Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next

	u8			flags;

};

struct xfrm_mode {

	u8 encap;

	u8 family;

	u8 flags;

};

/* Flags for xfrm_mode. */

enum {

	XFRM_MODE_FLAG_TUNNEL = 1,

};

/* Full description of state of transformer. */

struct xfrm_state {

	possible_net_t		xs_net;

	/* Reference to data common to all the instances of this

	 * transformer. */

	const struct xfrm_type	*type;

	struct xfrm_mode	*inner_mode;

	struct xfrm_mode	*inner_mode_iaf;

	struct xfrm_mode	*outer_mode;

	struct xfrm_mode	inner_mode;

	struct xfrm_mode	inner_mode_iaf;

	struct xfrm_mode	outer_mode;

	const struct xfrm_type_offload	*type_offload;

					     xfrm_address_t *saddr,

					     xfrm_address_t *daddr,

					     u32 mark);

	void			(*decode_session)(struct sk_buff *skb,

						  struct flowi *fl,

						  int reverse);

	int			(*get_tos)(const struct flowi *fl);

	int			(*init_path)(struct xfrm_dst *path,

					     struct dst_entry *dst,

					     int nfheader_len);

	int			(*fill_dst)(struct xfrm_dst *xdst,

					    struct net_device *dev,

					    const struct flowi *fl);

	struct module			*owner;

	const struct xfrm_type		*type_map[IPPROTO_MAX];

	const struct xfrm_type_offload	*type_offload_map[IPPROTO_MAX];

	struct xfrm_mode		*mode_map[XFRM_MODE_MAX];

	int			(*init_flags)(struct xfrm_state *x);

	void			(*init_tempsel)(struct xfrm_selector *sel,

int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);

int xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);

struct xfrm_mode {

	/*

	 * Remove encapsulation header.

	 *

	 * The IP header will be moved over the top of the encapsulation

	 * header.

	 *

	 * On entry, the transport header shall point to where the IP header

	 * should be and the network header shall be set to where the IP

	 * header currently is.  skb->data shall point to the start of the

	 * payload.

	 */

	int (*input2)(struct xfrm_state *x, struct sk_buff *skb);

	/*

	 * This is the actual input entry point.

	 *

	 * For transport mode and equivalent this would be identical to

	 * input2 (which does not need to be set).  While tunnel mode

	 * and equivalent would set this to the tunnel encapsulation function

	 * xfrm4_prepare_input that would in turn call input2.

	 */

	int (*input)(struct xfrm_state *x, struct sk_buff *skb);

	/*

	 * Add encapsulation header.

	 *

	 * On exit, the transport header will be set to the start of the

	 * encapsulation header to be filled in by x->type->output and

	 * the mac header will be set to the nextheader (protocol for

	 * IPv4) field of the extension header directly preceding the

	 * encapsulation header, or in its absence, that of the top IP

	 * header.  The value of the network header will always point

	 * to the top IP header while skb->data will point to the payload.

	 */

	int (*output2)(struct xfrm_state *x,struct sk_buff *skb);

	/*

	 * This is the actual output entry point.

	 *

	 * For transport mode and equivalent this would be identical to

	 * output2 (which does not need to be set).  While tunnel mode

	 * and equivalent would set this to a tunnel encapsulation function

	 * (xfrm4_prepare_output or xfrm6_prepare_output) that would in turn

	 * call output2.

	 */

	int (*output)(struct xfrm_state *x, struct sk_buff *skb);

	/*

	 * Adjust pointers into the packet and do GSO segmentation.

	 */

	struct sk_buff *(*gso_segment)(struct xfrm_state *x, struct sk_buff *skb, netdev_features_t features);

	/*

	 * Adjust pointers into the packet when IPsec is done at layer2.

	 */

	void (*xmit)(struct xfrm_state *x, struct sk_buff *skb);

	struct xfrm_state_afinfo *afinfo;

	struct module *owner;

	unsigned int encap;

	int flags;

};

/* Flags for xfrm_mode. */

enum {

	XFRM_MODE_FLAG_TUNNEL = 1,

};

int xfrm_register_mode(struct xfrm_mode *mode, int family);

int xfrm_unregister_mode(struct xfrm_mode *mode, int family);

static inline int xfrm_af2proto(unsigned int family)

{

	switch(family) {

	}

}

static inline struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)

static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)

{

	if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||

	    (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))

		return x->inner_mode;

		return &x->inner_mode;

	else

		return x->inner_mode_iaf;

		return &x->inner_mode_iaf;

}

struct xfrm_tmpl {

int xfrm_state_mtu(struct xfrm_state *x, int mtu);

int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload);

int xfrm_init_state(struct xfrm_state *x);

int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);

int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);

int xfrm_input_resume(struct sk_buff *skb, int nexthdr);

int xfrm_trans_queue(struct sk_buff *skb,

				   struct sk_buff *));

int xfrm_output_resume(struct sk_buff *skb, int err);

int xfrm_output(struct sock *sk, struct sk_buff *skb);

int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);

#if IS_ENABLED(CONFIG_NET_PKTGEN)

int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb);

#endif

void xfrm_local_error(struct sk_buff *skb, int mtu);

int xfrm4_extract_header(struct sk_buff *skb);

int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);

}

int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb);

int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb);

int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb);

int xfrm4_output_finish(struct sock *sk, struct sk_buff *skb);

int xfrm4_rcv_cb(struct sk_buff *skb, u8 protocol, int err);

int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);

int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);

int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);

int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,

		     xfrm_address_t *saddr, u8 proto);

void xfrm6_local_error(struct sk_buff *skb, u32 mtu);

int xfrm6_rcv_cb(struct sk_buff *skb, u8 protocol, int err);

int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);

int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);

int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);

