]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blob - net/xfrm/xfrm_device.c
projects / mirror_ubuntu-hirsute-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
UBUNTU: Ubuntu-5.11.0-22.23
[mirror_ubuntu-hirsute-kernel.git] / net / xfrm / xfrm_device.c
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * xfrm_device.c - IPsec device offloading code.
4 *
5 * Copyright (c) 2015 secunet Security Networks AG
6 *
7 * Author:
8 * Steffen Klassert <steffen.klassert@secunet.com>
9 */
10
11 #include <linux/errno.h>
12 #include <linux/module.h>
13 #include <linux/netdevice.h>
14 #include <linux/skbuff.h>
15 #include <linux/slab.h>
16 #include <linux/spinlock.h>
17 #include <net/dst.h>
18 #include <net/xfrm.h>
19 #include <linux/notifier.h>
20
21 #ifdef CONFIG_XFRM_OFFLOAD
22 static void __xfrm_transport_prep(struct xfrm_state *x, struct sk_buff *skb,
23 unsigned int hsize)
24 {
25 struct xfrm_offload *xo = xfrm_offload(skb);
26
27 skb_reset_mac_len(skb);
28 if (xo->flags & XFRM_GSO_SEGMENT)
29 skb->transport_header -= x->props.header_len;
30
31 pskb_pull(skb, skb_transport_offset(skb) + x->props.header_len);
32 }
33
34 static void __xfrm_mode_tunnel_prep(struct xfrm_state *x, struct sk_buff *skb,
35 unsigned int hsize)
36
37 {
38 struct xfrm_offload *xo = xfrm_offload(skb);
39
40 if (xo->flags & XFRM_GSO_SEGMENT)
41 skb->transport_header = skb->network_header + hsize;
42
43 skb_reset_mac_len(skb);
44 pskb_pull(skb, skb->mac_len + x->props.header_len);
45 }
46
47 static void __xfrm_mode_beet_prep(struct xfrm_state *x, struct sk_buff *skb,
48 unsigned int hsize)
49 {
50 struct xfrm_offload *xo = xfrm_offload(skb);
51 int phlen = 0;
52
53 if (xo->flags & XFRM_GSO_SEGMENT)
54 skb->transport_header = skb->network_header + hsize;
55
56 skb_reset_mac_len(skb);
57 if (x->sel.family != AF_INET6) {
58 phlen = IPV4_BEET_PHMAXLEN;
59 if (x->outer_mode.family == AF_INET6)
60 phlen += sizeof(struct ipv6hdr) - sizeof(struct iphdr);
61 }
62
63 pskb_pull(skb, skb->mac_len + hsize + (x->props.header_len - phlen));
64 }
65
66 /* Adjust pointers into the packet when IPsec is done at layer2 */
67 static void xfrm_outer_mode_prep(struct xfrm_state *x, struct sk_buff *skb)
68 {
69 switch (x->outer_mode.encap) {
70 case XFRM_MODE_TUNNEL:
71 if (x->outer_mode.family == AF_INET)
72 return __xfrm_mode_tunnel_prep(x, skb,
73 sizeof(struct iphdr));
74 if (x->outer_mode.family == AF_INET6)
75 return __xfrm_mode_tunnel_prep(x, skb,
76 sizeof(struct ipv6hdr));
77 break;
78 case XFRM_MODE_TRANSPORT:
79 if (x->outer_mode.family == AF_INET)
80 return __xfrm_transport_prep(x, skb,
81 sizeof(struct iphdr));
82 if (x->outer_mode.family == AF_INET6)
83 return __xfrm_transport_prep(x, skb,
84 sizeof(struct ipv6hdr));
85 break;
86 case XFRM_MODE_BEET:
87 if (x->outer_mode.family == AF_INET)
88 return __xfrm_mode_beet_prep(x, skb,
89 sizeof(struct iphdr));
90 if (x->outer_mode.family == AF_INET6)
91 return __xfrm_mode_beet_prep(x, skb,
92 sizeof(struct ipv6hdr));
93 break;
94 case XFRM_MODE_ROUTEOPTIMIZATION:
95 case XFRM_MODE_IN_TRIGGER:
96 break;
97 }
98 }
99
100 struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
101 {
102 int err;
103 unsigned long flags;
104 struct xfrm_state *x;
105 struct softnet_data *sd;
106 struct sk_buff *skb2, *nskb, *pskb = NULL;
107 netdev_features_t esp_features = features;
108 struct xfrm_offload *xo = xfrm_offload(skb);
109 struct net_device *dev = skb->dev;
110 struct sec_path *sp;
111
112 if (!xo || (xo->flags & XFRM_XMIT))
113 return skb;
114
115 if (!(features & NETIF_F_HW_ESP))
116 esp_features = features & ~(NETIF_F_SG | NETIF_F_CSUM_MASK);
117
118 sp = skb_sec_path(skb);
119 x = sp->xvec[sp->len - 1];
