xref: /kernel/linux/linux-5.10/net/xfrm/xfrm_policy.c

169 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir);
170 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
526 	struct xfrm_policy *pol;
532 	hlist_for_each_entry_safe(pol, tmp, list, bydst) {
535 		__get_hash_thresh(net, pol->family, dir, &dbits, &sbits);
536 		h = __addr_hash(&pol->selector.daddr, &pol->selector.saddr,
537 				pol->family, nhashmask, dbits, sbits);
539 			hlist_del_rcu(&pol->bydst);
540 			hlist_add_head_rcu(&pol->bydst, ndsttable + h);
545 			hlist_del_rcu(&pol->bydst);
546 			hlist_add_behind_rcu(&pol->bydst, entry0);
548 		entry0 = &pol->bydst;
561 	struct xfrm_policy *pol;
563 	hlist_for_each_entry_safe(pol, tmp, list, byidx) {
566 		h = __idx_hash(pol->index, nhashmask);
567 		hlist_add_head(&pol->byidx, nidxtable+h);
691 /* Make sure *pol can be inserted into fastbin.
696 xfrm_policy_inexact_alloc_bin(const struct xfrm_policy *pol, u8 dir)
700 		.family = pol->family,
701 		.type = pol->type,
703 		.if_id = pol->if_id,
705 	struct net *net = xp_net(pol);
1226 	struct xfrm_policy *pol;
1344 		hlist_for_each_entry(pol, chain, bydst) {
1345 			if (policy->priority >= pol->priority)
1346 				newpos = &pol->bydst;
1446 					  struct xfrm_policy *pol)
1448 	return mark->v == pol->mark.v && mark->m == pol->mark.m;
1503 	struct xfrm_policy *pol, *delpol = NULL;
1507 	hlist_for_each_entry(pol, chain, bydst_inexact_list) {
1508 		if (pol->type == policy->type &&
1509 		    pol->if_id == policy->if_id &&
1510 		    !selector_cmp(&pol->selector, &policy->selector) &&
1511 		    xfrm_policy_mark_match(&policy->mark, pol) &&
1512 		    xfrm_sec_ctx_match(pol->security, policy->security) &&
1514 			delpol = pol;
1515 			if (policy->priority > pol->priority)
1517 		} else if (policy->priority >= pol->priority) {
1518 			newpos = &pol->bydst_inexact_list;
1530 	hlist_for_each_entry(pol, chain, bydst_inexact_list) {
1531 		pol->pos = i;
1540 	struct xfrm_policy *pol, *newpos = NULL, *delpol = NULL;
1542 	hlist_for_each_entry(pol, chain, bydst) {
1543 		if (pol->type == policy->type &&
1544 		    pol->if_id == policy->if_id &&
1545 		    !selector_cmp(&pol->selector, &policy->selector) &&
1546 		    xfrm_policy_mark_match(&policy->mark, pol) &&
1547 		    xfrm_sec_ctx_match(pol->security, policy->security) &&
1551 			delpol = pol;
1552 			if (policy->priority > pol->priority)
1554 		} else if (policy->priority >= pol->priority) {
1555 			newpos = pol;
1622 	struct xfrm_policy *pol;
1627 	hlist_for_each_entry(pol, chain, bydst) {
1628 		if (pol->type == type &&
1629 		    pol->if_id == if_id &&
1630 		    xfrm_policy_mark_match(mark, pol) &&
1631 		    !selector_cmp(sel, &pol->selector) &&
1632 		    xfrm_sec_ctx_match(ctx, pol->security))
1633 			return pol;
1645 	struct xfrm_policy *pol, *ret = NULL;
1669 		pol = NULL;
1679 			if (!pol || tmp->pos < pol->pos)
1680 				pol = tmp;
1683 		pol = __xfrm_policy_bysel_ctx(chain, mark, if_id, type, dir,
1687 	if (pol) {
1688 		xfrm_pol_hold(pol);
1690 			*err = security_xfrm_policy_delete(pol->security);
1693 				return pol;
1695 			__xfrm_policy_unlink(pol, dir);
1697 		ret = pol;
1713 	struct xfrm_policy *pol, *ret;
1724 	hlist_for_each_entry(pol, chain, byidx) {
