pernet_device(&xfrmi_net_ops);
1011}
1012
1013module_init(xfrmi_init);
1014module_exit(xfrmi_fini);
1015MODULE_LICENSE("GPL");
1016MODULE_ALIAS_RTNL_LINK("xfrm");
1017MODULE_ALIAS_NETDEV("xfrm0");
1018MODULE_AUTHOR("Steffen Klassert");
1019MODULE_DESCRIPTION("XFRM virtual interface");