120 if (xo->flags & XFRM_GRO || x->xso.flags & XFRM_OFFLOAD_INBOUND)
121 return skb;
122
123 /* This skb was already validated on the upper/virtual dev */
124 if ((x->xso.dev != dev) && (x->xso.real_dev == dev))
125 return skb;
126
127 local_irq_save(flags);
128 sd = this_cpu_ptr(&softnet_data);
129 err = !skb_queue_empty(&sd->xfrm_backlog);
130 local_irq_restore(flags);
131
132 if (err) {
133 *again = true;
134 return skb;
135 }
136
137 if (skb_is_gso(skb) && unlikely(x->xso.dev != dev)) {
138 struct sk_buff *segs;
139
140 /* Packet got rerouted, fixup features and segment it. */
141 esp_features = esp_features & ~(NETIF_F_HW_ESP | NETIF_F_GSO_ESP);
142
143 segs = skb_gso_segment(skb, esp_features);
144 if (IS_ERR(segs)) {
145 kfree_skb(skb);
146 atomic_long_inc(&dev->tx_dropped);
147 return NULL;
148 } else {
149 consume_skb(skb);
150 skb = segs;
151 }
152 }
153
154 if (!skb->next) {
155 esp_features |= skb->dev->gso_partial_features;
156 xfrm_outer_mode_prep(x, skb);
157
158 xo->flags |= XFRM_DEV_RESUME;
159
160 err = x->type_offload->xmit(x, skb, esp_features);
161 if (err) {
162 if (err == -EINPROGRESS)
163 return NULL;
164
165 XFRM_INC_STATS(xs_net(x), LINUX_MIB_XFRMOUTSTATEPROTOERROR);
166 kfree_skb(skb);
167 return NULL;
168 }
169
170 skb_push(skb, skb->data - skb_mac_header(skb));
171
172 return skb;
173 }
174
175 skb_list_walk_safe(skb, skb2, nskb) {
176 esp_features |= skb->dev->gso_partial_features;
177 skb_mark_not_on_list(skb2);
178
179 xo = xfrm_offload(skb2);
180 xo->flags |= XFRM_DEV_RESUME;
181
182 xfrm_outer_mode_prep(x, skb2);
183
184 err = x->type_offload->xmit(x, skb2, esp_features);
185 if (!err) {
186 skb2->next = nskb;
187 } else if (err != -EINPROGRESS) {
188 XFRM_INC_STATS(xs_net(x), LINUX_MIB_XFRMOUTSTATEPROTOERROR);
189 skb2->next = nskb;
190 kfree_skb_list(skb2);
191 return NULL;
192 } else {
193 if (skb == skb2)
194 skb = nskb;
195 else
196 pskb->next = nskb;
197
198 continue;
199 }
200
201 skb_push(skb2, skb2->data - skb_mac_header(skb2));
202 pskb = skb2;
203 }
204
205 return skb;
206 }
207 EXPORT_SYMBOL_GPL(validate_xmit_xfrm);
208
209 int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
210 struct xfrm_user_offload *xuo)
211 {
212 int err;
213 struct dst_entry *dst;
214 struct net_device *dev;
215 struct xfrm_state_offload *xso = &x->xso;
216 xfrm_address_t *saddr;
217 xfrm_address_t *daddr;
218
219 if (!x->type_offload)
220 return -EINVAL;
221
222 /* We don't yet support UDP encapsulation and TFC padding. */
223 if (x->encap || x->tfcpad)
224 return -EINVAL;
225
226 dev = dev_get_by_index(net, xuo->ifindex);
227 if (!dev) {
228 if (!(xuo->flags & XFRM_OFFLOAD_INBOUND)) {
229 saddr = &x->props.saddr;
230 daddr = &x->id.daddr;
231 } else {
232 saddr = &x->id.daddr;
233 daddr = &x->props.saddr;
234 }
235
236 dst = __xfrm_dst_lookup(net, 0, 0, saddr, daddr,
237 x->props.family,
238 xfrm_smark_get(0, x));
239 if (IS_ERR(dst))
240 return 0;
241
242 dev = dst->dev;
243
244 dev_hold(dev);
245 dst_release(dst);
246 }
247
248 if (!dev->xfrmdev_ops || !dev->xfrmdev_ops->xdo_dev_state_add) {
249 xso->dev = NULL;
250 dev_put(dev);
251 return 0;
252 }
253
254 if (x->props.flags & XFRM_STATE_ESN &&
255 !dev->xfrmdev_ops->xdo_dev_state_advance_esn) {
256 xso->dev = NULL;
257 dev_put(dev);
258 return -EINVAL;
259 }
260
261 xso->dev = dev;
262 xso->real_dev = dev;
263 xso->num_exthdrs = 1;
264 xso->flags = xuo->flags;
265
266 err = dev->xfrmdev_ops->xdo_dev_state_add(x);
267 if (err) {
268 xso->num_exthdrs = 0;
269 xso->flags = 0;
270 xso->dev = NULL;
271 dev_put(dev);
272
273 if (err != -EOPNOTSUPP)
274 return err;
275 }
276
277 return 0;
278 }
279 EXPORT_SYMBOL_GPL(xfrm_dev_state_add);
