[IPSEC]: Merge most of the output path

As part of the work on asynchrnous cryptographic operations, we need to be able to resume from the spot where they occur. As such, it helps if we isolate them to one spot. This patch moves most of the remaining family-specific processing into the common output code. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Herbert Xu <herbert@gondor.apana.org.au> 2007-11-14 00:43:11 -0500
committer: David S. Miller <davem@davemloft.net> 2008-01-28 17:53:48 -0500
commit: 862b82c6f960cc61274d370aa78ce1112f92a83e (patch)
tree: 51e252e1525dd7d02a695d428890a4c37fae2442
parent: ef76bc23ef2acf20c8f7f841a542d8ab74c827c6 (diff)
11 files changed, 88 insertions, 145 deletions
diff --git a/include/net/dst.h b/include/net/dst.h
index 7a0b1bde8e28..e86b9a008ebf 100644
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -98,6 +98,7 @@ struct dst_ops
        struct dst_entry *      (*negative_advice)(struct dst_entry *);
        void                    (*link_failure)(struct sk_buff *);
        void                    (*update_pmtu)(struct dst_entry *dst, u32 mtu);
+        int                     (*local_out)(struct sk_buff *skb);
        int                     entry_size;
        atomic_t                entries;
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index a9dbe091ae58..ab9e747340b4 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -259,6 +259,7 @@ struct xfrm_state_afinfo {
        unsigned int            family;
        unsigned int            proto;
        unsigned int            eth_proto;
+        unsigned int            nf_post_routing;
        struct module           *owner;
        struct xfrm_type        *type_map[IPPROTO_MAX];
        struct xfrm_mode        *mode_map[XFRM_MODE_MAX];
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 137b8eb666b7..94ef788a2ac6 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -166,6 +166,7 @@ static struct dst_ops ipv4_dst_ops = {
        .negative_advice =      ipv4_negative_advice,
        .link_failure =         ipv4_link_failure,
        .update_pmtu =          ip_rt_update_pmtu,
+        .local_out =            ip_local_out,
        .entry_size =           sizeof(struct rtable),
 };
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 0ffc3d078489..2fb4efa3ff2c 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -59,7 +59,7 @@ int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
                return err;
        memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
-        IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE;
+        IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED;
        skb->protocol = htons(ETH_P_IP);
@@ -67,87 +67,19 @@ int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
 }
 EXPORT_SYMBOL(xfrm4_prepare_output);
-static inline int xfrm4_output_one(struct sk_buff *skb)
-{
-        int err;
-        err = xfrm_output(skb);
-        if (err)
-                goto error_nolock;
-        IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
-        err = 0;
-out_exit:
-        return err;
-error_nolock:
-        kfree_skb(skb);
-        goto out_exit;
-}
-static int xfrm4_output_finish2(struct sk_buff *skb)
-{
-        int err;
-        while (likely((err = xfrm4_output_one(skb)) == 0)) {
-                nf_reset(skb);
-                err = __ip_local_out(skb);
