6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
16 #include <linux/workqueue.h>
18 #include <linux/pfkeyv2.h>
19 #include <linux/ipsec.h>
20 #include <linux/module.h>
21 #include <linux/cache.h>
22 #include <asm/uaccess.h>
23 #include <linux/audit.h>
24 #include <linux/cache.h>
26 #include "xfrm_hash.h"
29 EXPORT_SYMBOL(xfrm_nl);
31 u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
32 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
34 u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
35 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
37 u32 sysctl_xfrm_acq_expires __read_mostly = 30;
39 /* Each xfrm_state may be linked to two tables:
41 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
42 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
43 destination/tunnel endpoint. (output)
46 static DEFINE_SPINLOCK(xfrm_state_lock);
48 /* Hash table to find appropriate SA towards given target (endpoint
49 * of tunnel or destination of transport mode) allowed by selector.
51 * Main use is finding SA after policy selected tunnel or transport mode.
52 * Also, it can be used by ah/esp icmp error handler to find offending SA.
54 static struct hlist_head *xfrm_state_bydst __read_mostly;
55 static struct hlist_head *xfrm_state_bysrc __read_mostly;
56 static struct hlist_head *xfrm_state_byspi __read_mostly;
57 static unsigned int xfrm_state_hmask __read_mostly;
58 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
59 static unsigned int xfrm_state_num;
60 static unsigned int xfrm_state_genid;
62 static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr,
63 xfrm_address_t *saddr,
65 unsigned short family)
67 return __xfrm_dst_hash(daddr, saddr, reqid, family, xfrm_state_hmask);
70 static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr,
71 xfrm_address_t *saddr,
72 unsigned short family)
74 return __xfrm_src_hash(daddr, saddr, family, xfrm_state_hmask);
77 static inline unsigned int
78 xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
80 return __xfrm_spi_hash(daddr, spi, proto, family, xfrm_state_hmask);
83 static void xfrm_hash_transfer(struct hlist_head *list,
84 struct hlist_head *ndsttable,
85 struct hlist_head *nsrctable,
86 struct hlist_head *nspitable,
87 unsigned int nhashmask)
89 struct hlist_node *entry, *tmp;
92 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
95 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
96 x->props.reqid, x->props.family,
98 hlist_add_head(&x->bydst, ndsttable+h);
100 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
103 hlist_add_head(&x->bysrc, nsrctable+h);
106 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
107 x->id.proto, x->props.family,
109 hlist_add_head(&x->byspi, nspitable+h);
114 static unsigned long xfrm_hash_new_size(void)
116 return ((xfrm_state_hmask + 1) << 1) *
117 sizeof(struct hlist_head);
120 static DEFINE_MUTEX(hash_resize_mutex);
122 static void xfrm_hash_resize(struct work_struct *__unused)
124 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
125 unsigned long nsize, osize;
126 unsigned int nhashmask, ohashmask;
129 mutex_lock(&hash_resize_mutex);
131 nsize = xfrm_hash_new_size();
132 ndst = xfrm_hash_alloc(nsize);
135 nsrc = xfrm_hash_alloc(nsize);
137 xfrm_hash_free(ndst, nsize);
140 nspi = xfrm_hash_alloc(nsize);
142 xfrm_hash_free(ndst, nsize);
143 xfrm_hash_free(nsrc, nsize);
147 spin_lock_bh(&xfrm_state_lock);
149 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
150 for (i = xfrm_state_hmask; i >= 0; i--)
151 xfrm_hash_transfer(xfrm_state_bydst+i, ndst, nsrc, nspi,
154 odst = xfrm_state_bydst;
155 osrc = xfrm_state_bysrc;
156 ospi = xfrm_state_byspi;
157 ohashmask = xfrm_state_hmask;
159 xfrm_state_bydst = ndst;
160 xfrm_state_bysrc = nsrc;
161 xfrm_state_byspi = nspi;
162 xfrm_state_hmask = nhashmask;
164 spin_unlock_bh(&xfrm_state_lock);
166 osize = (ohashmask + 1) * sizeof(struct hlist_head);
167 xfrm_hash_free(odst, osize);
168 xfrm_hash_free(osrc, osize);
169 xfrm_hash_free(ospi, osize);
172 mutex_unlock(&hash_resize_mutex);
175 static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize);
177 DECLARE_WAIT_QUEUE_HEAD(km_waitq);
