static struct xfrm_state *xfrm_user_state_lookup(struct net *net,
struct xfrm_usersa_id *p,
struct nlattr **attrs,
int *errp)
{
struct xfrm_state *x = NULL;
struct xfrm_mark m;
int err;
u32 mark = xfrm_mark_get(attrs, &m);
if (xfrm_id_proto_match(p->proto, IPSEC_PROTO_ANY)) {
err = -ESRCH;
x = xfrm_state_lookup(net, mark, &p->daddr, p->spi, p->proto, p->family);
} else {
xfrm_address_t *saddr = NULL;
verify_one_addr(attrs, XFRMA_SRCADDR, &saddr);
if (!saddr) {
err = -EINVAL;
goto out;
}
err = -ESRCH;
x = xfrm_state_lookup_byaddr(net, mark,
&p->daddr, saddr,
p->proto, p->family);
}
out:
if (!x && errp)
*errp = err;
return x;
}
int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
xfrm_address_t *saddr, u8 proto)
{
struct net *net = dev_net(skb->dev);
struct xfrm_state *x = NULL;
int i = 0;
if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
struct sec_path *sp;
sp = secpath_dup(skb->sp);
if (!sp) {
XFRM_INC_STATS(net, LINUX_MIB_XFRMINERROR);
goto drop;
}
if (skb->sp)
secpath_put(skb->sp);
skb->sp = sp;
}
if (1 + skb->sp->len == XFRM_MAX_DEPTH) {
XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
goto drop;
}
for (i = 0; i < 3; i++) {
xfrm_address_t *dst, *src;
switch (i) {
case 0:
dst = daddr;
src = saddr;
break;
case 1:
dst = daddr;
src = (xfrm_address_t *)&in6addr_any;
break;
default:
dst = (xfrm_address_t *)&in6addr_any;
src = (xfrm_address_t *)&in6addr_any;
break;
}
x = xfrm_state_lookup_byaddr(net, skb->mark, dst, src, proto, AF_INET6);
if (!x)
continue;
spin_lock(&x->lock);
if ((!i || (x->props.flags & XFRM_STATE_WILDRECV)) &&
likely(x->km.state == XFRM_STATE_VALID) &&
!xfrm_state_check_expire(x)) {
spin_unlock(&x->lock);
if (x->type->input(x, skb) > 0) {
break;
}
} else
spin_unlock(&x->lock);
xfrm_state_put(x);
x = NULL;
}
if (!x) {
XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
xfrm_audit_state_notfound_simple(skb, AF_INET6);
goto drop;
}
skb->sp->xvec[skb->sp->len++] = x;
spin_lock(&x->lock);
x->curlft.bytes += skb->len;
x->curlft.packets++;
spin_unlock(&x->lock);
return 1;
drop:
return -1;
}
int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
xfrm_address_t *saddr, u8 proto)
{
struct xfrm_state *x = NULL;
int wildcard = 0;
struct in6_addr any;
xfrm_address_t *xany;
struct xfrm_state *xfrm_vec_one = NULL;
int nh = 0;
int i = 0;
ipv6_addr_set(&any, 0, 0, 0, 0);
xany = (xfrm_address_t *)&any;
for (i = 0; i < 3; i++) {
xfrm_address_t *dst, *src;
switch (i) {
case 0:
dst = daddr;
src = saddr;
break;
case 1:
/* lookup state with wild-card source address */
wildcard = 1;
dst = daddr;
src = xany;
break;
case 2:
default:
/* lookup state with wild-card addresses */
wildcard = 1; /* XXX */
dst = xany;
src = xany;
break;
}
x = xfrm_state_lookup_byaddr(dst, src, proto, AF_INET6);
if (!x)
continue;
spin_lock(&x->lock);
if (wildcard) {
if ((x->props.flags & XFRM_STATE_WILDRECV) == 0) {
spin_unlock(&x->lock);