-                if (unlikely(err != 1))
-                        break;
-                if (!skb->dst->xfrm)
-                        return dst_output(skb);
-                err = nf_hook(PF_INET, NF_IP_POST_ROUTING, skb, NULL,
-                              skb->dst->dev, xfrm4_output_finish2);
-                if (unlikely(err != 1))
-                        break;
-        }
-        return err;
-}
 static int xfrm4_output_finish(struct sk_buff *skb)
 {
-        struct sk_buff *segs;
 #ifdef CONFIG_NETFILTER
        if (!skb->dst->xfrm) {
                IPCB(skb)->flags |= IPSKB_REROUTED;
                return dst_output(skb);
        }
-#endif
-        if (!skb_is_gso(skb))
+        IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
-                return xfrm4_output_finish2(skb);
+#endif
        skb->protocol = htons(ETH_P_IP);
-        segs = skb_gso_segment(skb, 0);
+        return xfrm_output(skb);
-        kfree_skb(skb);
-        if (unlikely(IS_ERR(segs)))
-                return PTR_ERR(segs);
-        do {
-                struct sk_buff *nskb = segs->next;
-                int err;
-                segs->next = NULL;
-                err = xfrm4_output_finish2(segs);
-                if (unlikely(err)) {
-                        while ((segs = nskb)) {
-                                nskb = segs->next;
-                                segs->next = NULL;
-                                kfree_skb(segs);
-                        }
-                        return err;
-                }
-                segs = nskb;
-        } while (segs);
-        return 0;
 }
 int xfrm4_output(struct sk_buff *skb)
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 1d7524375b49..b4948c170b3e 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -237,6 +237,7 @@ static struct dst_ops xfrm4_dst_ops = {
        .update_pmtu =          xfrm4_update_pmtu,
        .destroy =              xfrm4_dst_destroy,
        .ifdown =               xfrm4_dst_ifdown,
+        .local_out =            __ip_local_out,
        .gc_thresh =            1024,
        .entry_size =           sizeof(struct xfrm_dst),
 };
diff --git a/net/ipv4/xfrm4_state.c b/net/ipv4/xfrm4_state.c
index 85f04b7b237f..80292fbf221a 100644
--- a/net/ipv4/xfrm4_state.c
+++ b/net/ipv4/xfrm4_state.c
@@ -11,6 +11,7 @@
 #include <net/xfrm.h>
 #include <linux/pfkeyv2.h>
 #include <linux/ipsec.h>
+#include <linux/netfilter_ipv4.h>
 static struct xfrm_state_afinfo xfrm4_state_afinfo;
@@ -66,6 +67,7 @@ static struct xfrm_state_afinfo xfrm4_state_afinfo = {
        .family                 = AF_INET,
        .proto                  = IPPROTO_IPIP,
        .eth_proto              = htons(ETH_P_IP),
+        .nf_post_routing        = NF_IP_POST_ROUTING,
        .owner                  = THIS_MODULE,
        .init_flags             = xfrm4_init_flags,
        .init_tempsel           = __xfrm4_init_tempsel,
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index ac70e2d3b10c..4ef2cfaa3467 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -113,6 +113,7 @@ static struct dst_ops ip6_dst_ops = {
        .negative_advice        =       ip6_negative_advice,
        .link_failure           =       ip6_link_failure,
        .update_pmtu            =       ip6_rt_update_pmtu,
+        .local_out              =       ip6_local_out,