178 EXPORT_SYMBOL(km_waitq);
180 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
181 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
183 static struct work_struct xfrm_state_gc_work;
184 static HLIST_HEAD(xfrm_state_gc_list);
185 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
187 int __xfrm_state_delete(struct xfrm_state *x);
189 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
190 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
192 static void xfrm_state_gc_destroy(struct xfrm_state *x)
194 del_timer_sync(&x->timer);
195 del_timer_sync(&x->rtimer);
202 xfrm_put_mode(x->mode);
204 x->type->destructor(x);
205 xfrm_put_type(x->type);
207 security_xfrm_state_free(x);
211 static void xfrm_state_gc_task(struct work_struct *data)
213 struct xfrm_state *x;
214 struct hlist_node *entry, *tmp;
215 struct hlist_head gc_list;
217 spin_lock_bh(&xfrm_state_gc_lock);
218 gc_list.first = xfrm_state_gc_list.first;
219 INIT_HLIST_HEAD(&xfrm_state_gc_list);
220 spin_unlock_bh(&xfrm_state_gc_lock);
222 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, bydst)
223 xfrm_state_gc_destroy(x);
228 static inline unsigned long make_jiffies(long secs)
230 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
231 return MAX_SCHEDULE_TIMEOUT-1;
236 static void xfrm_timer_handler(unsigned long data)
238 struct xfrm_state *x = (struct xfrm_state*)data;
239 unsigned long now = get_seconds();
240 long next = LONG_MAX;
245 if (x->km.state == XFRM_STATE_DEAD)
247 if (x->km.state == XFRM_STATE_EXPIRED)
249 if (x->lft.hard_add_expires_seconds) {
250 long tmo = x->lft.hard_add_expires_seconds +
251 x->curlft.add_time - now;
257 if (x->lft.hard_use_expires_seconds) {
258 long tmo = x->lft.hard_use_expires_seconds +
259 (x->curlft.use_time ? : now) - now;
267 if (x->lft.soft_add_expires_seconds) {
268 long tmo = x->lft.soft_add_expires_seconds +
269 x->curlft.add_time - now;
275 if (x->lft.soft_use_expires_seconds) {
276 long tmo = x->lft.soft_use_expires_seconds +
277 (x->curlft.use_time ? : now) - now;
286 km_state_expired(x, 0, 0);
288 if (next != LONG_MAX)
289 mod_timer(&x->timer, jiffies + make_jiffies(next));
294 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
295 x->km.state = XFRM_STATE_EXPIRED;
301 err = __xfrm_state_delete(x);
302 if (!err && x->id.spi)
303 km_state_expired(x, 1, 0);
305 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
306 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
309 spin_unlock(&x->lock);
312 static void xfrm_replay_timer_handler(unsigned long data);
314 struct xfrm_state *xfrm_state_alloc(void)
316 struct xfrm_state *x;
318 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
321 atomic_set(&x->refcnt, 1);
322 atomic_set(&x->tunnel_users, 0);
323 INIT_HLIST_NODE(&x->bydst);
324 INIT_HLIST_NODE(&x->bysrc);
325 INIT_HLIST_NODE(&x->byspi);
326 init_timer(&x->timer);
327 x->timer.function = xfrm_timer_handler;
328 x->timer.data = (unsigned long)x;
329 init_timer(&x->rtimer);
330 x->rtimer.function = xfrm_replay_timer_handler;
331 x->rtimer.data = (unsigned long)x;
332 x->curlft.add_time = get_seconds();
333 x->lft.soft_byte_limit = XFRM_INF;
334 x->lft.soft_packet_limit = XFRM_INF;
335 x->lft.hard_byte_limit = XFRM_INF;
336 x->lft.hard_packet_limit = XFRM_INF;
337 x->replay_maxage = 0;
338 x->replay_maxdiff = 0;
339 spin_lock_init(&x->lock);
343 EXPORT_SYMBOL(xfrm_state_alloc);
345 void __xfrm_state_destroy(struct xfrm_state *x)
347 BUG_TRAP(x->km.state == XFRM_STATE_DEAD);
349 spin_lock_bh(&xfrm_state_gc_lock);
350 hlist_add_head(&x->bydst, &xfrm_state_gc_list);
351 spin_unlock_bh(&xfrm_state_gc_lock);
352 schedule_work(&xfrm_state_gc_work);
354 EXPORT_SYMBOL(__xfrm_state_destroy);
356 int __xfrm_state_delete(struct xfrm_state *x)
360 if (x->km.state != XFRM_STATE_DEAD) {
361 x->km.state = XFRM_STATE_DEAD;
362 spin_lock(&xfrm_state_lock);
363 hlist_del(&x->bydst);
364 hlist_del(&x->bysrc);
366 hlist_del(&x->byspi);
368 spin_unlock(&xfrm_state_lock);
370 /* All xfrm_state objects are created by xfrm_state_alloc.
371 * The xfrm_state_alloc call gives a reference, and that
372 * is what we are dropping here.
