Commit 4e81bb83 authored by Masahide NAKAMURA's avatar Masahide NAKAMURA Committed by David S. Miller

[XFRM] POLICY: sub policy support.

Sub policy is introduced. Main and sub policy are applied the same flow.
(Policy that current kernel uses is named as main.)
Another transformation policy management is required to keep IPsec
and Mobile IPv6 separate.
Policy which lives shorter time in kernel should be a sub i.e. normally
main is for IPsec and sub is for Mobile IPv6.
(Such usage as two IPsec policies on different database can be used, too.)

Limitation or TODOs:
 - Sub policy is not supported for per socket one (it is always inserted as main).
 - Current kernel makes cached outbound with flowi to skip searching database.
   However this patch makes it disabled only when "two policies are used and
   the first matched one is bypass case" because neither flowi nor bundle
   information knows about transformation template size.
Signed-off-by: default avatarMasahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: default avatarYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
parent c11f1a15
...@@ -102,6 +102,13 @@ struct xfrm_stats { ...@@ -102,6 +102,13 @@ struct xfrm_stats {
__u32 integrity_failed; __u32 integrity_failed;
}; };
enum
{
XFRM_POLICY_TYPE_MAIN = 0,
XFRM_POLICY_TYPE_SUB = 1,
XFRM_POLICY_TYPE_MAX = 2
};
enum enum
{ {
XFRM_POLICY_IN = 0, XFRM_POLICY_IN = 0,
......
...@@ -341,6 +341,7 @@ struct xfrm_policy ...@@ -341,6 +341,7 @@ struct xfrm_policy
atomic_t refcnt; atomic_t refcnt;
struct timer_list timer; struct timer_list timer;
u8 type;
u32 priority; u32 priority;
u32 index; u32 index;
struct xfrm_selector selector; struct xfrm_selector selector;
...@@ -389,6 +390,19 @@ extern int xfrm_unregister_km(struct xfrm_mgr *km); ...@@ -389,6 +390,19 @@ extern int xfrm_unregister_km(struct xfrm_mgr *km);
extern struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2]; extern struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2];
#ifdef CONFIG_XFRM_SUB_POLICY
extern struct xfrm_policy *xfrm_policy_list_sub[XFRM_POLICY_MAX*2];
static inline int xfrm_policy_lists_empty(int dir)
{
return (!xfrm_policy_list[dir] && !xfrm_policy_list_sub[dir]);
}
#else
static inline int xfrm_policy_lists_empty(int dir)
{
return (!xfrm_policy_list[dir]);
}
#endif
static inline void xfrm_pol_hold(struct xfrm_policy *policy) static inline void xfrm_pol_hold(struct xfrm_policy *policy)
{ {
...@@ -404,6 +418,20 @@ static inline void xfrm_pol_put(struct xfrm_policy *policy) ...@@ -404,6 +418,20 @@ static inline void xfrm_pol_put(struct xfrm_policy *policy)
__xfrm_policy_destroy(policy); __xfrm_policy_destroy(policy);
} }
#ifdef CONFIG_XFRM_SUB_POLICY
static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
{
int i;
for (i = npols - 1; i >= 0; --i)
xfrm_pol_put(pols[i]);
}
#else
static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
{
xfrm_pol_put(pols[0]);
}
#endif
#define XFRM_DST_HSIZE 1024 #define XFRM_DST_HSIZE 1024
static __inline__ static __inline__
...@@ -737,8 +765,8 @@ static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *sk ...@@ -737,8 +765,8 @@ static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *sk
{ {
if (sk && sk->sk_policy[XFRM_POLICY_IN]) if (sk && sk->sk_policy[XFRM_POLICY_IN])
return __xfrm_policy_check(sk, dir, skb, family); return __xfrm_policy_check(sk, dir, skb, family);
return (!xfrm_policy_list[dir] && !skb->sp) || return (xfrm_policy_lists_empty(dir) && !skb->sp) ||
(skb->dst->flags & DST_NOPOLICY) || (skb->dst->flags & DST_NOPOLICY) ||
__xfrm_policy_check(sk, dir, skb, family); __xfrm_policy_check(sk, dir, skb, family);
} }
...@@ -758,7 +786,7 @@ extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family); ...@@ -758,7 +786,7 @@ extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
{ {
return !xfrm_policy_list[XFRM_POLICY_OUT] || return xfrm_policy_lists_empty(XFRM_POLICY_OUT) ||
(skb->dst->flags & DST_NOXFRM) || (skb->dst->flags & DST_NOXFRM) ||
__xfrm_route_forward(skb, family); __xfrm_route_forward(skb, family);
} }
...@@ -1023,18 +1051,19 @@ static inline int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsig ...@@ -1023,18 +1051,19 @@ static inline int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsig
#endif #endif
struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp); struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
extern int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*), void *); extern int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*), void *);
int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl); int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel, struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
struct xfrm_selector *sel,
struct xfrm_sec_ctx *ctx, int delete); struct xfrm_sec_ctx *ctx, int delete);
struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete); struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete);
void xfrm_policy_flush(void); void xfrm_policy_flush(u8 type);
u32 xfrm_get_acqseq(void); u32 xfrm_get_acqseq(void);
void xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi); void xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto, struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
xfrm_address_t *daddr, xfrm_address_t *saddr, xfrm_address_t *daddr, xfrm_address_t *saddr,
int create, unsigned short family); int create, unsigned short family);
extern void xfrm_policy_flush(void); extern void xfrm_policy_flush(u8 type);
extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol); extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
extern int xfrm_flush_bundles(void); extern int xfrm_flush_bundles(void);
extern void xfrm_flush_all_bundles(void); extern void xfrm_flush_all_bundles(void);
......
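Review bot: The `#else` variant of `xfrm_pols_put` (the second of the two definitions in the fourth hunk) ignores its `npols` argument and always drops a reference on `pols[0]`, while the `CONFIG_XFRM_SUB_POLICY` variant loops from `npols - 1` down to `0` and does nothing for `npols == 0`; the visible tail of `xfrm_pol_put` shows no NULL check (its head is outside the hunk), so a caller that reaches this with zero resolved policies would misbehave on the non-sub build only. I would make the two variants agree, `if (npols > 0) xfrm_pol_put(pols[0]);`, or simply use the same loop body in both branches. The `xfrm_policy_byid` prototype in the last hunk also drops the name of its new `u8` parameter while the neighbouring `xfrm_policy_bysel_ctx` and `xfrm_policy_flush` declarations keep `u8 type`; keeping the name there documents the argument. A short comment on the new member of `struct xfrm_policy`, e.g. `u8 type; /* XFRM_POLICY_TYPE_MAIN or XFRM_POLICY_TYPE_SUB */`, would tie it to the enum added in the first hunk.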