[IPSEC]: Implement DSCP decapsulation

This patch adds DSCP decapsulation for IPsec.  This is enabled by
a per-state flag which is off by default.  Leaving it off by default
maintains compatibility and is also good for performance reasons.

I decided to not implement a toggle on the output path since not
encapsulating the DSCP can and should be done by netfilter.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

3 files changed, 8 insertions, 0 deletions

diff --git a/include/linux/pfkeyv2.h b/include/linux/pfkeyv2.h
index a48a3ecc7c21..e6b519220245 100644
--- a/include/linux/pfkeyv2.h
+++ b/include/linux/pfkeyv2.h
@@ -245,6 +245,7 @@ struct sadb_x_nat_t_port {
 
 /* Security Association flags */
 #define SADB_SAFLAGS_PFS	1
+#define SADB_SAFLAGS_DECAP_DSCP	0x40000000
 #define SADB_SAFLAGS_NOECN	0x80000000
 
 /* Security Association states */
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index 2e22a996f623..f0df02ae68a4 100644
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -190,6 +190,7 @@ struct xfrm_usersa_info {
 	__u8				replay_window;
 	__u8				flags;
 #define XFRM_STATE_NOECN	1
+#define XFRM_STATE_DECAP_DSCP	2
 };
 
 struct xfrm_usersa_id {
diff --git a/include/net/inet_ecn.h b/include/net/inet_ecn.h
index 0bde1b6d5ced..6e2ee16546ec 100644
--- a/include/net/inet_ecn.h
+++ b/include/net/inet_ecn.h
@@ -78,6 +78,12 @@ static inline void IP_ECN_clear(struct iphdr *iph)
 	iph->tos &= ~INET_ECN_MASK;
 }
 
+static inline void ipv4_copy_dscp(struct iphdr *outer, struct iphdr *inner)
+{
+	u32 dscp = ipv4_get_dsfield(outer) & ~INET_ECN_MASK;
+	ipv4_change_dsfield(inner, INET_ECN_MASK, dscp);
+}
+
 struct ipv6hdr;
 
 static inline void IP6_ECN_set_ce(struct ipv6hdr *iph)