380 EXPORT_SYMBOL(__xfrm_state_delete);
382 int xfrm_state_delete(struct xfrm_state *x)
386 spin_lock_bh(&x->lock);
387 err = __xfrm_state_delete(x);
388 spin_unlock_bh(&x->lock);
392 EXPORT_SYMBOL(xfrm_state_delete);
394 #ifdef CONFIG_SECURITY_NETWORK_XFRM
396 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
400 for (i = 0; i <= xfrm_state_hmask; i++) {
401 struct hlist_node *entry;
402 struct xfrm_state *x;
404 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
405 if (xfrm_id_proto_match(x->id.proto, proto) &&
406 (err = security_xfrm_state_delete(x)) != 0) {
407 xfrm_audit_log(audit_info->loginuid,
409 AUDIT_MAC_IPSEC_DELSA,
421 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
427 int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
431 spin_lock_bh(&xfrm_state_lock);
432 err = xfrm_state_flush_secctx_check(proto, audit_info);
436 for (i = 0; i <= xfrm_state_hmask; i++) {
437 struct hlist_node *entry;
438 struct xfrm_state *x;
440 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
441 if (!xfrm_state_kern(x) &&
442 xfrm_id_proto_match(x->id.proto, proto)) {
444 spin_unlock_bh(&xfrm_state_lock);
446 err = xfrm_state_delete(x);
447 xfrm_audit_log(audit_info->loginuid,
449 AUDIT_MAC_IPSEC_DELSA,
450 err ? 0 : 1, NULL, x);
453 spin_lock_bh(&xfrm_state_lock);
461 spin_unlock_bh(&xfrm_state_lock);
465 EXPORT_SYMBOL(xfrm_state_flush);
467 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
469 spin_lock_bh(&xfrm_state_lock);
470 si->sadcnt = xfrm_state_num;
471 si->sadhcnt = xfrm_state_hmask;
472 si->sadhmcnt = xfrm_state_hashmax;
473 spin_unlock_bh(&xfrm_state_lock);
475 EXPORT_SYMBOL(xfrm_sad_getinfo);
478 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
479 struct xfrm_tmpl *tmpl,
480 xfrm_address_t *daddr, xfrm_address_t *saddr,
481 unsigned short family)
483 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
486 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
487 xfrm_state_put_afinfo(afinfo);
491 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
493 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family);
494 struct xfrm_state *x;
495 struct hlist_node *entry;
497 hlist_for_each_entry(x, entry, xfrm_state_byspi+h, byspi) {
498 if (x->props.family != family ||
500 x->id.proto != proto)
505 if (x->id.daddr.a4 != daddr->a4)
509 if (!ipv6_addr_equal((struct in6_addr *)daddr,
523 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
525 unsigned int h = xfrm_src_hash(daddr, saddr, family);
526 struct xfrm_state *x;
527 struct hlist_node *entry;
529 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
530 if (x->props.family != family ||
531 x->id.proto != proto)
536 if (x->id.daddr.a4 != daddr->a4 ||
537 x->props.saddr.a4 != saddr->a4)
541 if (!ipv6_addr_equal((struct in6_addr *)daddr,
544 !ipv6_addr_equal((struct in6_addr *)saddr,
558 static inline struct xfrm_state *
559 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
562 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
563 x->id.proto, family);
565 return __xfrm_state_lookup_byaddr(&x->id.daddr,
567 x->id.proto, family);
570 static void xfrm_hash_grow_check(int have_hash_collision)
572 if (have_hash_collision &&
573 (xfrm_state_hmask + 1) < xfrm_state_hashmax &&
574 xfrm_state_num > xfrm_state_hmask)
575 schedule_work(&xfrm_hash_work);
579 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
580 struct flowi *fl, struct xfrm_tmpl *tmpl,
581 struct xfrm_policy *pol, int *err,
582 unsigned short family)
584 unsigned int h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family);
585 struct hlist_node *entry;
586 struct xfrm_state *x, *x0;
587 int acquire_in_progress = 0;
589 struct xfrm_state *best = NULL;
591 spin_lock_bh(&xfrm_state_lock);
592 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
593 if (x->props.family == family &&
594 x->props.reqid == tmpl->reqid &&
595 !(x->props.flags & XFRM_STATE_WILDRECV) &&
596 xfrm_state_addr_check(x, daddr, saddr, family) &&
597 tmpl->mode == x->props.mode &&
598 tmpl->id.proto == x->id.proto &&
599 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
601 1. There is a valid state with matching selector.
603 2. Valid state with inappropriate selector. Skip.
