Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next

Here documents known IPsec corner cases which need to be keep in mind when

deploy various IPsec configuration in real world production environment.

1. IPcomp: Small IP packet won't get compressed at sender, and failed on

	   policy check on receiver.

Quote from RFC3173:

2.2. Non-Expansion Policy

   If the total size of a compressed payload and the IPComp header, as

   defined in section 3, is not smaller than the size of the original

   payload, the IP datagram MUST be sent in the original non-compressed

   form.  To clarify: If an IP datagram is sent non-compressed, no

   IPComp header is added to the datagram.  This policy ensures saving

   the decompression processing cycles and avoiding incurring IP

   datagram fragmentation when the expanded datagram is larger than the

   MTU.

   Small IP datagrams are likely to expand as a result of compression.

   Therefore, a numeric threshold should be applied before compression,

   where IP datagrams of size smaller than the threshold are sent in the

   original form without attempting compression.  The numeric threshold

   is implementation dependent.

Current IPComp implementation is indeed by the book, while as in practice

when sending non-compressed packet to the peer(whether or not packet len

is smaller than the threshold or the compressed len is large than original

packet len), the packet is dropped when checking the policy as this packet

matches the selector but not coming from any XFRM layer, i.e., with no

security path. Such naked packet will not eventually make it to upper layer.

The result is much more wired to the user when ping peer with different

payload length.

One workaround is try to set "level use" for each policy if user observed

above scenario. The consequence of doing so is small packet(uncompressed)

will skip policy checking on receiver side.

	__u8	flowic_proto;

	__u8	flowic_flags;

#define FLOWI_FLAG_ANYSRC		0x01

#define FLOWI_FLAG_CAN_SLEEP		0x02

#define FLOWI_FLAG_KNOWN_NH		0x04

#define FLOWI_FLAG_KNOWN_NH		0x02

	__u32	flowic_secid;

};

int ip6_dst_lookup(struct sock *sk, struct dst_entry **dst, struct flowi6 *fl6);

struct dst_entry *ip6_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,

				      const struct in6_addr *final_dst,

				      bool can_sleep);

				      const struct in6_addr *final_dst);

struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,

					 const struct in6_addr *final_dst,

					 bool can_sleep);

					 const struct in6_addr *final_dst);

struct dst_entry *ip6_blackhole_route(struct net *net,

				      struct dst_entry *orig_dst);

	struct hlist_head	state_gc_list;

	struct work_struct	state_gc_work;

	wait_queue_head_t	km_waitq;

	struct list_head	policy_all;

	struct hlist_head	*policy_byidx;

	unsigned int		policy_idx_hmask;

#if IS_ENABLED(CONFIG_IPV6)

	struct dst_ops		xfrm6_dst_ops;

#endif

	spinlock_t xfrm_state_lock;

	spinlock_t xfrm_policy_sk_bundle_lock;

	rwlock_t xfrm_policy_lock;

	struct mutex xfrm_cfg_mutex;

};

#endif

static inline void ip_route_connect_init(struct flowi4 *fl4, __be32 dst, __be32 src,

					 u32 tos, int oif, u8 protocol,

					 __be16 sport, __be16 dport,

					 struct sock *sk, bool can_sleep)

					 struct sock *sk)

{

	__u8 flow_flags = 0;

	if (inet_sk(sk)->transparent)

		flow_flags |= FLOWI_FLAG_ANYSRC;

	if (can_sleep)

		flow_flags |= FLOWI_FLAG_CAN_SLEEP;

	flowi4_init_output(fl4, oif, sk->sk_mark, tos, RT_SCOPE_UNIVERSE,

			   protocol, flow_flags, dst, src, dport, sport);

					      __be32 dst, __be32 src, u32 tos,

					      int oif, u8 protocol,

					      __be16 sport, __be16 dport,

					      struct sock *sk, bool can_sleep)

					      struct sock *sk)

{

	struct net *net = sock_net(sk);

	struct rtable *rt;

	ip_route_connect_init(fl4, dst, src, tos, oif, protocol,

			      sport, dport, sk, can_sleep);

			      sport, dport, sk);

	if (!dst || !src) {

		rt = __ip_route_output_key(net, fl4);