        .entry_size             =       sizeof(struct rt6_info),
 };
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 0f0ff51f6dba..a0a924991c4f 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -66,6 +66,9 @@ int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
                return err;
        memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
+#ifdef CONFIG_NETFILTER
+        IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
+#endif
        skb->protocol = htons(ETH_P_IPV6);
@@ -73,80 +76,14 @@ int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
 }
 EXPORT_SYMBOL(xfrm6_prepare_output);
-static inline int xfrm6_output_one(struct sk_buff *skb)
-{
-        int err;
-        err = xfrm_output(skb);
-        if (err)
-                goto error_nolock;
-        IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
-        err = 0;
-out_exit:
-        return err;
-error_nolock:
-        kfree_skb(skb);
-        goto out_exit;
-}
-static int xfrm6_output_finish2(struct sk_buff *skb)
-{
-        int err;
-        while (likely((err = xfrm6_output_one(skb)) == 0)) {
-                nf_reset(skb);
-                err = __ip6_local_out(skb);
-                if (unlikely(err != 1))
-                        break;
-                if (!skb->dst->xfrm)
-                        return dst_output(skb);
-                err = nf_hook(PF_INET6, NF_IP6_POST_ROUTING, skb, NULL,
-                              skb->dst->dev, xfrm6_output_finish2);
-                if (unlikely(err != 1))
-                        break;
-        }
-        return err;
-}
 static int xfrm6_output_finish(struct sk_buff *skb)
 {
-        struct sk_buff *segs;
+#ifdef CONFIG_NETFILTER
+        IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
-        if (!skb_is_gso(skb))
+#endif
-                return xfrm6_output_finish2(skb);
        skb->protocol = htons(ETH_P_IPV6);
-        segs = skb_gso_segment(skb, 0);
+        return xfrm_output(skb);
-        kfree_skb(skb);
-        if (unlikely(IS_ERR(segs)))
-                return PTR_ERR(segs);
-        do {
-                struct sk_buff *nskb = segs->next;
-                int err;
-                segs->next = NULL;
-                err = xfrm6_output_finish2(segs);
-                if (unlikely(err)) {
-                        while ((segs = nskb)) {
-                                nskb = segs->next;
-                                segs->next = NULL;
-                                kfree_skb(segs);
-                        }
-                        return err;
-                }
-                segs = nskb;
-        } while (segs);
-        return 0;
 }
 int xfrm6_output(struct sk_buff *skb)
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 63932c5fd3c7..a31dd531e191 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -252,6 +252,7 @@ static struct dst_ops xfrm6_dst_ops = {
        .update_pmtu =          xfrm6_update_pmtu,
        .destroy =              xfrm6_dst_destroy,
        .ifdown =               xfrm6_dst_ifdown,
+        .local_out =            __ip6_local_out,
        .gc_thresh =            1024,
        .entry_size =           sizeof(struct xfrm_dst),
 };
diff --git a/net/ipv6/xfrm6_state.c b/net/ipv6/xfrm6_state.c
index 90fef0a4726f..bb09e85a336d 100644
--- a/net/ipv6/xfrm6_state.c
+++ b/net/ipv6/xfrm6_state.c
@@ -14,6 +14,7 @@