280
281 bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
282 {
283 int mtu;
284 struct dst_entry *dst = skb_dst(skb);
285 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
286 struct net_device *dev = x->xso.dev;
287
288 if (!x->type_offload || x->encap)
289 return false;
290
291 if ((!dev || (dev == xfrm_dst_path(dst)->dev)) &&
292 (!xdst->child->xfrm)) {
293 mtu = xfrm_state_mtu(x, xdst->child_mtu_cached);
294 if (skb->len <= mtu)
295 goto ok;
296
297 if (skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu))
298 goto ok;
299 }
300
301 return false;
302
303 ok:
304 if (dev && dev->xfrmdev_ops && dev->xfrmdev_ops->xdo_dev_offload_ok)
305 return x->xso.dev->xfrmdev_ops->xdo_dev_offload_ok(skb, x);
306
307 return true;
308 }
309 EXPORT_SYMBOL_GPL(xfrm_dev_offload_ok);
310
311 void xfrm_dev_resume(struct sk_buff *skb)
312 {
313 struct net_device *dev = skb->dev;
314 int ret = NETDEV_TX_BUSY;
315 struct netdev_queue *txq;
316 struct softnet_data *sd;
317 unsigned long flags;
318
319 rcu_read_lock();
320 txq = netdev_core_pick_tx(dev, skb, NULL);
321
322 HARD_TX_LOCK(dev, txq, smp_processor_id());
323 if (!netif_xmit_frozen_or_stopped(txq))
324 skb = dev_hard_start_xmit(skb, dev, txq, &ret);
325 HARD_TX_UNLOCK(dev, txq);
326
327 if (!dev_xmit_complete(ret)) {
328 local_irq_save(flags);
329 sd = this_cpu_ptr(&softnet_data);
330 skb_queue_tail(&sd->xfrm_backlog, skb);
331 raise_softirq_irqoff(NET_TX_SOFTIRQ);
332 local_irq_restore(flags);
333 }
334 rcu_read_unlock();
335 }
336 EXPORT_SYMBOL_GPL(xfrm_dev_resume);
337
338 void xfrm_dev_backlog(struct softnet_data *sd)
339 {
340 struct sk_buff_head *xfrm_backlog = &sd->xfrm_backlog;
341 struct sk_buff_head list;
342 struct sk_buff *skb;
343
344 if (skb_queue_empty(xfrm_backlog))
345 return;
346
347 __skb_queue_head_init(&list);
348
349 spin_lock(&xfrm_backlog->lock);
350 skb_queue_splice_init(xfrm_backlog, &list);
351 spin_unlock(&xfrm_backlog->lock);
352
353 while (!skb_queue_empty(&list)) {
354 skb = __skb_dequeue(&list);
355 xfrm_dev_resume(skb);
356 }
357
358 }
359 #endif
360
361 static int xfrm_api_check(struct net_device *dev)
362 {
363 #ifdef CONFIG_XFRM_OFFLOAD
364 if ((dev->features & NETIF_F_HW_ESP_TX_CSUM) &&
365 !(dev->features & NETIF_F_HW_ESP))
366 return NOTIFY_BAD;
367
368 if ((dev->features & NETIF_F_HW_ESP) &&
369 (!(dev->xfrmdev_ops &&
370 dev->xfrmdev_ops->xdo_dev_state_add &&
371 dev->xfrmdev_ops->xdo_dev_state_delete)))
372 return NOTIFY_BAD;
373 #else
374 if (dev->features & (NETIF_F_HW_ESP | NETIF_F_HW_ESP_TX_CSUM))
375 return NOTIFY_BAD;
376 #endif
377
378 return NOTIFY_DONE;
379 }
380
381 static int xfrm_dev_register(struct net_device *dev)
382 {
383 return xfrm_api_check(dev);
384 }
385
386 static int xfrm_dev_feat_change(struct net_device *dev)
387 {
388 return xfrm_api_check(dev);
389 }
390
391 static int xfrm_dev_down(struct net_device *dev)
392 {
393 if (dev->features & NETIF_F_HW_ESP)
394 xfrm_dev_state_flush(dev_net(dev), dev, true);
395
396 return NOTIFY_DONE;
397 }
398
399 static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr)
400 {
401 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
402
403 switch (event) {
404 case NETDEV_REGISTER:
405 return xfrm_dev_register(dev);
406
407 case NETDEV_FEAT_CHANGE:
408 return xfrm_dev_feat_change(dev);
409
410 case NETDEV_DOWN:
411 case NETDEV_UNREGISTER:
412 return xfrm_dev_down(dev);
413 }
414 return NOTIFY_DONE;
415 }
416
417 static struct notifier_block xfrm_dev_notifier = {
418 .notifier_call = xfrm_dev_event,
419 };
420
421 void __init xfrm_dev_init(void)
422 {
423 register_netdevice_notifier(&xfrm_dev_notifier);
424 }
Ubuntu Hirsute Linux kernel mirror