hip-beet-2.6.15.7-4in1.patch

Host Identity Protocol on Linux is an implemetation of the Host Identity Protocol (HIP) and the rela

+
+	XFRM_MSG_UPDPOLICY,
+#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
+	XFRM_MSG_UPDSA,
+#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA
+
+	XFRM_MSG_POLEXPIRE,
+#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE
+
+	XFRM_MSG_FLUSHSA,
+#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
+	XFRM_MSG_FLUSHPOLICY,
+#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY
+
+	__XFRM_MSG_MAX
+};
+#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
+
+#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
+
+struct xfrm_user_tmpl {
+	struct xfrm_id		id;
+	__u16			family;
+	xfrm_address_t		saddr;
+	__u32			reqid;
+	__u8			mode;
+	__u8			share;
+	__u8			optional;
+	__u32			aalgos;
+	__u32			ealgos;
+	__u32			calgos;
+};
+
+struct xfrm_encap_tmpl {
+	__u16		encap_type;
+	__u16		encap_sport;
+	__u16		encap_dport;
+	xfrm_address_t	encap_oa;
+};
+
+/* Netlink message attributes.  */
+enum xfrm_attr_type_t {
+	XFRMA_UNSPEC,
+	XFRMA_ALG_AUTH,		/* struct xfrm_algo */
+	XFRMA_ALG_CRYPT,	/* struct xfrm_algo */
+	XFRMA_ALG_COMP,		/* struct xfrm_algo */
+	XFRMA_ENCAP,		/* struct xfrm_algo + struct xfrm_encap_tmpl */
+	XFRMA_TMPL,		/* 1 or more struct xfrm_user_tmpl */
+	XFRMA_SA,
+	XFRMA_POLICY,
+	__XFRMA_MAX
+
+#define XFRMA_MAX (__XFRMA_MAX - 1)
+};
+
+struct xfrm_usersa_info {
+	struct xfrm_selector		sel;
+	struct xfrm_id			id;
+	xfrm_address_t			saddr;
+	struct xfrm_lifetime_cfg	lft;
+	struct xfrm_lifetime_cur	curlft;
+	struct xfrm_stats		stats;
+	__u32				seq;
+	__u32				reqid;
+	__u16				family;
+	__u8				mode; /* 0=transport,1=tunnel */
+	__u8				replay_window;
+	__u8				flags;
+#define XFRM_STATE_NOECN	1
+#define XFRM_STATE_DECAP_DSCP	2
+#define XFRM_STATE_NOPMTUDISC	4
+};
+
+struct xfrm_usersa_id {
+	xfrm_address_t			daddr;
+	__u32				spi;
+	__u16				family;
+	__u8				proto;
+};
+
+struct xfrm_userspi_info {
+	struct xfrm_usersa_info		info;
+	__u32				min;
+	__u32				max;
+};
+
+struct xfrm_userpolicy_info {
+	struct xfrm_selector		sel;
+	struct xfrm_lifetime_cfg	lft;
+	struct xfrm_lifetime_cur	curlft;
+	__u32				priority;
+	__u32				index;
+	__u8				dir;
+	__u8				action;
+#define XFRM_POLICY_ALLOW	0
+#define XFRM_POLICY_BLOCK	1
+	__u8				flags;
+#define XFRM_POLICY_LOCALOK	1	/* Allow user to override global policy */
+	__u8				share;
+};
+
+struct xfrm_userpolicy_id {
+	struct xfrm_selector		sel;
+	__u32				index;
+	__u8				dir;
+};
+
+struct xfrm_user_acquire {
+	struct xfrm_id			id;
+	xfrm_address_t			saddr;
+	struct xfrm_selector		sel;
+	struct xfrm_userpolicy_info	policy;
+	__u32				aalgos;
+	__u32				ealgos;
+	__u32				calgos;
+	__u32				seq;
+};
+
+struct xfrm_user_expire {
+	struct xfrm_usersa_info		state;
+	__u8				hard;
+};
+
+struct xfrm_user_polexpire {
+	struct xfrm_userpolicy_info	pol;
+	__u8				hard;
+};
+
+struct xfrm_usersa_flush {
+	__u8				proto;
+};
+
+#ifndef __KERNEL__
+/* backwards compatibility for userspace */
+#define XFRMGRP_ACQUIRE		1
+#define XFRMGRP_EXPIRE		2
