[MLSXFRM]: Add flow labeling

This labels the flows that could utilize IPSec xfrms at the points the
flows are defined so that IPSec policy and SAs at the right label can
be used.

The following protos are currently not handled, but they should
continue to be able to use single-labeled IPSec like they currently
do.

ipmr
ip_gre
ipip
igmp
sit
sctp
ip6_tunnel (IPv6 over IPv6 tunnel device)
decnet

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 2 insertions, 0 deletions

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index a2ede167e045..308bdeac3455 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -328,6 +328,7 @@ int ip_queue_xmit(struct sk_buff *skb, int ipfragok)
                          * keep trying until route appears or the connection times
                          * itself out.
                          */
+                        security_sk_classify_flow(sk, &fl);
                         if (ip_route_output_flow(&rt, &fl, sk, 0))
                                 goto no_route;
                 }
@@ -1366,6 +1367,7 @@ void ip_send_reply(struct sock *sk, struct sk_buff *skb, struct ip_reply_arg *ar
                                                { .sport = skb->h.th->dest,
                                                  .dport = skb->h.th->source } },
                                     .proto = sk->sk_protocol };
+                security_skb_classify_flow(skb, &fl);
                 if (ip_route_output_key(&rt, &fl))
                         return;
         }