605 Entering area of "sysdeps".
607 3. If state is not valid, selector is temporary,
608 it selects only session which triggered
609 previous resolution. Key manager will do
610 something to install a state with proper
613 if (x->km.state == XFRM_STATE_VALID) {
614 if (!xfrm_selector_match(&x->sel, fl, family) ||
615 !security_xfrm_state_pol_flow_match(x, pol, fl))
618 best->km.dying > x->km.dying ||
619 (best->km.dying == x->km.dying &&
620 best->curlft.add_time < x->curlft.add_time))
622 } else if (x->km.state == XFRM_STATE_ACQ) {
623 acquire_in_progress = 1;
624 } else if (x->km.state == XFRM_STATE_ERROR ||
625 x->km.state == XFRM_STATE_EXPIRED) {
626 if (xfrm_selector_match(&x->sel, fl, family) &&
627 security_xfrm_state_pol_flow_match(x, pol, fl))
634 if (!x && !error && !acquire_in_progress) {
636 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
637 tmpl->id.proto, family)) != NULL) {
642 x = xfrm_state_alloc();
647 /* Initialize temporary selector matching only
648 * to current session. */
649 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
651 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
653 x->km.state = XFRM_STATE_DEAD;
659 if (km_query(x, tmpl, pol) == 0) {
660 x->km.state = XFRM_STATE_ACQ;
661 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
662 h = xfrm_src_hash(daddr, saddr, family);
663 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
665 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family);
666 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
668 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
669 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
670 add_timer(&x->timer);
672 xfrm_hash_grow_check(x->bydst.next != NULL);
674 x->km.state = XFRM_STATE_DEAD;
684 *err = acquire_in_progress ? -EAGAIN : error;
685 spin_unlock_bh(&xfrm_state_lock);
690 xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
691 unsigned short family, u8 mode, u8 proto, u32 reqid)
693 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
694 struct xfrm_state *rx = NULL, *x = NULL;
695 struct hlist_node *entry;
697 spin_lock(&xfrm_state_lock);
698 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
699 if (x->props.family == family &&
700 x->props.reqid == reqid &&
701 !(x->props.flags & XFRM_STATE_WILDRECV) &&
702 xfrm_state_addr_check(x, daddr, saddr, family) &&
703 mode == x->props.mode &&
704 proto == x->id.proto &&
705 x->km.state == XFRM_STATE_VALID) {
713 spin_unlock(&xfrm_state_lock);
718 EXPORT_SYMBOL(xfrm_stateonly_find);
720 static void __xfrm_state_insert(struct xfrm_state *x)
724 x->genid = ++xfrm_state_genid;
726 h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
727 x->props.reqid, x->props.family);
728 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
730 h = xfrm_src_hash(&x->id.daddr, &x->props.saddr, x->props.family);
731 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
734 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto,
737 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
740 mod_timer(&x->timer, jiffies + HZ);
741 if (x->replay_maxage)
742 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
748 xfrm_hash_grow_check(x->bydst.next != NULL);
751 /* xfrm_state_lock is held */
752 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
754 unsigned short family = xnew->props.family;
755 u32 reqid = xnew->props.reqid;
756 struct xfrm_state *x;
757 struct hlist_node *entry;
760 h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family);
761 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
762 if (x->props.family == family &&
763 x->props.reqid == reqid &&
764 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
765 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
766 x->genid = xfrm_state_genid;
770 void xfrm_state_insert(struct xfrm_state *x)
772 spin_lock_bh(&xfrm_state_lock);
773 __xfrm_state_bump_genids(x);
774 __xfrm_state_insert(x);
775 spin_unlock_bh(&xfrm_state_lock);
777 EXPORT_SYMBOL(xfrm_state_insert);
779 /* xfrm_state_lock is held */
780 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
782 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
783 struct hlist_node *entry;
784 struct xfrm_state *x;
786 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
787 if (x->props.reqid != reqid ||
788 x->props.mode != mode ||
789 x->props.family != family ||
790 x->km.state != XFRM_STATE_ACQ ||
792 x->id.proto != proto)
797 if (x->id.daddr.a4 != daddr->a4 ||
798 x->props.saddr.a4 != saddr->a4)
802 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
803 (struct in6_addr *)daddr) ||
804 !ipv6_addr_equal((struct in6_addr *)
806 (struct in6_addr *)saddr))
818 x = xfrm_state_alloc();
822 x->sel.daddr.a4 = daddr->a4;
823 x->sel.saddr.a4 = saddr->a4;
824 x->sel.prefixlen_d = 32;
825 x->sel.prefixlen_s = 32;
826 x->props.saddr.a4 = saddr->a4;
827 x->id.daddr.a4 = daddr->a4;
831 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
832 (struct in6_addr *)daddr);
833 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
834 (struct in6_addr *)saddr);