1725 		if (pol->type == type && pol->index == id &&
1726 		    pol->if_id == if_id && xfrm_policy_mark_match(mark, pol)) {
1727 			xfrm_pol_hold(pol);
1730 								pol->security);
1733 					return pol;
1735 				__xfrm_policy_unlink(pol, dir);
1737 			ret = pol;
1753 	struct xfrm_policy *pol;
1756 	list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
1757 		if (pol->walk.dead ||
1758 		    xfrm_policy_id2dir(pol->index) >= XFRM_POLICY_MAX ||
1759 		    pol->type != type)
1762 		err = security_xfrm_policy_delete(pol->security);
1764 			xfrm_audit_policy_delete(pol, 0, task_valid);
1781 	struct xfrm_policy *pol;
1790 	list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
1791 		dir = xfrm_policy_id2dir(pol->index);
1792 		if (pol->walk.dead ||
1794 		    pol->type != type)
1797 		__xfrm_policy_unlink(pol, dir);
1800 		xfrm_audit_policy_delete(pol, 1, task_valid);
1801 		xfrm_policy_kill(pol);
1819 	struct xfrm_policy *pol;
1840 		pol = container_of(x, struct xfrm_policy, walk);
1842 		    walk->type != pol->type)
1844 		error = func(pol, xfrm_policy_id2dir(pol->index),
1888 static int xfrm_policy_match(const struct xfrm_policy *pol,
1892 	const struct xfrm_selector *sel = &pol->selector;
1896 	if (pol->family != family ||
1897 	    pol->if_id != if_id ||
1898 	    (fl->flowi_mark & pol->mark.m) != pol->mark.v ||
1899 	    pol->type != type)
1904 		ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid,
2019 	struct xfrm_policy *pol;
2024 	hlist_for_each_entry_rcu(pol, chain, bydst) {
2027 		if (pol->priority > priority)
2030 		err = xfrm_policy_match(pol, fl, type, family, dir, if_id);
2040 			if (pol->priority == priority &&
2041 			    prefer->pos < pol->pos)
2045 		return pol;
2084 	struct xfrm_policy *pol, *ret;
2102 	hlist_for_each_entry_rcu(pol, chain, bydst) {
2103 		err = xfrm_policy_match(pol, fl, type, family, dir, if_id);
2112 			ret = pol;
2121 	pol = xfrm_policy_eval_candidates(&cand, ret, fl, type,
2123 	if (pol) {
2124 		ret = pol;
2125 		if (IS_ERR(pol))
2146 	struct xfrm_policy *pol;
2148 	pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_SUB, fl, family,
2150 	if (pol != NULL)
2151 		return pol;
2161 	struct xfrm_policy *pol;
2165 	pol = rcu_dereference(sk->sk_policy[dir]);
2166 	if (pol != NULL) {
2170 		if (pol->family != family) {
2171 			pol = NULL;
2175 		match = xfrm_selector_match(&pol->selector, fl, family);
2177 			if ((sk->sk_mark & pol->mark.m) != pol->mark.v ||
2178 			    pol->if_id != if_id) {
2179 				pol = NULL;
2182 			err = security_xfrm_policy_lookup(pol->security,
2186 				if (!xfrm_pol_hold_rcu(pol))
2189 				pol = NULL;
2191 				pol = ERR_PTR(err);
2194 			pol = NULL;
2198 	return pol;
2201 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir)
2203 	struct net *net = xp_net(pol);
2205 	list_add(&pol->walk.all, &net->xfrm.policy_all);
2207 	xfrm_pol_hold(pol);
2210 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
2213 	struct net *net = xp_net(pol);
2215 	if (list_empty(&pol->walk.all))
2219 	if (!hlist_unhashed(&pol->bydst)) {
2220 		hlist_del_rcu(&pol->bydst);
2221 		hlist_del_init(&pol->bydst_inexact_list);
2222 		hlist_del(&pol->byidx);
2225 	list_del_init(&pol->walk.all);
2228 	return pol;
