Linux内核中PF_KEY协议族的实现(3)

本文档的Copyleft归yfydz所有,使用GPL发布,可以自由拷贝,转载,转载时请保持文档的完整性,严禁用于任何商业用途。
msn: [email protected]
来源:http://yfydz.cublog.cn

5.10 添加/更新SPD(安全策略)
// 添加安全策略到安全策略数据库SPDB
static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
{
 int err = 0;
 struct sadb_lifetime *lifetime;
 struct sadb_address *sa;
 struct sadb_x_policy *pol;
 struct xfrm_policy *xp;
 struct km_event c;
 struct sadb_x_sec_ctx *sec_ctx;
// 错误检查, 源目的地址类型要一致, 策略信息非空
 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
         ext_hdrs[SADB_EXT_ADDRESS_DST-1]) ||
     !ext_hdrs[SADB_X_EXT_POLICY-1])
  return -EINVAL;
// 策略指针
 pol = ext_hdrs[SADB_X_EXT_POLICY-1];
// 策略类型只能是DISCARD, NONE和IPSEC三者之一
 if (pol->sadb_x_policy_type > IPSEC_POLICY_IPSEC)
  return -EINVAL;
// 必须明确该SP作用于哪个方向的的数据: IN, OUT和FORWARD, 最后那个不是RFC标准的
 if (!pol->sadb_x_policy_dir || pol->sadb_x_policy_dir >= IPSEC_DIR_MAX)
  return -EINVAL;
// 分配xfrm策略
 xp = xfrm_policy_alloc(GFP_KERNEL);
 if (xp == NULL)
  return -ENOBUFS;
// 策略的动作: 阻塞还是放行
 xp->action = (pol->sadb_x_policy_type == IPSEC_POLICY_DISCARD ?
        XFRM_POLICY_BLOCK : XFRM_POLICY_ALLOW);
// 策略的优先级
 xp->priority = pol->sadb_x_policy_priority;
// 获取策略源地址及地址类型(v4 or v6)
 sa = ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
 xp->family = pfkey_sadb_addr2xfrm_addr(sa, &xp->selector.saddr);
 if (!xp->family) {
  err = -EINVAL;
  goto out;
 }
// 填充策略选择子结构参数, 选择子中包括用来辨别策略的相关参数, 用来查找匹配策略
// 协议族
 xp->selector.family = xp->family;
// 地址长度
 xp->selector.prefixlen_s = sa->sadb_address_prefixlen;
// 协议
 xp->selector.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);
// 策略中可以有上层协议的源端口参数, 不过不是必须的
 xp->selector.sport = ((struct sockaddr_in *)(sa+1))->sin_port;
 if (xp->selector.sport)
  xp->selector.sport_mask = htons(0xffff);
// 获取策略目的地址及地址类型(v4 or v6)
// 和源地址处理类似
 sa = ext_hdrs[SADB_EXT_ADDRESS_DST-1],
 pfkey_sadb_addr2xfrm_addr(sa, &xp->selector.daddr);
 xp->selector.prefixlen_d = sa->sadb_address_prefixlen;
 /* Amusing, we set this twice.  KAME apps appear to set same value
  * in both addresses.
  */
 xp->selector.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);
 xp->selector.dport = ((struct sockaddr_in *)(sa+1))->sin_port;
 if (xp->selector.dport)
  xp->selector.dport_mask = htons(0xffff);
// 用户定义的安全上下文
 sec_ctx = (struct sadb_x_sec_ctx *) ext_hdrs[SADB_X_EXT_SEC_CTX-1];
 if (sec_ctx != NULL) {