 #include <net/xfrm.h>
 #include <linux/pfkeyv2.h>
 #include <linux/ipsec.h>
+#include <linux/netfilter_ipv6.h>
 #include <net/dsfield.h>
 #include <net/ipv6.h>
 #include <net/addrconf.h>
@@ -189,6 +190,7 @@ static struct xfrm_state_afinfo xfrm6_state_afinfo = {
        .family                 = AF_INET6,
        .proto                  = IPPROTO_IPV6,
        .eth_proto              = htons(ETH_P_IPV6),
+        .nf_post_routing        = NF_IP6_POST_ROUTING,
        .owner                  = THIS_MODULE,
        .init_tempsel           = __xfrm6_init_tempsel,
        .tmpl_sort              = __xfrm6_tmpl_sort,
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index b1efdc8850a7..bcb3701c5cf3 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -12,6 +12,7 @@
 #include <linux/errno.h>
 #include <linux/module.h>
 #include <linux/netdevice.h>
+#include <linux/netfilter.h>
 #include <linux/skbuff.h>
 #include <linux/spinlock.h>
 #include <net/dst.h>
@@ -40,7 +41,7 @@ err:
        return err;
 }
-int xfrm_output(struct sk_buff *skb)
+static int xfrm_output_one(struct sk_buff *skb)
 {
        struct dst_entry *dst = skb->dst;
        struct xfrm_state *x = dst->xfrm;
@@ -87,10 +88,73 @@ int xfrm_output(struct sk_buff *skb)
        err = 0;
-error_nolock:
+out_exit:
        return err;
 error:
        spin_unlock_bh(&x->lock);
-        goto error_nolock;
+error_nolock:
+        kfree_skb(skb);
+        goto out_exit;
+}
+static int xfrm_output2(struct sk_buff *skb)
+{
+        int err;
+        while (likely((err = xfrm_output_one(skb)) == 0)) {
+                struct xfrm_state *x;
+                nf_reset(skb);
+                err = skb->dst->ops->local_out(skb);
+                if (unlikely(err != 1))
+                        break;
+                x = skb->dst->xfrm;
+                if (!x)
+                        return dst_output(skb);
+                err = nf_hook(x->inner_mode->afinfo->family,
+                              x->inner_mode->afinfo->nf_post_routing, skb,
+                              NULL, skb->dst->dev, xfrm_output2);
+                if (unlikely(err != 1))
+                        break;
+        }
+        return err;
+}
+int xfrm_output(struct sk_buff *skb)
+{
+        struct sk_buff *segs;
+        if (!skb_is_gso(skb))
+                return xfrm_output2(skb);
+        segs = skb_gso_segment(skb, 0);
+        kfree_skb(skb);
+        if (unlikely(IS_ERR(segs)))
+                return PTR_ERR(segs);
+        do {
+                struct sk_buff *nskb = segs->next;
+                int err;
+                segs->next = NULL;
+                err = xfrm_output2(segs);
+                if (unlikely(err)) {
+                        while ((segs = nskb)) {
+                                nskb = segs->next;
+                                segs->next = NULL;
+                                kfree_skb(segs);
+                        }
+                        return err;
+                }
+                segs = nskb;
+        } while (segs);
+        return 0;
 }
 EXPORT_SYMBOL_GPL(xfrm_output);
author	Herbert Xu <herbert@gondor.apana.org.au>	2007-11-14 00:43:11 -0500
committer	David S. Miller <davem@davemloft.net>	2008-01-28 17:53:48 -0500
commit	862b82c6f960cc61274d370aa78ce1112f92a83e (patch)
tree	51e252e1525dd7d02a695d428890a4c37fae2442