+#define XFRMGRP_SA		4
+#define XFRMGRP_POLICY		8
+#endif
+
+enum xfrm_nlgroups {
+	XFRMNLGRP_NONE,
+#define XFRMNLGRP_NONE		XFRMNLGRP_NONE
+	XFRMNLGRP_ACQUIRE,
+#define XFRMNLGRP_ACQUIRE	XFRMNLGRP_ACQUIRE
+	XFRMNLGRP_EXPIRE,
+#define XFRMNLGRP_EXPIRE	XFRMNLGRP_EXPIRE
+	XFRMNLGRP_SA,
+#define XFRMNLGRP_SA		XFRMNLGRP_SA
+	XFRMNLGRP_POLICY,
+#define XFRMNLGRP_POLICY	XFRMNLGRP_POLICY
+	__XFRMNLGRP_MAX
+};
+#define XFRMNLGRP_MAX	(__XFRMNLGRP_MAX - 1)
+
+#endif /* _LINUX_XFRM_H */
diff -urN linux-source-2.6.15/include/net/xfrm.h linux-source-2.6.15-beet/include/net/xfrm.h
--- linux-source-2.6.15/include/net/xfrm.h	2006-03-02 23:18:41.000000000 +0200
+++ linux-source-2.6.15-beet/include/net/xfrm.h	2006-07-02 16:47:40.000000000 +0300
@@ -196,7 +196,7 @@
 extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
 extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
 
-#define XFRM_ACQ_EXPIRES	30
+#define XFRM_ACQ_EXPIRES	3
 
 struct xfrm_tmpl;
 struct xfrm_state_afinfo {
@@ -258,6 +258,10 @@
 /* Source address of tunnel. Ignored, if it is not a tunnel. */
 	xfrm_address_t		saddr;
 
+/* family of the outer addresses. The family may differ from
+   the one in selector */
+	unsigned short		outer_family;
+
 	__u32			reqid;
 
 /* Mode: transport/tunnel */
diff -urN linux-source-2.6.15/include/net/xfrm.h.orig linux-source-2.6.15-beet/include/net/xfrm.h.orig
--- linux-source-2.6.15/include/net/xfrm.h.orig	1970-01-01 02:00:00.000000000 +0200
+++ linux-source-2.6.15-beet/include/net/xfrm.h.orig	2006-07-02 16:47:22.000000000 +0300
@@ -0,0 +1,944 @@
+#ifndef _NET_XFRM_H
+#define _NET_XFRM_H
+
+#include <linux/compiler.h>
+#include <linux/xfrm.h>
+#include <linux/spinlock.h>
+#include <linux/list.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+#include <linux/crypto.h>
+#include <linux/pfkeyv2.h>
+#include <linux/in6.h>
+
+#include <net/sock.h>
+#include <net/dst.h>
+#include <net/route.h>
+#include <net/ipv6.h>
+#include <net/ip6_fib.h>
+
+#define XFRM_ALIGN8(len)	(((len) + 7) & ~7)
+
+extern struct semaphore xfrm_cfg_sem;
+
+/* Organization of SPD aka "XFRM rules"
+   ------------------------------------
+
+   Basic objects:
+   - policy rule, struct xfrm_policy (=SPD entry)
+   - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
+   - instance of a transformer, struct xfrm_state (=SA)
+   - template to clone xfrm_state, struct xfrm_tmpl
+
+   SPD is plain linear list of xfrm_policy rules, ordered by priority.
+   (To be compatible with existing pfkeyv2 implementations,
+   many rules with priority of 0x7fffffff are allowed to exist and
+   such rules are ordered in an unpredictable way, thanks to bsd folks.)
+
+   Lookup is plain linear search until the first match with selector.
+
+   If "action" is "block", then we prohibit the flow, otherwise:
+   if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
+   policy entry has list of up to XFRM_MAX_DEPTH transformations,
+   described by templates xfrm_tmpl. Each template is resolved
+   to a complete xfrm_state (see below) and we pack bundle of transformations
+   to a dst_entry returned to requestor.