  struct xfrm_user_sec_ctx *uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx);
  if (!uctx) {
   err = -ENOBUFS;
   goto out;
  }
  err = security_xfrm_policy_alloc(xp, uctx);
  kfree(uctx);
  if (err)
   goto out;
 }
// lft: xfrm_lifetime_config, 生存时间配置参数
// 关于字节数和包数的软硬限制初始化
 xp->lft.soft_byte_limit = XFRM_INF;
 xp->lft.hard_byte_limit = XFRM_INF;
 xp->lft.soft_packet_limit = XFRM_INF;
 xp->lft.hard_packet_limit = XFRM_INF;
// 如果在消息中定义了限制, 设置之
 if ((lifetime = ext_hdrs[SADB_EXT_LIFETIME_HARD-1]) != NULL) {
  xp->lft.hard_packet_limit = _KEY2X(lifetime->sadb_lifetime_allocations);
  xp->lft.hard_byte_limit = _KEY2X(lifetime->sadb_lifetime_bytes);
  xp->lft.hard_add_expires_seconds = lifetime->sadb_lifetime_addtime;
  xp->lft.hard_use_expires_seconds = lifetime->sadb_lifetime_usetime;
 }
 if ((lifetime = ext_hdrs[SADB_EXT_LIFETIME_SOFT-1]) != NULL) {
  xp->lft.soft_packet_limit = _KEY2X(lifetime->sadb_lifetime_allocations);
  xp->lft.soft_byte_limit = _KEY2X(lifetime->sadb_lifetime_bytes);
  xp->lft.soft_add_expires_seconds = lifetime->sadb_lifetime_addtime;
  xp->lft.soft_use_expires_seconds = lifetime->sadb_lifetime_usetime;
 }
 xp->xfrm_nr = 0;
// 如果是IPSEC策略, 解析相关请求
 if (pol->sadb_x_policy_type == IPSEC_POLICY_IPSEC &&
     (err = parse_ipsecrequests(xp, pol)) < 0)
  goto out;
// 将策略xp插入内核SPDB
 err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp,
// 一般是添加, 也可以是更新
     hdr->sadb_msg_type != SADB_X_SPDUPDATE);
 if (err)
  goto out;
 if (hdr->sadb_msg_type == SADB_X_SPDUPDATE)
  c.event = XFRM_MSG_UPDPOLICY;
 else
  c.event = XFRM_MSG_NEWPOLICY;
 c.seq = hdr->sadb_msg_seq;
 c.pid = hdr->sadb_msg_pid;
// 策略通知回调处理
 km_policy_notify(xp, pol->sadb_x_policy_dir-1, &c);
 xfrm_pol_put(xp);
 return 0;
out:
 security_xfrm_policy_free(xp);
 kfree(xp);
 return err;
}
/* net/xfrm/xfrm_policy.c */
// 插入策略
int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
{
 struct xfrm_policy *pol;
 struct xfrm_policy *delpol;
 struct hlist_head *chain;
 struct hlist_node *entry, *newpos, *last;
 struct dst_entry *gc_list;
 write_lock_bh(&xfrm_policy_lock);
// 找到具体的hash链表, SPDB也是用HASH表实现的
 chain = policy_hash_bysel(&policy->selector, policy->family, dir);
 delpol = NULL;
 newpos = NULL;
 last = NULL;
// 遍历链表, 该链表是以策略的优先级值进行排序的链表, 因此需要根据新策略的优先级大小
// 将新策略插到合适的位置
 hlist_for_each_entry(pol, entry, chain, bydst) {