835 x->sel.prefixlen_d = 128;
836 x->sel.prefixlen_s = 128;
837 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
838 (struct in6_addr *)saddr);
839 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
840 (struct in6_addr *)daddr);
844 x->km.state = XFRM_STATE_ACQ;
846 x->props.family = family;
847 x->props.mode = mode;
848 x->props.reqid = reqid;
849 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
851 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
852 add_timer(&x->timer);
853 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
854 h = xfrm_src_hash(daddr, saddr, family);
855 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
860 xfrm_hash_grow_check(x->bydst.next != NULL);
866 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
868 int xfrm_state_add(struct xfrm_state *x)
870 struct xfrm_state *x1;
873 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
875 family = x->props.family;
877 spin_lock_bh(&xfrm_state_lock);
879 x1 = __xfrm_state_locate(x, use_spi, family);
887 if (use_spi && x->km.seq) {
888 x1 = __xfrm_find_acq_byseq(x->km.seq);
889 if (x1 && ((x1->id.proto != x->id.proto) ||
890 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
897 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
899 &x->id.daddr, &x->props.saddr, 0);
901 __xfrm_state_bump_genids(x);
902 __xfrm_state_insert(x);
906 spin_unlock_bh(&xfrm_state_lock);
909 xfrm_state_delete(x1);
915 EXPORT_SYMBOL(xfrm_state_add);
917 #ifdef CONFIG_XFRM_MIGRATE
918 struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
921 struct xfrm_state *x = xfrm_state_alloc();
925 memcpy(&x->id, &orig->id, sizeof(x->id));
926 memcpy(&x->sel, &orig->sel, sizeof(x->sel));
927 memcpy(&x->lft, &orig->lft, sizeof(x->lft));
928 x->props.mode = orig->props.mode;
929 x->props.replay_window = orig->props.replay_window;
930 x->props.reqid = orig->props.reqid;
931 x->props.family = orig->props.family;
932 x->props.saddr = orig->props.saddr;
935 x->aalg = xfrm_algo_clone(orig->aalg);
939 x->props.aalgo = orig->props.aalgo;
942 x->ealg = xfrm_algo_clone(orig->ealg);
946 x->props.ealgo = orig->props.ealgo;
949 x->calg = xfrm_algo_clone(orig->calg);
953 x->props.calgo = orig->props.calgo;
956 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
962 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
968 err = xfrm_init_state(x);
972 x->props.flags = orig->props.flags;
974 x->curlft.add_time = orig->curlft.add_time;
975 x->km.state = orig->km.state;
976 x->km.seq = orig->km.seq;
993 EXPORT_SYMBOL(xfrm_state_clone);
995 /* xfrm_state_lock is held */
996 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
999 struct xfrm_state *x;
1000 struct hlist_node *entry;
1003 h = xfrm_dst_hash(&m->old_daddr, &m->old_saddr,
1004 m->reqid, m->old_family);
1005 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
1006 if (x->props.mode != m->mode ||
1007 x->id.proto != m->proto)
1009 if (m->reqid && x->props.reqid != m->reqid)
1011 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1013 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1020 h = xfrm_src_hash(&m->old_daddr, &m->old_saddr,
1022 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
1023 if (x->props.mode != m->mode ||
1024 x->id.proto != m->proto)
1026 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1028 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1038 EXPORT_SYMBOL(xfrm_migrate_state_find);
1040 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1041 struct xfrm_migrate *m)
1043 struct xfrm_state *xc;
1046 xc = xfrm_state_clone(x, &err);
1050 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
1051 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
1054 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
1055 /* a care is needed when the destination address of the
1056 state is to be updated as it is a part of triplet */
1057 xfrm_state_insert(xc);
1059 if ((err = xfrm_state_add(xc)) < 0)
1068 EXPORT_SYMBOL(xfrm_state_migrate);
1071 int xfrm_state_update(struct xfrm_state *x)
1073 struct xfrm_state *x1;
1075 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1077 spin_lock_bh(&xfrm_state_lock);
1078 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1084 if (xfrm_state_kern(x1)) {
1090 if (x1->km.state == XFRM_STATE_ACQ) {
1091 __xfrm_state_insert(x);
1097 spin_unlock_bh(&xfrm_state_lock);
1103 xfrm_state_delete(x1);
1109 spin_lock_bh(&x1->lock);
1110 if (likely(x1->km.state == XFRM_STATE_VALID)) {
1111 if (x->encap && x1->encap)
1112 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
1113 if (x->coaddr && x1->coaddr) {
1114 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1116 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1117 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1118 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1121 mod_timer(&x1->timer, jiffies + HZ);
1122 if (x1->curlft.use_time)
1123 xfrm_state_check_expire(x1);
1127 spin_unlock_bh(&x1->lock);
1133 EXPORT_SYMBOL(xfrm_state_update);
1135 int xfrm_state_check_expire(struct xfrm_state *x)
1137 if (!x->curlft.use_time)
