• Patrick McHardy's avatar
    [XFRM]: Netfilter IPsec output hooks · 16a6677f
    Patrick McHardy authored
    
    
    Call netfilter hooks before IPsec transforms. Packets visit the
    FORWARD/LOCAL_OUT and POST_ROUTING hook before the first encapsulation
    and the LOCAL_OUT and POST_ROUTING hook before each following tunnel mode
    transform.
    
    Patch from Herbert Xu <herbert@gondor.apana.org.au>:
    
    Move the loop from dst_output into xfrm4_output/xfrm6_output since they're
    the only ones who need to it. xfrm{4,6}_output_one() processes the first SA
    all subsequent transport mode SAs and is called in a loop that calls the
    netfilter hooks between each two calls.
    
    In order to avoid the tail call issue, I've added the inline function
    nf_hook which is nf_hook_slow plus the empty list check.
    Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    16a6677f
netfilter.h 8.2 KB