xfrm_state_put(x);
x = NULL;
continue;
}
}
if (unlikely(x->km.state != XFRM_STATE_VALID)) {
spin_unlock(&x->lock);
xfrm_state_put(x);
x = NULL;
continue;
}
if (xfrm_state_check_expire(x)) {
spin_unlock(&x->lock);
xfrm_state_put(x);
x = NULL;
continue;
}
nh = x->type->input(x, skb);
if (nh <= 0) {
spin_unlock(&x->lock);
xfrm_state_put(x);
x = NULL;
continue;
}
x->curlft.bytes += skb->len;
x->curlft.packets++;
spin_unlock(&x->lock);
xfrm_vec_one = x;
break;
}
if (!xfrm_vec_one)
goto drop;
/* Allocate new secpath or COW existing one. */
if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
struct sec_path *sp;
sp = secpath_dup(skb->sp);
if (!sp)
goto drop;
if (skb->sp)
secpath_put(skb->sp);
skb->sp = sp;
}
if (1 + skb->sp->len > XFRM_MAX_DEPTH)
goto drop;
skb->sp->xvec[skb->sp->len] = xfrm_vec_one;
skb->sp->len ++;
return 1;
drop:
if (xfrm_vec_one)
xfrm_state_put(xfrm_vec_one);
return -1;
}
int __xfrm6_rcv_one(struct sk_buff *skb, xfrm_address_t *daddr,
xfrm_address_t *saddr, u8 proto)
{
struct xfrm_state *x = NULL;
int wildcard = 0;
struct in6_addr any;
xfrm_address_t *xany;
struct xfrm_state *xfrm_vec_one = NULL;
int nh = 0;
int i = 0;
ipv6_addr_set(&any, 0, 0, 0, 0);
xany = (xfrm_address_t *)&any;
for (i = 0; i < 3; i++) {
xfrm_address_t *dst, *src;
switch (i) {
case 0:
dst = daddr;
src = saddr;
break;
case 1:
/* lookup state with wild-card source address */
wildcard = 1;
dst = daddr;
src = xany;
break;
case 2:
default:
/* lookup state with wild-card addresses */
wildcard = 1; /* XXX */
dst = xany;
src = xany;
break;
}
x = xfrm_state_lookup_byaddr(dst, src, proto, AF_INET6);
if (!x)
continue;
spin_lock(&x->lock);
if (wildcard) {
if ((x->props.flags & XFRM_STATE_WILDRECV) == 0) {
printk(KERN_INFO "%s: found state is not wild-card.\n", __FUNCTION__);
spin_unlock(&x->lock);
xfrm_state_put(x);
x = NULL;
continue;
}
}
if (unlikely(x->km.state != XFRM_STATE_VALID)) {
spin_unlock(&x->lock);
xfrm_state_put(x);
x = NULL;
continue;
}
if (xfrm_state_check_expire(x)) {
spin_unlock(&x->lock);
xfrm_state_put(x);
x = NULL;
continue;
}
nh = x->type->input(x, skb);
if (nh <= 0) {
spin_unlock(&x->lock);
xfrm_state_put(x);
x = NULL;
continue;
}
break;
}
if (!x)
goto error;
x->curlft.bytes += skb->len;
x->curlft.packets++;
x->curlft.use_time = (unsigned long) xtime.tv_sec;
spin_unlock(&x->lock);
xfrm_vec_one = x;
/* Allocate new secpath or COW existing one. */
if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
struct sec_path *sp;
sp = secpath_dup(skb->sp);
if (!sp) {
printk(KERN_INFO "%s: dup secpath failed\n", __FUNCTION__);
goto error;
}
if (skb->sp)
secpath_put(skb->sp);
skb->sp = sp;
}
if (1 + skb->sp->len > XFRM_MAX_DEPTH) {
printk(KERN_INFO "%s: too many states\n", __FUNCTION__);
goto error;
}
skb->sp->xvec[skb->sp->len] = xfrm_vec_one;
skb->sp->len ++;
skb->ip_summed = CHECKSUM_NONE;
return 0;
error:
return -1;
}