1138 x->curlft.use_time = get_seconds();
1140 if (x->km.state != XFRM_STATE_VALID)
1143 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1144 x->curlft.packets >= x->lft.hard_packet_limit) {
1145 x->km.state = XFRM_STATE_EXPIRED;
1146 mod_timer(&x->timer, jiffies);
1151 (x->curlft.bytes >= x->lft.soft_byte_limit ||
1152 x->curlft.packets >= x->lft.soft_packet_limit)) {
1154 km_state_expired(x, 0, 0);
1158 EXPORT_SYMBOL(xfrm_state_check_expire);
1160 static int xfrm_state_check_space(struct xfrm_state *x, struct sk_buff *skb)
1162 int nhead = x->props.header_len + LL_RESERVED_SPACE(skb->dst->dev)
1163 - skb_headroom(skb);
1166 return pskb_expand_head(skb, nhead, 0, GFP_ATOMIC);
1168 /* Check tail too... */
1172 int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb)
1174 int err = xfrm_state_check_expire(x);
1177 err = xfrm_state_check_space(x, skb);
1181 EXPORT_SYMBOL(xfrm_state_check);
1184 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
1185 unsigned short family)
1187 struct xfrm_state *x;
1189 spin_lock_bh(&xfrm_state_lock);
1190 x = __xfrm_state_lookup(daddr, spi, proto, family);
1191 spin_unlock_bh(&xfrm_state_lock);
1194 EXPORT_SYMBOL(xfrm_state_lookup);
1197 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
1198 u8 proto, unsigned short family)
1200 struct xfrm_state *x;
1202 spin_lock_bh(&xfrm_state_lock);
1203 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
1204 spin_unlock_bh(&xfrm_state_lock);
1207 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1210 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1211 xfrm_address_t *daddr, xfrm_address_t *saddr,
1212 int create, unsigned short family)
1214 struct xfrm_state *x;
1216 spin_lock_bh(&xfrm_state_lock);
1217 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
1218 spin_unlock_bh(&xfrm_state_lock);
1222 EXPORT_SYMBOL(xfrm_find_acq);
1224 #ifdef CONFIG_XFRM_SUB_POLICY
1226 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1227 unsigned short family)
1230 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1232 return -EAFNOSUPPORT;
1234 spin_lock_bh(&xfrm_state_lock);
1235 if (afinfo->tmpl_sort)
1236 err = afinfo->tmpl_sort(dst, src, n);
1237 spin_unlock_bh(&xfrm_state_lock);
1238 xfrm_state_put_afinfo(afinfo);
1241 EXPORT_SYMBOL(xfrm_tmpl_sort);
1244 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1245 unsigned short family)
1248 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1250 return -EAFNOSUPPORT;
1252 spin_lock_bh(&xfrm_state_lock);
1253 if (afinfo->state_sort)
1254 err = afinfo->state_sort(dst, src, n);
1255 spin_unlock_bh(&xfrm_state_lock);
1256 xfrm_state_put_afinfo(afinfo);
1259 EXPORT_SYMBOL(xfrm_state_sort);
1262 /* Silly enough, but I'm lazy to build resolution list */
1264 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1268 for (i = 0; i <= xfrm_state_hmask; i++) {
1269 struct hlist_node *entry;
1270 struct xfrm_state *x;
1272 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1273 if (x->km.seq == seq &&
1274 x->km.state == XFRM_STATE_ACQ) {
1283 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1285 struct xfrm_state *x;
1287 spin_lock_bh(&xfrm_state_lock);
1288 x = __xfrm_find_acq_byseq(seq);
1289 spin_unlock_bh(&xfrm_state_lock);
1292 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1294 u32 xfrm_get_acqseq(void)
1298 static DEFINE_SPINLOCK(acqseq_lock);
1300 spin_lock_bh(&acqseq_lock);
1301 res = (++acqseq ? : ++acqseq);
1302 spin_unlock_bh(&acqseq_lock);
1305 EXPORT_SYMBOL(xfrm_get_acqseq);
1308 xfrm_alloc_spi(struct xfrm_state *x, __be32 minspi, __be32 maxspi)
1311 struct xfrm_state *x0;
1316 if (minspi == maxspi) {
1317 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1325 u32 low = ntohl(minspi);
1326 u32 high = ntohl(maxspi);
1327 for (h=0; h<high-low+1; h++) {
1328 spi = low + net_random()%(high-low+1);
1329 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1331 x->id.spi = htonl(spi);
1338 spin_lock_bh(&xfrm_state_lock);
1339 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1340 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
1341 spin_unlock_bh(&xfrm_state_lock);
1345 EXPORT_SYMBOL(xfrm_alloc_spi);
1347 int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*),
1351 struct xfrm_state *x, *last = NULL;
1352 struct hlist_node *entry;
1356 spin_lock_bh(&xfrm_state_lock);
1357 for (i = 0; i <= xfrm_state_hmask; i++) {
1358 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1359 if (!xfrm_id_proto_match(x->id.proto, proto))
1362 err = func(last, count, data);
1374 err = func(last, 0, data);
1376 spin_unlock_bh(&xfrm_state_lock);
1379 EXPORT_SYMBOL(xfrm_state_walk);
1382 void xfrm_replay_notify(struct xfrm_state *x, int event)
1385 /* we send notify messages in case
1386 * 1. we updated on of the sequence numbers, and the seqno difference
1387 * is at least x->replay_maxdiff, in this case we also update the
1388 * timeout of our timer function
1389 * 2. if x->replay_maxage has elapsed since last update,
1390 * and there were changes
1392 * The state structure must be locked!
