UPSTREAM: xfrm: Add virtual xfrm interfaces

This patch adds support for virtual xfrm interfaces.
Packets that are routed through such an interface
are guaranteed to be IPsec transformed or dropped.
It is a generic virtual interface that ensures IPsec
transformation, no need to know what happens behind
the interface. This means that we can tunnel IPv4 and
IPv6 through the same interface and support all xfrm
modes (tunnel, transport and beet) on it.

Co-developed-by: Lorenzo Colitti <lorenzo@google.com>
Co-developed-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Shannon Nelson <shannon.nelson@oracle.com>
Tested-by: Benedict Wong <benedictwong@google.com>
Tested-by: Antony Antony <antony@phenome.org>
Reviewed-by: Eyal Birger <eyal.birger@gmail.com>
(cherry picked from commit f203b76d78092faf248db3f851840fbecf80b40e)
Bug: 113046120
Change-Id: I05e8fe1e8a8a4b01886504ce694ddda29e4fbec6

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 2112db61dc0d5a035986614c60bf670905c7ef52..2c4b3a4c9363cef398bc6d455d346aa6ad62dde8 100644 (file)
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2284,6 +2284,8 @@ int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
                          unsigned int family, int reverse)
 {
        const struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
+       const struct xfrm_if_cb *ifcb = xfrm_if_get_cb();
+       struct xfrm_if *xi;
        int err;
 
        if (unlikely(afinfo == NULL))