parent	ef76bc23ef2acf20c8f7f841a542d8ab74c827c6 (diff)

diff --git a/include/net/dst.h b/include/net/dst.h index 7a0b1bde8e28..e86b9a008ebf 100644 --- a/include/net/dst.h +++ b/include/net/dst.h
@@ -98,6 +98,7 @@ struct dst_ops
98	struct dst_entry * (negative_advice)(struct dst_entry );	98	struct dst_entry * (negative_advice)(struct dst_entry );
99	void (link_failure)(struct sk_buff );	99	void (link_failure)(struct sk_buff );
100	void (update_pmtu)(struct dst_entry dst, u32 mtu);	100	void (update_pmtu)(struct dst_entry dst, u32 mtu);
		101	int (local_out)(struct sk_buff skb);
101	int entry_size;	102	int entry_size;
102		103
103	atomic_t entries;	104	atomic_t entries;


diff --git a/include/net/xfrm.h b/include/net/xfrm.h index a9dbe091ae58..ab9e747340b4 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h
@@ -259,6 +259,7 @@ struct xfrm_state_afinfo {
259	unsigned int family;	259	unsigned int family;
260	unsigned int proto;	260	unsigned int proto;
261	unsigned int eth_proto;	261	unsigned int eth_proto;
		262	unsigned int nf_post_routing;
262	struct module *owner;	263	struct module *owner;
263	struct xfrm_type *type_map[IPPROTO_MAX];	264	struct xfrm_type *type_map[IPPROTO_MAX];
264	struct xfrm_mode *mode_map[XFRM_MODE_MAX];	265	struct xfrm_mode *mode_map[XFRM_MODE_MAX];


diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 137b8eb666b7..94ef788a2ac6 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c
@@ -166,6 +166,7 @@ static struct dst_ops ipv4_dst_ops = {
166	.negative_advice = ipv4_negative_advice,	166	.negative_advice = ipv4_negative_advice,
167	.link_failure = ipv4_link_failure,	167	.link_failure = ipv4_link_failure,
168	.update_pmtu = ip_rt_update_pmtu,	168	.update_pmtu = ip_rt_update_pmtu,
		169	.local_out = ip_local_out,
169	.entry_size = sizeof(struct rtable),	170	.entry_size = sizeof(struct rtable),
170	};	171	};
171		172


diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c index 0ffc3d078489..2fb4efa3ff2c 100644 --- a/net/ipv4/xfrm4_output.c +++ b/net/ipv4/xfrm4_output.c
@@ -59,7 +59,7 @@ int xfrm4_prepare_output(struct xfrm_state x, struct sk_buff skb)
59	return err;	59	return err;
60		60
61	memset(IPCB(skb), 0, sizeof(*IPCB(skb)));	61	memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
62	IPCB(skb)->flags \|= IPSKB_XFRM_TUNNEL_SIZE;	62	IPCB(skb)->flags \|= IPSKB_XFRM_TUNNEL_SIZE \| IPSKB_XFRM_TRANSFORMED;
63		63
64	skb->protocol = htons(ETH_P_IP);	64	skb->protocol = htons(ETH_P_IP);
65		65
@@ -67,87 +67,19 @@ int xfrm4_prepare_output(struct xfrm_state x, struct sk_buff skb)
67	}	67	}
68	EXPORT_SYMBOL(xfrm4_prepare_output);	68	EXPORT_SYMBOL(xfrm4_prepare_output);
69		69
70	static inline int xfrm4_output_one(struct sk_buff *skb)
71	{
72	int err;
73
74	err = xfrm_output(skb);
75	if (err)
76	goto error_nolock;
77
78	IPCB(skb)->flags \|= IPSKB_XFRM_TRANSFORMED;
79	err = 0;
80
81	out_exit:
82	return err;
83	error_nolock:
84	kfree_skb(skb);
85	goto out_exit;
86	}
87
88	static int xfrm4_output_finish2(struct sk_buff *skb)
89	{
90	int err;
91
92	while (likely((err = xfrm4_output_one(skb)) == 0)) {
93	nf_reset(skb);
94
95	err = __ip_local_out(skb);
96	if (unlikely(err != 1))
97	break;
98
99	if (!skb->dst->xfrm)
100	return dst_output(skb);
101
102	err = nf_hook(PF_INET, NF_IP_POST_ROUTING, skb, NULL,
103	skb->dst->dev, xfrm4_output_finish2);
104	if (unlikely(err != 1))
105	break;
106	}
107
108	return err;