__be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);

__be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);

int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb);

int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb);

int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);

int xfrm6_output_finish(struct sock *sk, struct sk_buff *skb);

int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,

			tunnel = true;

		break;

	}

	if (tunnel && !(x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL))

	if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL))

		return -EINVAL;

	return 0;

		skb->_skb_refdst = (unsigned long)&pkt_dev->xdst.u.dst | SKB_DST_NOREF;

	rcu_read_lock_bh();

	err = x->outer_mode->output(x, skb);

	err = pktgen_xfrm_outer_mode_output(x, skb);

	rcu_read_unlock_bh();

	if (err) {

		XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEMODEERROR);

	tristate "Virtual (secure) IP: tunneling"

	select INET_TUNNEL

	select NET_IP_TUNNEL

	depends on INET_XFRM_MODE_TUNNEL

	select XFRM

	---help---

	  Tunneling means encapsulating data of one protocol type within

	  another protocol and sending it over a channel that understands the

	tristate

	default n

config INET_XFRM_MODE_TRANSPORT

	tristate "IP: IPsec transport mode"

	default y

	select XFRM

	---help---

	  Support for IPsec transport mode.

	  If unsure, say Y.

config INET_XFRM_MODE_TUNNEL

	tristate "IP: IPsec tunnel mode"

	default y

	select XFRM

	---help---

	  Support for IPsec tunnel mode.

	  If unsure, say Y.

config INET_XFRM_MODE_BEET

	tristate "IP: IPsec BEET mode"

	default y

	select XFRM

	---help---

	  Support for IPsec BEET mode.

	  If unsure, say Y.

config INET_DIAG

	tristate "INET: socket monitoring interface"

	default y

obj-$(CONFIG_INET_ESP_OFFLOAD) += esp4_offload.o

obj-$(CONFIG_INET_IPCOMP) += ipcomp.o

obj-$(CONFIG_INET_XFRM_TUNNEL) += xfrm4_tunnel.o

obj-$(CONFIG_INET_XFRM_MODE_BEET) += xfrm4_mode_beet.o

obj-$(CONFIG_INET_TUNNEL) += tunnel4.o

obj-$(CONFIG_INET_XFRM_MODE_TRANSPORT) += xfrm4_mode_transport.o

obj-$(CONFIG_INET_XFRM_MODE_TUNNEL) += xfrm4_mode_tunnel.o

obj-$(CONFIG_IP_PNP) += ipconfig.o

obj-$(CONFIG_NETFILTER)	+= netfilter.o netfilter/

obj-$(CONFIG_INET_DIAG) += inet_diag.o

	xo->proto = proto;

}

static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,

						struct sk_buff *skb,

						netdev_features_t features)

{

	__skb_push(skb, skb->mac_len);

	return skb_mac_gso_segment(skb, features);

}

static struct sk_buff *xfrm4_transport_gso_segment(struct xfrm_state *x,

						   struct sk_buff *skb,

						   netdev_features_t features)

{

	const struct net_offload *ops;

	struct sk_buff *segs = ERR_PTR(-EINVAL);

	struct xfrm_offload *xo = xfrm_offload(skb);

	skb->transport_header += x->props.header_len;

	ops = rcu_dereference(inet_offloads[xo->proto]);

	if (likely(ops && ops->callbacks.gso_segment))

		segs = ops->callbacks.gso_segment(skb, features);

	return segs;

}

static struct sk_buff *xfrm4_outer_mode_gso_segment(struct xfrm_state *x,

						    struct sk_buff *skb,

						    netdev_features_t features)

{

	switch (x->outer_mode.encap) {

	case XFRM_MODE_TUNNEL:

		return xfrm4_tunnel_gso_segment(x, skb, features);

	case XFRM_MODE_TRANSPORT:

		return xfrm4_transport_gso_segment(x, skb, features);

	}

	return ERR_PTR(-EOPNOTSUPP);

}

static struct sk_buff *esp4_gso_segment(struct sk_buff *skb,

				        netdev_features_t features)

{

	skb->encap_hdr_csum = 1;

	if (!(features & NETIF_F_HW_ESP) || x->xso.dev != skb->dev)

	if ((!(skb->dev->gso_partial_features & NETIF_F_HW_ESP) &&

	     !(features & NETIF_F_HW_ESP)) || x->xso.dev != skb->dev)

		esp_features = features & ~(NETIF_F_SG | NETIF_F_CSUM_MASK);

	else if (!(features & NETIF_F_HW_ESP_TX_CSUM))

	else if (!(features & NETIF_F_HW_ESP_TX_CSUM) &&

		 !(skb->dev->gso_partial_features & NETIF_F_HW_ESP_TX_CSUM))

		esp_features = features & ~NETIF_F_CSUM_MASK;

	xo->flags |= XFRM_GSO_SEGMENT;

	return x->outer_mode->gso_segment(x, skb, esp_features);

	return xfrm4_outer_mode_gso_segment(x, skb, esp_features);

}

static int esp_input_tail(struct xfrm_state *x, struct sk_buff *skb)

	if (!xo)

		return -EINVAL;

	if (!(features & NETIF_F_HW_ESP) || x->xso.dev != skb->dev) {

	if ((!(features & NETIF_F_HW_ESP) &&

	     !(skb->dev->gso_partial_features & NETIF_F_HW_ESP)) ||

	    x->xso.dev != skb->dev) {

		xo->flags |= CRYPTO_FALLBACK;

		hw_offload = false;

	}