summaryrefslogtreecommitdiffstats
path: root/net/core
diff options
context:
space:
mode:
authorSteffen Klassert <steffen.klassert@secunet.com>2017-04-14 10:07:28 +0200
committerSteffen Klassert <steffen.klassert@secunet.com>2017-04-14 10:07:28 +0200
commitf6e27114a60a0afdec40db1bf7f6da37b565745a (patch)
tree2465286baa3d77a51e27c2249db8d14f402b540f /net/core
parentesp: Use a synchronous crypto algorithm on offloading. (diff)
downloadlinux-f6e27114a60a0afdec40db1bf7f6da37b565745a.tar.xz
linux-f6e27114a60a0afdec40db1bf7f6da37b565745a.zip
net: Add a xfrm validate function to validate_xmit_skb
When we do IPsec offloading, we need a fallback for packets that were targeted to be IPsec offloaded but rerouted to a device that does not support IPsec offload. For that we add a function that checks the offloading features of the sending device and and flags the requirement of a fallback before it calls the IPsec output function. The IPsec output function adds the IPsec trailer and does encryption if needed. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/core')
-rw-r--r--net/core/dev.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/core/dev.c b/net/core/dev.c
index ef9fe60ee294..5f0a864623e8 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2972,6 +2972,9 @@ static struct sk_buff *validate_xmit_skb(struct sk_buff *skb, struct net_device
__skb_linearize(skb))
goto out_kfree_skb;
+ if (validate_xmit_xfrm(skb, features))
+ goto out_kfree_skb;
+
/* If packet is not checksummed and device does not
* support checksumming for this protocol, complete
* checksumming here.