Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: David S. Miller <davem@davemloft.net>

Signed-off-by: David S. Miller <davem@davemloft.net>

Since skb_checksum_help has been using pskb_expand_head for a while
now without any ill effects, I thought it would be a good idea to
remove the double pointers from it and its callers.

This is what the following patch does.  The only 'rider' bit is the
removal of an unnecessary BUG_ON in ip6_pkt_discard_out.  The preceding
assignment was only added because the following function oopsed so
there is no point in doing BUG_ON.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

When larval states are generated along with ACQUIRE messages, we should
use the sequence to find the corresponding larval state when creating
states with ADD_SA or ALLOC_SPI.

If we don't do that, then it may take down an unrelated larval state
with the same parameters (think different TCP sessions).  This not only
leaves behind a larval state that shouldn't be there, it may also cause
another ACQUIRE message to be sent unnecessarily.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

Signed-off-by: HIDEAKI Yoshifuji <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@redhat.com>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@redhat.com>

Since skb_checksum_help() has been moved to xfrm[46]_output(), we don't
need the sk_buff ** argument in x->type->output anymore.  This patch
reverts it to a sk_buff *.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@redhat.com>

This patch allows the the user to build xfrm4_tunnel/xfrm6_tunnel as
modules.

This makes sense because they're only used by IPComp/IPIP/IP6Tunnel
which are modules themselves.  It also means that distros can cut
down on there core kernel size when compiling with IPsec support.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@redhat.com>

Signed-off-by: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>

This patch reuses the code in xfrm6_input.c for receiving xfrm6_tunnel
packets.  This removes duplicate code as well as fixing the bugs unique
to xfrm6_tunnel_input.  For example, it didn't move the MAC header down.
Nor did it do anything with ECN.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@redhat.com>

This patch removes a left-over from the days when the flow cache lived
in xfrm_policy.c.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@redhat.com>

This patch moves xfrm[46]_tunnel_check_size() into xfrm[46]_output.c
where it can be made static since it's only used there.

While moving the icmp.h inclusions over I also discovered that the
tunnel files are missing an inclusion of net/protocol.h.  So I've
added them as well.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@redhat.com>

I've finally finished merging the general encapsulation code for IPv4.
Here is the patch.

The idea is basically to make x->type->output similar in structure to
x->type->input.  That means moving the tunnel encapsulation and other
generic code out.

They have ended up in xfrm4_output.c.

The advantage of this is that we have exactly one copy of the tunnel
encapsulation code.  So if we need to change it (e.g., set the TTL
according to the route) then it's easier and less error-prone.

In fact, in doing so I've already noticed that the ECN wasn't being
copied correctly in everything except xfrm4_tunnel.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@redhat.com>

In a nutshell, skb checksum mangling has been removed from
nf_hook_slow() and pushed up to whatever really needs to do it.

Namely:  NAT, ip_fw_compat, ipt_TCPMSS, IPSec transforms.

skb_checksum_help() has been changed to perform an skb_copy() if needed 
(e.g. the original problem case where bcast/mcast was cloning packets for 
transmission over loopback, changing ip_summed).

Because of the above, the output path has been modified to take into 
account the fact that an skb may need to be changed in some places.  There 
are some minor changes in the routing code to take care of the now 
different input and output function prototypes.  The ipv6 fragmentation 
code has been modified to detect a changed skb.

The rest of the patch (probably the bulk of it) is simply the result of 
changing to double skb pointers.

I've tested this with ipv4, ipv6, ipsec (including xfrm bundles), NAT and 
the original DHCP test case.  Everything seems to be working ok.
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: David S. Miller <davem@redhat.com>

	optval (and in case of getsockopt - optlen) made __user, changes
percolated down into the instances.

When a secpath is COWed, we lose reference to the states.

This patch finally adds policy expiration.

Note that it resends soft policy expire messages every 30 seconds.  This
is needed as when "soft use expire" is used for dead peer detection,
a lost message could lead to a dead peer that isn't discovered until the
SAs expire.

I've only implemented notification for XFRM as I didn't want to just add
another PFKEY extension in case it collides with something else.  Of
course it could be easily done for PFKEY with an extension too.

Split xfrm_state_replace into xfrm_state_add and xfrm_state_replace.

Fixes:
1. Only update update lifetime and encap options if the state is valid.
2. Disallow updates to states that do not exist.
3. Bail if afinfo cannot be found.
 
This brings SADB_UPDATE in line with what is required by RFC2367.
It is also needed by SFS NAT-T support as it needs to update valid
states when the encap ports move.

I've tweaked the logic slightly so that SADB_UPDATE will fail on a
larval state that hasn't undergone SADB_GETSPI.  This is what RFC2367
calls for and it simplifies the code in that we don't have to call
find_acq for SADB_UPDATE.

This doesn't affect any of the three KMs as they either don't use
SADB_UPDATE or call SADB_GETSPI before doing an update.

With this the data dependency is reduced to just making sure that the first
member of both struct sock and struct tcp_tw_bucket are a struct sock_common.

Also makes it easier to grep for struct sock and struct tcp_tw_bucket usage in
the tree as all the members in those structs are prefixed, respectively, with
sk_ and tw_, like struct inode (i_), struct block_device (bd_), etc.

Checked namespace with make tags/ctags, just one colision with the macros for
the struct sock members, with a wanrouter struct, fixed that
s/sk_state/state_sk/g in the wanrouter struct.

Checked as well if the names of the members in both structs collided with some
macro, none found.