1396 case XFRM_REPLAY_UPDATE:
1397 if (x->replay_maxdiff &&
1398 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1399 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1400 if (x->xflags & XFRM_TIME_DEFER)
1401 event = XFRM_REPLAY_TIMEOUT;
1408 case XFRM_REPLAY_TIMEOUT:
1409 if ((x->replay.seq == x->preplay.seq) &&
1410 (x->replay.bitmap == x->preplay.bitmap) &&
1411 (x->replay.oseq == x->preplay.oseq)) {
1412 x->xflags |= XFRM_TIME_DEFER;
1419 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1420 c.event = XFRM_MSG_NEWAE;
1421 c.data.aevent = event;
1422 km_state_notify(x, &c);
1424 if (x->replay_maxage &&
1425 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1426 x->xflags &= ~XFRM_TIME_DEFER;
1428 EXPORT_SYMBOL(xfrm_replay_notify);
1430 static void xfrm_replay_timer_handler(unsigned long data)
1432 struct xfrm_state *x = (struct xfrm_state*)data;
1434 spin_lock(&x->lock);
1436 if (x->km.state == XFRM_STATE_VALID) {
1437 if (xfrm_aevent_is_on())
1438 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1440 x->xflags |= XFRM_TIME_DEFER;
1443 spin_unlock(&x->lock);
1446 int xfrm_replay_check(struct xfrm_state *x, __be32 net_seq)
1449 u32 seq = ntohl(net_seq);
1451 if (unlikely(seq == 0))
1454 if (likely(seq > x->replay.seq))
1457 diff = x->replay.seq - seq;
1458 if (diff >= min_t(unsigned int, x->props.replay_window,
1459 sizeof(x->replay.bitmap) * 8)) {
1460 x->stats.replay_window++;
1464 if (x->replay.bitmap & (1U << diff)) {
1470 EXPORT_SYMBOL(xfrm_replay_check);
1472 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1475 u32 seq = ntohl(net_seq);
1477 if (seq > x->replay.seq) {
1478 diff = seq - x->replay.seq;
1479 if (diff < x->props.replay_window)
1480 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1482 x->replay.bitmap = 1;
1483 x->replay.seq = seq;
1485 diff = x->replay.seq - seq;
1486 x->replay.bitmap |= (1U << diff);
1489 if (xfrm_aevent_is_on())
1490 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1492 EXPORT_SYMBOL(xfrm_replay_advance);
1494 static struct list_head xfrm_km_list = LIST_HEAD_INIT(xfrm_km_list);
1495 static DEFINE_RWLOCK(xfrm_km_lock);
1497 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1499 struct xfrm_mgr *km;
1501 read_lock(&xfrm_km_lock);
1502 list_for_each_entry(km, &xfrm_km_list, list)
1503 if (km->notify_policy)
1504 km->notify_policy(xp, dir, c);
1505 read_unlock(&xfrm_km_lock);
1508 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1510 struct xfrm_mgr *km;
1511 read_lock(&xfrm_km_lock);
1512 list_for_each_entry(km, &xfrm_km_list, list)
1515 read_unlock(&xfrm_km_lock);
1518 EXPORT_SYMBOL(km_policy_notify);
1519 EXPORT_SYMBOL(km_state_notify);
1521 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1527 c.event = XFRM_MSG_EXPIRE;
1528 km_state_notify(x, &c);
1534 EXPORT_SYMBOL(km_state_expired);
1536 * We send to all registered managers regardless of failure
1537 * We are happy with one success
1539 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1541 int err = -EINVAL, acqret;
1542 struct xfrm_mgr *km;
1544 read_lock(&xfrm_km_lock);
1545 list_for_each_entry(km, &xfrm_km_list, list) {
1546 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1550 read_unlock(&xfrm_km_lock);
1553 EXPORT_SYMBOL(km_query);
1555 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1558 struct xfrm_mgr *km;
1560 read_lock(&xfrm_km_lock);
1561 list_for_each_entry(km, &xfrm_km_list, list) {
1562 if (km->new_mapping)
1563 err = km->new_mapping(x, ipaddr, sport);
1567 read_unlock(&xfrm_km_lock);
1570 EXPORT_SYMBOL(km_new_mapping);
1572 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1578 c.event = XFRM_MSG_POLEXPIRE;
1579 km_policy_notify(pol, dir, &c);
1584 EXPORT_SYMBOL(km_policy_expired);
1586 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1587 struct xfrm_migrate *m, int num_migrate)
1591 struct xfrm_mgr *km;
1593 read_lock(&xfrm_km_lock);
1594 list_for_each_entry(km, &xfrm_km_list, list) {
1596 ret = km->migrate(sel, dir, type, m, num_migrate);
1601 read_unlock(&xfrm_km_lock);
1604 EXPORT_SYMBOL(km_migrate);
1606 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1610 struct xfrm_mgr *km;
