xfrm: Add a state resolution packet queue

As the default, we blackhole packets until the key manager resolves
the states. This patch implements a packet queue where IPsec packets
are queued until the states are resolved. We generate a dummy xfrm
bundle, the output routine of the returned route enqueues the packet
to a per policy queue and arms a timer that checks for state resolution
when dst_output() is called. Once the states are resolved, the packets
are sent out of the queue. If the states are not resolved after some
time, the queue is flushed.

This patch keeps the defaut behaviour to blackhole packets as long
as we have no states. To enable the packet queue the sysctl
xfrm_larval_drop must be switched off.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

1 files changed, 7 insertions, 0 deletions

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 814a1baa175c..30f3e5b362ee 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -501,6 +501,12 @@ struct xfrm_policy_walk {
         u32 seq;
 };
 
+struct xfrm_policy_queue {
+        struct sk_buff_head     hold_queue;
+        struct timer_list       hold_timer;
+        unsigned long           timeout;
+};
+
 struct xfrm_policy {
 #ifdef CONFIG_NET_NS
         struct net              *xp_net;
@@ -522,6 +528,7 @@ struct xfrm_policy {
         struct xfrm_lifetime_cfg lft;
         struct xfrm_lifetime_cur curlft;
         struct xfrm_policy_walk_entry walk;
+        struct xfrm_policy_queue polq;
         u8                      type;
         u8                      action;
         u8                      flags;