// delpol要为空
  if (!delpol &&
// 策略类型比较
      pol->type == policy->type &&
// 选择子比较
      !selector_cmp(&pol->selector, &policy->selector) &&
// 安全上下文比较
      xfrm_sec_ctx_match(pol->security, policy->security)) {
// 找到了
   if (excl) {
// 如果是添加操作, 要插入的策略在数据库中已经存在, 发生错误
    write_unlock_bh(&xfrm_policy_lock);
    return -EEXIST;
   }
// 保存好要删除的策略位置
   delpol = pol;
// 要更新的策略优先级值大于原有的优先级值, 重新循环找到合适的插入位置
// 因为这个链表是以优先级值进行排序的, 不能乱
// 现在delpol已经非空了,  前面的策略查找条件已经不可能满足了
   if (policy->priority > pol->priority)
    continue;
  } else if (policy->priority >= pol->priority) {
// 如果新的优先级不低于当前的优先级, 保存当前节点, 继续查找合适插入位置
   last = &pol->bydst;
   continue;
  }
// 这里是根据新策略的优先级确定的插入位置
  if (!newpos)
   newpos = &pol->bydst;
// 如果已经找到要删除的策略, 中断
  if (delpol)
   break;
  last = &pol->bydst;
 }
 if (!newpos)
  newpos = last;
// 插入策略到按目的地址HASH的链表
 if (newpos)
  hlist_add_after(newpos, &policy->bydst);
 else
  hlist_add_head(&policy->bydst, chain);
 xfrm_pol_hold(policy);
 xfrm_policy_count[dir]++;
 atomic_inc(&flow_cache_genid);
// 如果有相同的老策略, 要从目的地址HASH和索引号HASH这两个表中删除
 if (delpol) {
  hlist_del(&delpol->bydst);
  hlist_del(&delpol->byidx);
  xfrm_policy_count[dir]--;
 }
// 获取策略索引号, 插入索引HASH链表
 policy->index = delpol ? delpol->index : xfrm_gen_index(policy->type, dir);
 hlist_add_head(&policy->byidx, xfrm_policy_byidx+idx_hash(policy->index));
// 策略插入实际时间
 policy->curlft.add_time = (unsigned long)xtime.tv_sec;
 policy->curlft.use_time = 0;
 if (!mod_timer(&policy->timer, jiffies + HZ))
  xfrm_pol_hold(policy);
 write_unlock_bh(&xfrm_policy_lock);
// 释放老策略
 if (delpol)
  xfrm_policy_kill(delpol);
 else if (xfrm_bydst_should_resize(dir, NULL))
  schedule_work(&xfrm_hash_work);
// 下面释放所有策略当前的路由cache
 read_lock_bh(&xfrm_policy_lock);
 gc_list = NULL;
 entry = &policy->bydst;
// 遍历链表, 搜集垃圾路由cache建立链表
 hlist_for_each_entry_continue(policy, entry, bydst) {
  struct dst_entry *dst;
  write_lock(&policy->lock);
  dst = policy->bundles;
  if (dst) {
   struct dst_entry *tail = dst;
   while (tail->next)
    tail = tail->next;
   tail->next = gc_list;
   gc_list = dst;
   policy->bundles = NULL;
  }
  write_unlock(&policy->lock);
 }
 read_unlock_bh(&xfrm_policy_lock);
// 释放垃圾路由cahce
 while (gc_list) {
  struct dst_entry *dst = gc_list;
  gc_list = dst->next;
  dst_free(dst);
 }
 return 0;
}
EXPORT_SYMBOL(xfrm_policy_insert);