1612 read_lock(&xfrm_km_lock);
1613 list_for_each_entry(km, &xfrm_km_list, list) {
1615 ret = km->report(proto, sel, addr);
1620 read_unlock(&xfrm_km_lock);
1623 EXPORT_SYMBOL(km_report);
1625 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1629 struct xfrm_mgr *km;
1630 struct xfrm_policy *pol = NULL;
1632 if (optlen <= 0 || optlen > PAGE_SIZE)
1635 data = kmalloc(optlen, GFP_KERNEL);
1640 if (copy_from_user(data, optval, optlen))
1644 read_lock(&xfrm_km_lock);
1645 list_for_each_entry(km, &xfrm_km_list, list) {
1646 pol = km->compile_policy(sk, optname, data,
1651 read_unlock(&xfrm_km_lock);
1654 xfrm_sk_policy_insert(sk, err, pol);
1663 EXPORT_SYMBOL(xfrm_user_policy);
1665 int xfrm_register_km(struct xfrm_mgr *km)
1667 write_lock_bh(&xfrm_km_lock);
1668 list_add_tail(&km->list, &xfrm_km_list);
1669 write_unlock_bh(&xfrm_km_lock);
1672 EXPORT_SYMBOL(xfrm_register_km);
1674 int xfrm_unregister_km(struct xfrm_mgr *km)
1676 write_lock_bh(&xfrm_km_lock);
1677 list_del(&km->list);
1678 write_unlock_bh(&xfrm_km_lock);
1681 EXPORT_SYMBOL(xfrm_unregister_km);
1683 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1686 if (unlikely(afinfo == NULL))
1688 if (unlikely(afinfo->family >= NPROTO))
1689 return -EAFNOSUPPORT;
1690 write_lock_bh(&xfrm_state_afinfo_lock);
1691 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1694 xfrm_state_afinfo[afinfo->family] = afinfo;
1695 write_unlock_bh(&xfrm_state_afinfo_lock);
1698 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1700 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1703 if (unlikely(afinfo == NULL))
1705 if (unlikely(afinfo->family >= NPROTO))
1706 return -EAFNOSUPPORT;
1707 write_lock_bh(&xfrm_state_afinfo_lock);
1708 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1709 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1712 xfrm_state_afinfo[afinfo->family] = NULL;
1714 write_unlock_bh(&xfrm_state_afinfo_lock);
1717 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1719 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family)
1721 struct xfrm_state_afinfo *afinfo;
1722 if (unlikely(family >= NPROTO))
1724 read_lock(&xfrm_state_afinfo_lock);
1725 afinfo = xfrm_state_afinfo[family];
1726 if (unlikely(!afinfo))
1727 read_unlock(&xfrm_state_afinfo_lock);
1731 void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1733 read_unlock(&xfrm_state_afinfo_lock);
1736 EXPORT_SYMBOL(xfrm_state_get_afinfo);
1737 EXPORT_SYMBOL(xfrm_state_put_afinfo);
1739 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1740 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1743 struct xfrm_state *t = x->tunnel;
1745 if (atomic_read(&t->tunnel_users) == 2)
1746 xfrm_state_delete(t);
1747 atomic_dec(&t->tunnel_users);
1752 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1754 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1758 spin_lock_bh(&x->lock);
1759 if (x->km.state == XFRM_STATE_VALID &&
1760 x->type && x->type->get_mtu)
1761 res = x->type->get_mtu(x, mtu);
1763 res = mtu - x->props.header_len;
1764 spin_unlock_bh(&x->lock);
1768 int xfrm_init_state(struct xfrm_state *x)
1770 struct xfrm_state_afinfo *afinfo;
1771 int family = x->props.family;
1774 err = -EAFNOSUPPORT;
1775 afinfo = xfrm_state_get_afinfo(family);
1780 if (afinfo->init_flags)
1781 err = afinfo->init_flags(x);
1783 xfrm_state_put_afinfo(afinfo);
1788 err = -EPROTONOSUPPORT;
1789 x->type = xfrm_get_type(x->id.proto, family);
1790 if (x->type == NULL)
1793 err = x->type->init_state(x);
1797 x->mode = xfrm_get_mode(x->props.mode, family);
1798 if (x->mode == NULL)
1801 x->km.state = XFRM_STATE_VALID;
1807 EXPORT_SYMBOL(xfrm_init_state);
1809 void __init xfrm_state_init(void)
1813 sz = sizeof(struct hlist_head) * 8;
1815 xfrm_state_bydst = xfrm_hash_alloc(sz);
1816 xfrm_state_bysrc = xfrm_hash_alloc(sz);
1817 xfrm_state_byspi = xfrm_hash_alloc(sz);
1818 if (!xfrm_state_bydst || !xfrm_state_bysrc || !xfrm_state_byspi)
1819 panic("XFRM: Cannot allocate bydst/bysrc/byspi hashes.");
1820 xfrm_state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
1822 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task);
git.openpandora.org / pandora-kernel.git / blob