• Herbert Xu's avatar
    [IPSEC]: Move encap check back down to esp4.c · 3ded0baf
    Herbert Xu authored
    In a previous, I moved the encap_type checks in esp4.c from the packet
    processing path to xfrm_user/af_key.  This isn't ideal since those encap
    types only make sense for esp4.
    
    The following patch moves it back into esp4.c.  The difference is
    that it's now done in init_state so that it's only done once rather
    than per-packet.
    
    I've also added encap_type checks for every transform.  This means
    that people attaching encap objects to AH/IPCOMP/IPIP will now get
    errors.  That should be fine as no major KM does this.
    
    Please note that the error returned is now EINVAL instead of
    ENOPROTOOPT.  This shouldn't break anything since KMs only test
    the errno from setsockopt() for NAT-T support rather than add_sa
    where it would be too late anyway.
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: default avatarDavid S. Miller <davem@redhat.com>
    3ded0baf
ipcomp.c 8.36 KB