5.11 删除SPD

static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
{
 int err;
 struct sadb_address *sa;
 struct sadb_x_policy *pol;
 struct xfrm_policy *xp, tmp;
 struct xfrm_selector sel;
 struct km_event c;
 struct sadb_x_sec_ctx *sec_ctx;
// 错误检查, 源目的地址类型要一致, 策略信息非空
 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
         ext_hdrs[SADB_EXT_ADDRESS_DST-1]) ||
     !ext_hdrs[SADB_X_EXT_POLICY-1])
  return -EINVAL;
// 消息中定义的策略
 pol = ext_hdrs[SADB_X_EXT_POLICY-1];
// 策略类型合法性检查
 if (!pol->sadb_x_policy_dir || pol->sadb_x_policy_dir >= IPSEC_DIR_MAX)
  return -EINVAL;
 memset(&sel, 0, sizeof(sel));
// 解析消息中的源地址参数填充到选择子结构中
 sa = ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
 sel.family = pfkey_sadb_addr2xfrm_addr(sa, &sel.saddr);
 sel.prefixlen_s = sa->sadb_address_prefixlen;
 sel.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);
 sel.sport = ((struct sockaddr_in *)(sa+1))->sin_port;
 if (sel.sport)
  sel.sport_mask = htons(0xffff);
// 解析消息中的目的地址参数填充到选择子结构中
 sa = ext_hdrs[SADB_EXT_ADDRESS_DST-1],
 pfkey_sadb_addr2xfrm_addr(sa, &sel.daddr);
 sel.prefixlen_d = sa->sadb_address_prefixlen;
 sel.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);
 sel.dport = ((struct sockaddr_in *)(sa+1))->sin_port;
 if (sel.dport)
  sel.dport_mask = htons(0xffff);
 sec_ctx = (struct sadb_x_sec_ctx *) ext_hdrs[SADB_X_EXT_SEC_CTX-1];
 memset(&tmp, 0, sizeof(struct xfrm_policy));
// 扩展的用户安全上下文信息处理
 if (sec_ctx != NULL) {
  struct xfrm_user_sec_ctx *uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx);
  if (!uctx)
   return -ENOMEM;
  err = security_xfrm_policy_alloc(&tmp, uctx);
  kfree(uctx);
  if (err)
   return err;
 }
// 根据策略类型, 处理的数据方向, 选择子参数等信息查找策略
// 同时最后一个参数为1表示找到后将策略从系统的SPDB链表中断开后删除
 xp = xfrm_policy_bysel_ctx(XFRM_POLICY_TYPE_MAIN, pol->sadb_x_policy_dir-1,
       &sel, tmp.security, 1);
 security_xfrm_policy_free(&tmp);
// 没有该策略, 出错
 if (xp == NULL)
  return -ENOENT;
 err = 0;
 if ((err = security_xfrm_policy_delete(xp)))
  goto out;
 c.seq = hdr->sadb_msg_seq;
 c.pid = hdr->sadb_msg_pid;
 c.event = XFRM_MSG_DELPOLICY;
// 反方向的策略通知回调处理
 km_policy_notify(xp, pol->sadb_x_policy_dir-1, &c);
out:
// 释放策略
 xfrm_pol_put(xp);
 return err;
}
/* net/xfrm/xfrm_policy.c */
// 根据选择子和上下文查找策略
struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
       struct xfrm_selector *sel,
       struct xfrm_sec_ctx *ctx, int delete)
{
 struct xfrm_policy *pol, *ret;
 struct hlist_head *chain;
 struct hlist_node *entry;
 write_lock_bh(&xfrm_policy_lock);
// 定位HASH表
 chain = policy_hash_bysel(sel, sel->family, dir);
 ret = NULL;
// 遍历链表
 hlist_for_each_entry(pol, entry, chain, bydst) {
// 根据类型, 选择子和上下文进行匹配
  if (pol->type == type &&
      !selector_cmp(sel, &pol->selector) &&
      xfrm_sec_ctx_match(ctx, pol->security)) {
   xfrm_pol_hold(pol);
   if (delete) {
// 要的删除话将策略节点从目的地址HASH链表和索引HASH链表中断开
    hlist_del(&pol->bydst);
    hlist_del(&pol->byidx);
    xfrm_policy_count[dir]--;
   }
   ret = pol;
   break;
  }
 }
 write_unlock_bh(&xfrm_policy_lock);
 if (ret && delete) {
  atomic_inc(&flow_cache_genid);
// 将策略状态置为dead, 并添加到系统的策略垃圾链表进行调度处理准备删除
  xfrm_policy_kill(ret);
 }
 return ret;
}
EXPORT_SYMBOL(xfrm_policy_bysel_ctx);