109	}
110
111	static int xfrm4_output_finish(struct sk_buff *skb)	70	static int xfrm4_output_finish(struct sk_buff *skb)
112	{	71	{
113	struct sk_buff *segs;
114
115	#ifdef CONFIG_NETFILTER	72	#ifdef CONFIG_NETFILTER
116	if (!skb->dst->xfrm) {	73	if (!skb->dst->xfrm) {
117	IPCB(skb)->flags \|= IPSKB_REROUTED;	74	IPCB(skb)->flags \|= IPSKB_REROUTED;
118	return dst_output(skb);	75	return dst_output(skb);
119	}	76	}
120	#endif
121		77
122	if (!skb_is_gso(skb))	78	IPCB(skb)->flags \|= IPSKB_XFRM_TRANSFORMED;
123	return xfrm4_output_finish2(skb);	79	#endif
124		80
125	skb->protocol = htons(ETH_P_IP);	81	skb->protocol = htons(ETH_P_IP);
126	segs = skb_gso_segment(skb, 0);	82	return xfrm_output(skb);
127	kfree_skb(skb);
128	if (unlikely(IS_ERR(segs)))
129	return PTR_ERR(segs);
130
131	do {
132	struct sk_buff *nskb = segs->next;
133	int err;
134
135	segs->next = NULL;
136	err = xfrm4_output_finish2(segs);
137
138	if (unlikely(err)) {
139	while ((segs = nskb)) {
140	nskb = segs->next;
141	segs->next = NULL;
142	kfree_skb(segs);
143	}
144	return err;
145	}
146
147	segs = nskb;
148	} while (segs);
149
150	return 0;
151	}	83	}
152		84
153	int xfrm4_output(struct sk_buff *skb)	85	int xfrm4_output(struct sk_buff *skb)


diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index 1d7524375b49..b4948c170b3e 100644 --- a/net/ipv4/xfrm4_policy.c +++ b/net/ipv4/xfrm4_policy.c
@@ -237,6 +237,7 @@ static struct dst_ops xfrm4_dst_ops = {
237	.update_pmtu = xfrm4_update_pmtu,	237	.update_pmtu = xfrm4_update_pmtu,
238	.destroy = xfrm4_dst_destroy,	238	.destroy = xfrm4_dst_destroy,
239	.ifdown = xfrm4_dst_ifdown,	239	.ifdown = xfrm4_dst_ifdown,
		240	.local_out = __ip_local_out,
240	.gc_thresh = 1024,	241	.gc_thresh = 1024,
241	.entry_size = sizeof(struct xfrm_dst),	242	.entry_size = sizeof(struct xfrm_dst),
242	};	243	};


diff --git a/net/ipv4/xfrm4_state.c b/net/ipv4/xfrm4_state.c index 85f04b7b237f..80292fbf221a 100644 --- a/net/ipv4/xfrm4_state.c +++ b/net/ipv4/xfrm4_state.c
@@ -11,6 +11,7 @@
11	#include <net/xfrm.h>	11	#include <net/xfrm.h>
12	#include <linux/pfkeyv2.h>	12	#include <linux/pfkeyv2.h>
13	#include <linux/ipsec.h>	13	#include <linux/ipsec.h>
		14	#include <linux/netfilter_ipv4.h>
14		15
15	static struct xfrm_state_afinfo xfrm4_state_afinfo;	16	static struct xfrm_state_afinfo xfrm4_state_afinfo;
16		17
@@ -66,6 +67,7 @@ static struct xfrm_state_afinfo xfrm4_state_afinfo = {
66	.family = AF_INET,	67	.family = AF_INET,
67	.proto = IPPROTO_IPIP,	68	.proto = IPPROTO_IPIP,
68	.eth_proto = htons(ETH_P_IP),	69	.eth_proto = htons(ETH_P_IP),
		70	.nf_post_routing = NF_IP_POST_ROUTING,
69	.owner = THIS_MODULE,	71	.owner = THIS_MODULE,
70	.init_flags = xfrm4_init_flags,	72	.init_flags = xfrm4_init_flags,
71	.init_tempsel = __xfrm4_init_tempsel,	73	.init_tempsel = __xfrm4_init_tempsel,


diff --git a/net/ipv6/route.c b/net/ipv6/route.c index ac70e2d3b10c..4ef2cfaa3467 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c
@@ -113,6 +113,7 @@ static struct dst_ops ip6_dst_ops = {
113	.negative_advice = ip6_negative_advice,	113	.negative_advice = ip6_negative_advice,
114	.link_failure = ip6_link_failure,	114	.link_failure = ip6_link_failure,
115	.update_pmtu = ip6_rt_update_pmtu,	115	.update_pmtu = ip6_rt_update_pmtu,
		116	.local_out = ip6_local_out,
116	.entry_size = sizeof(struct rt6_info),	117	.entry_size = sizeof(struct rt6_info),
