diff options
author | Patrick McHardy <kaber@trash.net> | 2006-01-06 23:01:48 -0800 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-01-07 12:57:28 -0800 |
commit | 16a6677fdf1d1194f688f8291b06fbaff248c353 (patch) | |
tree | 61badedc44ed88eb8f39e082d1abf114252cc686 /include/net/dst.h | |
parent | ee2e6841b934d76cb944a3390bbea84da777d4fa (diff) | |
download | linux-16a6677fdf1d1194f688f8291b06fbaff248c353.tar.gz linux-16a6677fdf1d1194f688f8291b06fbaff248c353.tar.bz2 linux-16a6677fdf1d1194f688f8291b06fbaff248c353.zip |
[XFRM]: Netfilter IPsec output hooks
Call netfilter hooks before IPsec transforms. Packets visit the
FORWARD/LOCAL_OUT and POST_ROUTING hook before the first encapsulation
and the LOCAL_OUT and POST_ROUTING hook before each following tunnel mode
transform.
Patch from Herbert Xu <herbert@gondor.apana.org.au>:
Move the loop from dst_output into xfrm4_output/xfrm6_output since they're
the only ones who need to it. xfrm{4,6}_output_one() processes the first SA
all subsequent transport mode SAs and is called in a loop that calls the
netfilter hooks between each two calls.
In order to avoid the tail call issue, I've added the inline function
nf_hook which is nf_hook_slow plus the empty list check.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net/dst.h')
-rw-r--r-- | include/net/dst.h | 11 |
1 files changed, 1 insertions, 10 deletions
diff --git a/include/net/dst.h b/include/net/dst.h index bee8b84d329d..5161e89017f9 100644 --- a/include/net/dst.h +++ b/include/net/dst.h @@ -225,16 +225,7 @@ static inline void dst_set_expires(struct dst_entry *dst, int timeout) /* Output packet to network from transport. */ static inline int dst_output(struct sk_buff *skb) { - int err; - - for (;;) { - err = skb->dst->output(skb); - - if (likely(err == 0)) - return err; - if (unlikely(err != NET_XMIT_BYPASS)) - return err; - } + return skb->dst->output(skb); } /* Input packet from network to transport. */ |