+
+   dst -. xfrm  .-> xfrm_state #1
+    |---. child .-> dst -. xfrm .-> xfrm_state #2
+                     |---. child .-> dst -. xfrm .-> xfrm_state #3
+                                      |---. child .-> NULL
+
+   Bundles are cached at xrfm_policy struct (field ->bundles).
+
+
+   Resolution of xrfm_tmpl
+   -----------------------
+   Template contains:
+   1. ->mode		Mode: transport or tunnel
+   2. ->id.proto	Protocol: AH/ESP/IPCOMP
+   3. ->id.daddr	Remote tunnel endpoint, ignored for transport mode.
+      Q: allow to resolve security gateway?
+   4. ->id.spi          If not zero, static SPI.
+   5. ->saddr		Local tunnel endpoint, ignored for transport mode.
+   6. ->algos		List of allowed algos. Plain bitmask now.
+      Q: ealgos, aalgos, calgos. What a mess...
+   7. ->share		Sharing mode.
+      Q: how to implement private sharing mode? To add struct sock* to
+      flow id?
+
+   Having this template we search through SAD searching for entries
+   with appropriate mode/proto/algo, permitted by selector.
+   If no appropriate entry found, it is requested from key manager.
+
+   PROBLEMS:
+   Q: How to find all the bundles referring to a physical path for
+      PMTU discovery? Seems, dst should contain list of all parents...
+      and enter to infinite locking hierarchy disaster.
+      No! It is easier, we will not search for them, let them find us.
+      We add genid to each dst plus pointer to genid of raw IP route,
+      pmtu disc will update pmtu on raw IP route and increase its genid.
+      dst_check() will see this for top level and trigger resyncing
+      metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
+ */
+
+/* Full description of state of transformer. */
+struct xfrm_state
+{
+	/* Note: bydst is re-used during gc */
+	struct list_head	bydst;
+	struct list_head	byspi;
+
+	atomic_t		refcnt;
+	spinlock_t		lock;
+
+	struct xfrm_id		id;
+	struct xfrm_selector	sel;
+
+	/* Key manger bits */
+	struct {
+		u8		state;
+		u8		dying;
+		u32		seq;
+	} km;
+
+	/* Parameters of this state. */
+	struct {
+		u32		reqid;
+		u8		mode;
+		u8		replay_window;
+		u8		aalgo, ealgo, calgo;
+		u8		flags;
+		u16		family;
+		xfrm_address_t	saddr;
+		int		header_len;
+		int		trailer_len;
+	} props;
+
+	struct xfrm_lifetime_cfg lft;
+
+	/* Data for transformer */
+	struct xfrm_algo	*aalg;
+	struct xfrm_algo	*ealg;
+	struct xfrm_algo	*calg;
+
+	/* Data for encapsulator */
+	struct xfrm_encap_tmpl	*encap;
+
+	/* IPComp needs an IPIP tunnel for handling uncompressed packets */
+	struct xfrm_state	*tunnel;
+
+	/* If a tunnel, number of users + 1 */
+	atomic_t		tunnel_users;
+
+	/* State for replay detection */
+	struct xfrm_replay_state replay;
+
+	/* Statistics */
+	struct xfrm_stats	stats;
+
+	struct xfrm_lifetime_cur curlft;
+	struct timer_list	timer;
+
+	/* Reference to data common to all the instances of this
+	 * transformer. */
+	struct xfrm_type	*type;
+
+	/* Private data of this transformer, format is opaque,
+	 * interpreted by xfrm_type methods. */
+	void			*data;
+};
+
+enum {
+	XFRM_STATE_VOID,
+	XFRM_STATE_ACQ,
+	XFRM_STATE_VALID,
+	XFRM_STATE_ERROR,
+	XFRM_STATE_EXPIRED,
+	XFRM_STATE_DEAD
+};
+
+/* callback structure passed from either netlink or pfkey */
+struct km_event
+{
+	union {
+		u32 hard;
+		u32 proto;
+		u32 byid;
+	} data;
+
+	u32	seq;
+	u32	pid;
+	u32	event;
+};
+
+struct xfrm_type;
+struct xfrm_dst;
+struct xfrm_policy_afinfo {
+	unsigned short		family;
+	rwlock_t		lock;
+	struct xfrm_type_map	*type_map;