5.12 获取SPD

static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
{
 unsigned int dir;
 int err;
 struct sadb_x_policy *pol;
 struct xfrm_policy *xp;
 struct km_event c;
// 消息中的策略头
 if ((pol = ext_hdrs[SADB_X_EXT_POLICY-1]) == NULL)
  return -EINVAL;
// 根据策略id判断数据方向
 dir = xfrm_policy_id2dir(pol->sadb_x_policy_id);
 if (dir >= XFRM_POLICY_MAX)
  return -EINVAL;
// 根据方向/ID等参数来查找策略, 如果最后一个参数为真的同时删除策略
 xp = xfrm_policy_byid(XFRM_POLICY_TYPE_MAIN, dir, pol->sadb_x_policy_id,
         hdr->sadb_msg_type == SADB_X_SPDDELETE2);
 if (xp == NULL)
  return -ENOENT;
 err = 0;
 c.seq = hdr->sadb_msg_seq;
 c.pid = hdr->sadb_msg_pid;
 if (hdr->sadb_msg_type == SADB_X_SPDDELETE2) {
// 如果要删除策略, 进行通知回调
  c.data.byid = 1;
  c.event = XFRM_MSG_DELPOLICY;
  km_policy_notify(xp, dir, &c);
 } else {
// 将结果填充一个skb返回给用户空间
  err = key_pol_get_resp(sk, xp, hdr, dir);
 }
 xfrm_pol_put(xp);
 return err;
}
 
5.13 输出整个SPD
static int pfkey_spddump(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
{
 struct pfkey_dump_data data = { .skb = skb, .hdr = hdr, .sk = sk };
// 遍历策略链表输出策略, dump_sa是输出单一SP的函数
 return xfrm_policy_walk(XFRM_POLICY_TYPE_MAIN, dump_sp, &data);
}
// 输出单一SP
static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr)
{
 struct pfkey_dump_data *data = ptr;
 struct sk_buff *out_skb;
 struct sadb_msg *out_hdr;
// 将安全策略填充到skb前的准备操作
 out_skb = pfkey_xfrm_policy2msg_prep(xp);
 if (IS_ERR(out_skb))
  return PTR_ERR(out_skb);
// 将安全策略填充到skb
 pfkey_xfrm_policy2msg(out_skb, xp, dir);
// 填充基本SA消息头
 out_hdr = (struct sadb_msg *) out_skb->data;
 out_hdr->sadb_msg_version = data->hdr->sadb_msg_version;
 out_hdr->sadb_msg_type = SADB_X_SPDDUMP;
 out_hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;
 out_hdr->sadb_msg_errno = 0;
// SA消息的序号
 out_hdr->sadb_msg_seq = count;
 out_hdr->sadb_msg_pid = data->hdr->sadb_msg_pid;
// 发送到指定的sock
 pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ONE, data->sk);
 return 0;
}

/* net/xfrm/xfrm_policy.c */
// 遍历安全策略
int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*),
       void *data)
{
 struct xfrm_policy *pol;
 struct hlist_node *entry;
 int dir, count, error;
 read_lock_bh(&xfrm_policy_lock);
 count = 0;
// 先统计符合类型的策略的数量, 方向是双向的
 for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
  struct hlist_head *table = xfrm_policy_bydst[dir].table;
  int i;
// inexact HASH表
  hlist_for_each_entry(pol, entry,
         &xfrm_policy_inexact[dir], bydst) {
   if (pol->type == type)
    count++;
  }
// bydst HASH表
  for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
   hlist_for_each_entry(pol, entry, table + i, bydst) {
    if (pol->type == type)
     count++;
   }
  }
 }
 if (count == 0) {
  error = -ENOENT;
  goto out;
 }
// 重新遍历HASH表, 当前的count值作为SA的序号, 因此用户空间收到的序号是递减的
 for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
  struct hlist_head *table = xfrm_policy_bydst[dir].table;
  int i;
  hlist_for_each_entry(pol, entry,
         &xfrm_policy_inexact[dir], bydst) {
   if (pol->type != type)
    continue;
   error = func(pol, dir % XFRM_POLICY_MAX, --count, data);
   if (error)
    goto out;
  }
  for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
   hlist_for_each_entry(pol, entry, table + i, bydst) {
    if (pol->type != type)
     continue;
    error = func(pol, dir % XFRM_POLICY_MAX, --count, data);
    if (error)
     goto out;
   }
  }
 }
 error = 0;
out:
 read_unlock_bh(&xfrm_policy_lock);
 return error;
}
EXPORT_SYMBOL(xfrm_policy_walk);