117	};	118	};
118		119


diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c index 0f0ff51f6dba..a0a924991c4f 100644 --- a/net/ipv6/xfrm6_output.c +++ b/net/ipv6/xfrm6_output.c
@@ -66,6 +66,9 @@ int xfrm6_prepare_output(struct xfrm_state x, struct sk_buff skb)
66	return err;	66	return err;
67		67
68	memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));	68	memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
		69	#ifdef CONFIG_NETFILTER
		70	IP6CB(skb)->flags \|= IP6SKB_XFRM_TRANSFORMED;
		71	#endif
69		72
70	skb->protocol = htons(ETH_P_IPV6);	73	skb->protocol = htons(ETH_P_IPV6);
71		74
@@ -73,80 +76,14 @@ int xfrm6_prepare_output(struct xfrm_state x, struct sk_buff skb)
73	}	76	}
74	EXPORT_SYMBOL(xfrm6_prepare_output);	77	EXPORT_SYMBOL(xfrm6_prepare_output);
75		78
76	static inline int xfrm6_output_one(struct sk_buff *skb)
77	{
78	int err;
79
80	err = xfrm_output(skb);
81	if (err)
82	goto error_nolock;
83
84	IP6CB(skb)->flags \|= IP6SKB_XFRM_TRANSFORMED;
85	err = 0;
86
87	out_exit:
88	return err;
89	error_nolock:
90	kfree_skb(skb);
91	goto out_exit;
92	}
93
94	static int xfrm6_output_finish2(struct sk_buff *skb)
95	{
96	int err;
97
98	while (likely((err = xfrm6_output_one(skb)) == 0)) {
99	nf_reset(skb);
100
101	err = __ip6_local_out(skb);
102	if (unlikely(err != 1))
103	break;
104
105	if (!skb->dst->xfrm)
106	return dst_output(skb);
107
108	err = nf_hook(PF_INET6, NF_IP6_POST_ROUTING, skb, NULL,
109	skb->dst->dev, xfrm6_output_finish2);
110	if (unlikely(err != 1))
111	break;
112	}
113
114	return err;
115	}
116
117	static int xfrm6_output_finish(struct sk_buff *skb)	79	static int xfrm6_output_finish(struct sk_buff *skb)
118	{	80	{
119	struct sk_buff *segs;	81	#ifdef CONFIG_NETFILTER
120		82	IP6CB(skb)->flags \|= IP6SKB_XFRM_TRANSFORMED;
121	if (!skb_is_gso(skb))	83	#endif
122	return xfrm6_output_finish2(skb);
123		84
124	skb->protocol = htons(ETH_P_IPV6);	85	skb->protocol = htons(ETH_P_IPV6);
125	segs = skb_gso_segment(skb, 0);	86	return xfrm_output(skb);
126	kfree_skb(skb);
127	if (unlikely(IS_ERR(segs)))
128	return PTR_ERR(segs);
129
130	do {
131	struct sk_buff *nskb = segs->next;
132	int err;
133
134	segs->next = NULL;
135	err = xfrm6_output_finish2(segs);
136
137	if (unlikely(err)) {
138	while ((segs = nskb)) {
139	nskb = segs->next;
140	segs->next = NULL;
141	kfree_skb(segs);
142	}
143	return err;
144	}
145
146	segs = nskb;
147	} while (segs);
148
149	return 0;
150	}	87	}
151		88
152	int xfrm6_output(struct sk_buff *skb)	89	int xfrm6_output(struct sk_buff *skb)


diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index 63932c5fd3c7..a31dd531e191 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c
@@ -252,6 +252,7 @@ static struct dst_ops xfrm6_dst_ops = {
252	.update_pmtu = xfrm6_update_pmtu,	252	.update_pmtu = xfrm6_update_pmtu,
253	.destroy = xfrm6_dst_destroy,	253	.destroy = xfrm6_dst_destroy,
254	.ifdown = xfrm6_dst_ifdown,	254	.ifdown = xfrm6_dst_ifdown,
		255	.local_out = __ip6_local_out,
255	.gc_thresh = 1024,	256	.gc_thresh = 1024,
256	.entry_size = sizeof(struct xfrm_dst),	257	.entry_size = sizeof(struct xfrm_dst),
257	};	258	};


diff --git a/net/ipv6/xfrm6_state.c b/net/ipv6/xfrm6_state.c index 90fef0a4726f..bb09e85a336d 100644 --- a/net/ipv6/xfrm6_state.c +++ b/net/ipv6/xfrm6_state.c
@@ -14,6 +14,7 @@
14	#include <net/xfrm.h>	14	#include <net/xfrm.h>