+	struct dst_ops		*dst_ops;
+	void			(*garbage_collect)(void);
+	int			(*dst_lookup)(struct xfrm_dst **dst, struct flowi *fl);
+	struct dst_entry	*(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
+	int			(*bundle_create)(struct xfrm_policy *policy, 
+						 struct xfrm_state **xfrm, 
+						 int nx,
+						 struct flowi *fl, 
+						 struct dst_entry **dst_p);
+	void			(*decode_session)(struct sk_buff *skb,
+						  struct flowi *fl);
+};
+
+extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
+extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
+extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
+extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
+
+#define XFRM_ACQ_EXPIRES	30
+
+struct xfrm_tmpl;
+struct xfrm_state_afinfo {
+	unsigned short		family;
+	rwlock_t		lock;
+	struct list_head	*state_bydst;
+	struct list_head	*state_byspi;
+	int			(*init_flags)(struct xfrm_state *x);
+	void			(*init_tempsel)(struct xfrm_state *x, struct flowi *fl,
+						struct xfrm_tmpl *tmpl,
+						xfrm_address_t *daddr, xfrm_address_t *saddr);
+	struct xfrm_state	*(*state_lookup)(xfrm_address_t *daddr, u32 spi, u8 proto);
+	struct xfrm_state	*(*find_acq)(u8 mode, u32 reqid, u8 proto, 
+					     xfrm_address_t *daddr, xfrm_address_t *saddr, 
+					     int create);
+};
+
+extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
+extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
+
+extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
+
+struct xfrm_decap_state;
+struct xfrm_type
+{
+	char			*description;
+	struct module		*owner;
+	__u8			proto;
+
+	int			(*init_state)(struct xfrm_state *x);
+	void			(*destructor)(struct xfrm_state *);
+	int			(*input)(struct xfrm_state *, struct xfrm_decap_state *, struct sk_buff *skb);
+	int			(*post_input)(struct xfrm_state *, struct xfrm_decap_state *, struct sk_buff *skb);
+	int			(*output)(struct xfrm_state *, struct sk_buff *pskb);
+	/* Estimate maximal size of result of transformation of a dgram */
+	u32			(*get_max_size)(struct xfrm_state *, int size);
+};
+
+struct xfrm_type_map {
+	rwlock_t		lock;
+	struct xfrm_type	*map[256];
+};
+
+extern int xfrm_register_type(struct xfrm_type *type, unsigned short family);
+extern int xfrm_unregister_type(struct xfrm_type *type, unsigned short family);
+extern struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family);
+extern void xfrm_put_type(struct xfrm_type *type);
+
+struct xfrm_tmpl
+{
+/* id in template is interpreted as:
+ * daddr - destination of tunnel, may be zero for transport mode.
+ * spi   - zero to acquire spi. Not zero if spi is static, then
+ *	   daddr must be fixed too.
+ * proto - AH/ESP/IPCOMP
+ */
+	struct xfrm_id		id;
+
+/* Source address of tunnel. Ignored, if it is not a tunnel. */
+	xfrm_address_t		saddr;
+
+/* family of the outer addresses. The family may differ from
+   the one in selector */
+	unsigned short		outer_family;
+
+	__u32			reqid;
+
+/* Mode: transport/tunnel */
+	__u8			mode;
+
+/* Sharing mode: unique, this session only, this user only etc. */
+	__u8			share;
+
+/* May skip this transfomration if no SA is found */
+	__u8			optional;
+
+/* Bit mask of algos allowed for acquisition */
+	__u32			aalgos;
+	__u32			ealgos;
+	__u32			calgos;
+};
+
+#define XFRM_MAX_DEPTH		4
+
+struct xfrm_policy
+{
+	struct xfrm_policy	*next;
+	struct list_head	list;
+
+	/* This lock only affects elements except for entry. */
+	rwlock_t		lock;
+	atomic_t		refcnt;
+	struct timer_list	timer;
+
+	u32			priority;