[IPSEC]: Check encap_type at config time.

The following patch moves the udp->encap_type check from the per-packet
hot-path into udp_setsockopt().

As a consequence, this allows user space to detect whether the kernel
actually supports the encap type that they're requesting.  Pity no one
did this before the NON-IKE patch was applied.  As it is there is no
easy way to detect whether NON-IKE support is present.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@redhat.com>

net/ipv4/udp.c

@@ -964,6 +964,7 @@ static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
 	len = skb->tail - udpdata;
 
 	switch (encap_type) {
+	default:
 	case UDP_ENCAP_ESPINUDP:
 		/* Check if this is a keepalive packet.  If so, eat it. */
 		if (len == 1 && udpdata[0] == 0xff) {
@@ -1016,12 +1017,6 @@ static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
 		} else
 			/* Must be an IKE packet.. pass it through */
 			return 1;
-
-	default:
-		if (net_ratelimit())
-			printk(KERN_INFO "udp_encap_rcv(): Unhandled UDP encap type: %u\n",
-			       encap_type);
-		return 1;
 	}
 #endif
 }
@@ -1297,7 +1292,16 @@ static int udp_setsockopt(struct sock *sk, int level, int optname,
 		break;
 		
 	case UDP_ENCAP:
-		up->encap_type = val;
+		switch (val) {
+		case 0:
+		case UDP_ENCAP_ESPINUDP:
+		case UDP_ENCAP_ESPINUDP_NON_IKE:
+			up->encap_type = val;
+			break;
+		default:
+			err = -ENOPROTOOPT;
+			break;
+		}
 		break;
 
 	default:

net/ipv6/udp.c

@@ -1044,7 +1044,14 @@ static int udpv6_setsockopt(struct sock *sk, int level, int optname,
 		break;
 		
 	case UDP_ENCAP:
-		up->encap_type = val;
+		switch (val) {
+		case 0:
+			up->encap_type = val;
+			break;
+		default:
+			err = -ENOPROTOOPT;
+			break;
+		}
 		break;
 
 	default: