Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next

Steffen Klassert says:

====================
1) Remove a duplicated call to skb_orphan() in pf_key, from Cong Wang.

2) Prepare xfrm and pf_key for algorithms without pf_key support,
   from Jussi Kivilinna.

3) Fix an unbalanced lock in xfrm_output_one(), from Li RongQing.

4) Add an IPsec state resolution packet queue to handle
   packets that are send before the states are resolved.

5) xfrm4_policy_fini() is unused since 2.6.11, time to remove it.
   From Michal Kubecek.

6) The xfrm gc threshold was configurable just in the initial
   namespace, make it configurable in all namespaces. From
   Michal Kubecek.

7) We currently can not insert policies with mark and mask
   such that some flows would be matched from both policies.
   Allow this if the priorities of these policies are different,
   the one with the higher priority is used in this case.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

4 files changed, 13 insertions, 2 deletions

diff --git a/include/net/dst.h b/include/net/dst.h
index 9a7881066fb3..3da47e0a4a1f 100644
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -61,6 +61,7 @@ struct dst_entry {
 #define DST_NOPEER              0x0040
 #define DST_FAKE_RTABLE         0x0080
 #define DST_XFRM_TUNNEL         0x0100
+#define DST_XFRM_QUEUE          0x0200
 
         unsigned short          pending_confirm;
 
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 9b78862014a4..2ba9de89e8ec 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -22,6 +22,7 @@ struct netns_ipv4 {
         struct ctl_table_header *frags_hdr;
         struct ctl_table_header *ipv4_hdr;
         struct ctl_table_header *route_hdr;
+        struct ctl_table_header *xfrm4_hdr;
 #endif
         struct ipv4_devconf     *devconf_all;
         struct ipv4_devconf     *devconf_dflt;
diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
index 214cb0a53359..1242f371718b 100644
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -16,6 +16,7 @@ struct netns_sysctl_ipv6 {
         struct ctl_table_header *route_hdr;
         struct ctl_table_header *icmp_hdr;
         struct ctl_table_header *frags_hdr;
+        struct ctl_table_header *xfrm6_hdr;
 #endif
         int bindv6only;
         int flush_delay;
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index de34883e8b16..24c8886fd969 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -501,6 +501,12 @@ struct xfrm_policy_walk {
         u32 seq;
 };
 
+struct xfrm_policy_queue {
+        struct sk_buff_head     hold_queue;
+        struct timer_list       hold_timer;
+        unsigned long           timeout;
+};
+
 struct xfrm_policy {
 #ifdef CONFIG_NET_NS
         struct net              *xp_net;
@@ -522,6 +528,7 @@ struct xfrm_policy {
         struct xfrm_lifetime_cfg lft;
         struct xfrm_lifetime_cur curlft;
         struct xfrm_policy_walk_entry walk;
+        struct xfrm_policy_queue polq;
         u8                      type;
         u8                      action;
         u8                      flags;
@@ -1320,6 +1327,7 @@ struct xfrm_algo_desc {
         char *name;
         char *compat;
         u8 available:1;
+        u8 pfkey_supported:1;
         union {
                 struct xfrm_algo_aead_info aead;
                 struct xfrm_algo_auth_info auth;
@@ -1561,8 +1569,8 @@ extern void xfrm_input_init(void);
 extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
 
 extern void xfrm_probe_algs(void);
-extern int xfrm_count_auth_supported(void);
-extern int xfrm_count_enc_supported(void);
+extern int xfrm_count_pfkey_auth_supported(void);
+extern int xfrm_count_pfkey_enc_supported(void);
 extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
 extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
 extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);