15	#include <linux/pfkeyv2.h>	15	#include <linux/pfkeyv2.h>
16	#include <linux/ipsec.h>	16	#include <linux/ipsec.h>
		17	#include <linux/netfilter_ipv6.h>
17	#include <net/dsfield.h>	18	#include <net/dsfield.h>
18	#include <net/ipv6.h>	19	#include <net/ipv6.h>
19	#include <net/addrconf.h>	20	#include <net/addrconf.h>
@@ -189,6 +190,7 @@ static struct xfrm_state_afinfo xfrm6_state_afinfo = {
189	.family = AF_INET6,	190	.family = AF_INET6,
190	.proto = IPPROTO_IPV6,	191	.proto = IPPROTO_IPV6,
191	.eth_proto = htons(ETH_P_IPV6),	192	.eth_proto = htons(ETH_P_IPV6),
		193	.nf_post_routing = NF_IP6_POST_ROUTING,
192	.owner = THIS_MODULE,	194	.owner = THIS_MODULE,
193	.init_tempsel = __xfrm6_init_tempsel,	195	.init_tempsel = __xfrm6_init_tempsel,
194	.tmpl_sort = __xfrm6_tmpl_sort,	196	.tmpl_sort = __xfrm6_tmpl_sort,


diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index b1efdc8850a7..bcb3701c5cf3 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c
@@ -12,6 +12,7 @@
12	#include <linux/errno.h>	12	#include <linux/errno.h>
13	#include <linux/module.h>	13	#include <linux/module.h>
14	#include <linux/netdevice.h>	14	#include <linux/netdevice.h>
		15	#include <linux/netfilter.h>
15	#include <linux/skbuff.h>	16	#include <linux/skbuff.h>
16	#include <linux/spinlock.h>	17	#include <linux/spinlock.h>
17	#include <net/dst.h>	18	#include <net/dst.h>
@@ -40,7 +41,7 @@ err:
40	return err;	41	return err;
41	}	42	}
42		43
43	int xfrm_output(struct sk_buff *skb)	44	static int xfrm_output_one(struct sk_buff *skb)
44	{	45	{
45	struct dst_entry *dst = skb->dst;	46	struct dst_entry *dst = skb->dst;
46	struct xfrm_state *x = dst->xfrm;	47	struct xfrm_state *x = dst->xfrm;
@@ -87,10 +88,73 @@ int xfrm_output(struct sk_buff *skb)
87		88
88	err = 0;	89	err = 0;
89		90
90	error_nolock:	91	out_exit:
91	return err;	92	return err;
92	error:	93	error:
93	spin_unlock_bh(&x->lock);	94	spin_unlock_bh(&x->lock);
94	goto error_nolock;	95	error_nolock:
		96	kfree_skb(skb);
		97	goto out_exit;
		98	}
		99
		100	static int xfrm_output2(struct sk_buff *skb)
		101	{
		102	int err;
		103
		104	while (likely((err = xfrm_output_one(skb)) == 0)) {
		105	struct xfrm_state *x;
		106
		107	nf_reset(skb);
		108
		109	err = skb->dst->ops->local_out(skb);
		110	if (unlikely(err != 1))
		111	break;
		112
		113	x = skb->dst->xfrm;
		114	if (!x)
		115	return dst_output(skb);
		116
		117	err = nf_hook(x->inner_mode->afinfo->family,
		118	x->inner_mode->afinfo->nf_post_routing, skb,
		119	NULL, skb->dst->dev, xfrm_output2);
		120	if (unlikely(err != 1))
		121	break;
		122	}
		123
		124	return err;
		125	}
		126
		127	int xfrm_output(struct sk_buff *skb)
		128	{
		129	struct sk_buff *segs;
		130
		131	if (!skb_is_gso(skb))
		132	return xfrm_output2(skb);
		133
		134	segs = skb_gso_segment(skb, 0);
		135	kfree_skb(skb);
		136	if (unlikely(IS_ERR(segs)))
		137	return PTR_ERR(segs);
		138
		139	do {
		140	struct sk_buff *nskb = segs->next;
		141	int err;
		142
		143	segs->next = NULL;
		144	err = xfrm_output2(segs);
		145
		146	if (unlikely(err)) {
		147	while ((segs = nskb)) {
		148	nskb = segs->next;
		149	segs->next = NULL;
		150	kfree_skb(segs);
		151	}
		152	return err;
		153	}
		154
		155	segs = nskb;
		156	} while (segs);
		157
		158	return 0;
95	}	159	}
96	EXPORT_SYMBOL_GPL(xfrm_output);	160	EXPORT_SYMBOL_GPL(xfrm_output);