2231 static void xfrm_sk_policy_link(struct xfrm_policy *pol, int dir)
2233 	__xfrm_policy_link(pol, XFRM_POLICY_MAX + dir);
2236 static void xfrm_sk_policy_unlink(struct xfrm_policy *pol, int dir)
2238 	__xfrm_policy_unlink(pol, XFRM_POLICY_MAX + dir);
2241 int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
2243 	struct net *net = xp_net(pol);
2246 	pol = __xfrm_policy_unlink(pol, dir);
2248 	if (pol) {
2249 		xfrm_policy_kill(pol);
2256 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
2262 	if (pol && pol->type != XFRM_POLICY_TYPE_MAIN)
2269 	if (pol) {
2270 		pol->curlft.add_time = ktime_get_real_seconds();
2271 		pol->index = xfrm_gen_index(net, XFRM_POLICY_MAX+dir, 0);
2272 		xfrm_sk_policy_link(pol, dir);
2274 	rcu_assign_pointer(sk->sk_policy[dir], pol);
2276 		if (pol)
2277 			xfrm_policy_requeue(old_pol, pol);
2761 	struct xfrm_policy *pol = from_timer(pol, t, polq.hold_timer);
2762 	struct net *net = xp_net(pol);
2763 	struct xfrm_policy_queue *pq = &pol->polq;
2779 	skb->mark = pol->mark.v;
2797 			xfrm_pol_hold(pol);
2815 		skb->mark = pol->mark.v;
2834 	xfrm_pol_put(pol);
2840 	xfrm_pol_put(pol);
2848 	struct xfrm_policy *pol = xdst->pols[0];
2849 	struct xfrm_policy_queue *pq = &pol->polq;
2873 		xfrm_pol_put(pol);
2878 		xfrm_pol_hold(pol);
3557 	struct xfrm_policy *pol;
3606 	pol = NULL;
3609 		pol = xfrm_sk_policy_lookup(sk, dir, &fl, family, if_id);
3610 		if (IS_ERR(pol)) {
3616 	if (!pol)
3617 		pol = xfrm_policy_lookup(net, &fl, family, dir, if_id);
3619 	if (IS_ERR(pol)) {
3624 	if (!pol) {
3638 	pol->curlft.use_time = ktime_get_real_seconds();
3640 	pols[0] = pol;
3659 	if (pol->action == XFRM_POLICY_ALLOW) {
3672 			if (pols[pi] != pol &&
4316 	struct xfrm_policy *pol, *ret = NULL;
4322 	hlist_for_each_entry(pol, chain, bydst) {
4323 		if ((if_id == 0 || pol->if_id == if_id) &&
4324 		    xfrm_migrate_selector_match(sel, &pol->selector) &&
4325 		    pol->type == type) {
4326 			ret = pol;
4332 	hlist_for_each_entry(pol, chain, bydst_inexact_list) {
4333 		if ((pol->priority >= priority) && ret)
4336 		if ((if_id == 0 || pol->if_id == if_id) &&
4337 		    xfrm_migrate_selector_match(sel, &pol->selector) &&
4338 		    pol->type == type) {
4339 			ret = pol;
4381 static int xfrm_policy_migrate(struct xfrm_policy *pol,
4387 	write_lock_bh(&pol->lock);
4388 	if (unlikely(pol->walk.dead)) {
4390 		write_unlock_bh(&pol->lock);
4394 	for (i = 0; i < pol->xfrm_nr; i++) {
4396 			if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i]))
4399 			if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL &&
4400 			    pol->xfrm_vec[i].mode != XFRM_MODE_BEET)
4403 			memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr,
4404 			       sizeof(pol->xfrm_vec[i].id.daddr));
4405 			memcpy(&pol->xfrm_vec[i].saddr, &mp->new_saddr,
4406 			       sizeof(pol->xfrm_vec[i].saddr));
4407 			pol->xfrm_vec[i].encap_family = mp->new_family;
4409 			atomic_inc(&pol->genid);
4413 	write_unlock_bh(&pol->lock);
4456 	struct xfrm_policy *pol = NULL;
4472 	if ((pol = xfrm_migrate_policy_find(sel, dir, type, net, if_id)) == NULL) {
4494 	if ((err = xfrm_policy_migrate(pol, m, num_migrate)) < 0)
4506 	xfrm_pol_put(pol);
4513 	if (pol)
4514 		xfrm_pol_put(pol);

Indexes created Thu Nov 07 10:32:03 CST 2024