5.14 删除全部SPD
 [SADB_X_SPDFLUSH] = pfkey_spdflush,
// 删除全部SP
static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
{
 struct km_event c;
// 删除全部MAIN类型的SP
 xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN);
 c.data.type = XFRM_POLICY_TYPE_MAIN;
 c.event = XFRM_MSG_FLUSHPOLICY;
 c.pid = hdr->sadb_msg_pid;
 c.seq = hdr->sadb_msg_seq;
// 通知回调处理
 km_policy_notify(NULL, 0, &c);
 return 0;
}
// 删除SP回调
static int key_notify_policy_flush(struct km_event *c)
{
 struct sk_buff *skb_out;
 struct sadb_msg *hdr;
// 分配skb
 skb_out = alloc_skb(sizeof(struct sadb_msg) + 16, GFP_ATOMIC);
 if (!skb_out)
  return -ENOBUFS;
 hdr = (struct sadb_msg *) skb_put(skb_out, sizeof(struct sadb_msg));
// SA消息类型为删除所有SP
 hdr->sadb_msg_type = SADB_X_SPDFLUSH;
 hdr->sadb_msg_seq = c->seq;
 hdr->sadb_msg_pid = c->pid;
 hdr->sadb_msg_version = PF_KEY_V2;
 hdr->sadb_msg_errno = (uint8_t) 0;
 hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
// 广播给所有打开PF_KEY类型套接口的用户进程
 pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL);
 return 0;
}
/* net/xfrm/xfrm_policy.c */
// 删除全部安全策略
void xfrm_policy_flush(u8 type)
{
 int dir;
 write_lock_bh(&xfrm_policy_lock);
 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
  struct xfrm_policy *pol;
  struct hlist_node *entry;
  int i, killed;
  killed = 0;
 again1:
// 遍历inexact HASH链表
  hlist_for_each_entry(pol, entry,
         &xfrm_policy_inexact[dir], bydst) {
// 判断类型
   if (pol->type != type)
    continue;
// 将策略从bydst链表中断开
   hlist_del(&pol->bydst);
// 将策略从byidt链表中断开
   hlist_del(&pol->byidx);
   write_unlock_bh(&xfrm_policy_lock);
// 将策略状态置为dead, 并添加到系统的策略垃圾链表进行调度处理准备删除
   xfrm_policy_kill(pol);
   killed++;
   write_lock_bh(&xfrm_policy_lock);
   goto again1;
  }
// 遍历bydst HASH链表
  for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
 again2:
   hlist_for_each_entry(pol, entry,
          xfrm_policy_bydst[dir].table + i,
          bydst) {
    if (pol->type != type)
     continue;
// 将节点从链表中断开
    hlist_del(&pol->bydst);
    hlist_del(&pol->byidx);
    write_unlock_bh(&xfrm_policy_lock);
// 释放节点
    xfrm_policy_kill(pol);
    killed++;
    write_lock_bh(&xfrm_policy_lock);
    goto again2;
   }
  }
  xfrm_policy_count[dir] -= killed;
 }
 atomic_inc(&flow_cache_genid);
 write_unlock_bh(&xfrm_policy_lock);
}
EXPORT_SYMBOL(xfrm_policy_flush);

...... 待续 ......

你可能感兴趣的:(C++,linux,XP,ext,C#)