diff -urN linux-2.6.18.1/include/linux/in.h linux-2.6.18.1.beet/include/linux/in.h--- linux-2.6.18.1/include/linux/in.h	2006-10-14 06:34:03.000000000 +0300+++ linux-2.6.18.1.beet/include/linux/in.h	2006-10-21 14:59:54.000000000 +0300@@ -40,6 +40,7 @@    IPPROTO_ESP = 50,            /* Encapsulation Security Payload protocol */   IPPROTO_AH = 51,             /* Authentication Header protocol       */+  IPPROTO_BEETPH = 94,		/* IP option pseudo header for BEET */   IPPROTO_PIM    = 103,		/* Protocol Independent Multicast	*/    IPPROTO_COMP   = 108,                /* Compression Header protocol */diff -urN linux-2.6.18.1/include/linux/ip.h linux-2.6.18.1.beet/include/linux/ip.h--- linux-2.6.18.1/include/linux/ip.h	2006-10-14 06:34:03.000000000 +0300+++ linux-2.6.18.1.beet/include/linux/ip.h	2006-10-21 14:59:54.000000000 +0300@@ -79,6 +79,8 @@ #define	IPOPT_TS_TSANDADDR	1		/* timestamps and addresses */ #define	IPOPT_TS_PRESPEC	3		/* specified modules only */ +#define IPV4_BEET_PHMAXLEN 8+ struct iphdr { #if defined(__LITTLE_ENDIAN_BITFIELD) 	__u8	ihl:4,@@ -122,4 +124,11 @@ 	__u16 cpi; }; +struct ip_beet_phdr {+	__u8 nexthdr;+	__u8 hdrlen;+	__u8 padlen;+	__u8 reserved;+};+ #endif	/* _LINUX_IP_H */diff -urN linux-2.6.18.1/include/linux/ipsec.h linux-2.6.18.1.beet/include/linux/ipsec.h--- linux-2.6.18.1/include/linux/ipsec.h	2006-10-14 06:34:03.000000000 +0300+++ linux-2.6.18.1.beet/include/linux/ipsec.h	2006-10-21 14:59:54.000000000 +0300@@ -12,7 +12,8 @@ enum { 	IPSEC_MODE_ANY		= 0,	/* We do not support this for SA */ 	IPSEC_MODE_TRANSPORT	= 1,-	IPSEC_MODE_TUNNEL	= 2+	IPSEC_MODE_TUNNEL	= 2,+	IPSEC_MODE_BEET         = 3 };  enum {diff -urN linux-2.6.18.1/include/linux/xfrm.h linux-2.6.18.1.beet/include/linux/xfrm.h--- linux-2.6.18.1/include/linux/xfrm.h	2006-10-14 06:34:03.000000000 +0300+++ linux-2.6.18.1.beet/include/linux/xfrm.h	2006-10-21 15:53:34.000000000 +0300@@ -43,6 +43,12 @@ #define XFRM_SC_ALG_RESERVED 0 #define XFRM_SC_ALG_SELINUX 1 +/* Transport layer flag  passed to xfrm_lookup. If set, the userspace+   process sleeps in a waitqueue until key management daemon has +   finished setting up security associations. This workaround exists +   until we have queues for outgoing IPsec packets. */+#define XFRM_LOOKUP_SLEEP (!in_atomic() && !in_softirq())+ /* Selector, used as selector both on policy rules (SPD) and SAs. */  struct xfrm_selector@@ -120,7 +126,8 @@  #define XFRM_MODE_TRANSPORT 0 #define XFRM_MODE_TUNNEL 1-#define XFRM_MODE_MAX 2+#define XFRM_MODE_BEET 2+#define XFRM_MODE_MAX 3  /* Netlink configuration messages.  */ enum {diff -urN linux-2.6.18.1/include/net/xfrm.h linux-2.6.18.1.beet/include/net/xfrm.h--- linux-2.6.18.1/include/net/xfrm.h	2006-10-14 06:34:03.000000000 +0300+++ linux-2.6.18.1.beet/include/net/xfrm.h	2006-10-21 14:59:54.000000000 +0300@@ -297,6 +297,10 @@ /* Source address of tunnel. Ignored, if it is not a tunnel. */ 	xfrm_address_t		saddr; +/* family of the outer addresses. The family may differ from+   the one in selector */+	unsigned short		outer_family;+ 	__u32			reqid;  /* Mode: transport/tunnel */diff -urN linux-2.6.18.1/net/ipv4/ah4.c linux-2.6.18.1.beet/net/ipv4/ah4.c--- linux-2.6.18.1/net/ipv4/ah4.c	2006-10-14 06:34:03.000000000 +0300+++ linux-2.6.18.1.beet/net/ipv4/ah4.c	2006-10-21 14:59:54.000000000 +0300@@ -253,8 +253,10 @@ 		goto error; 	 	x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) + ahp->icv_trunc_len);-	if (x->props.mode)+	if (x->props.mode == XFRM_MODE_TUNNEL) 		x->props.header_len += sizeof(struct iphdr);+	else if (x->props.mode == XFRM_MODE_BEET)+		x->props.header_len += IPV4_BEET_PHMAXLEN; 	x->data = ahp;  	return 0;diff -urN linux-2.6.18.1/net/ipv4/esp4.c linux-2.6.18.1.beet/net/ipv4/esp4.c--- linux-2.6.18.1/net/ipv4/esp4.c	2006-10-14 06:34:03.000000000 +0300+++ linux-2.6.18.1.beet/net/ipv4/esp4.c	2006-10-21 14:59:54.000000000 +0300@@ -237,7 +237,8 @@ 		 *    as per draft-ietf-ipsec-udp-encaps-06, 		 *    section 3.1.2 		 */-		if (!x->props.mode)+		if (x->props.mode == XFRM_MODE_TRANSPORT ||+		    x->props.mode == XFRM_MODE_BEET) 			skb->ip_summed = CHECKSUM_UNNECESSARY; 	} @@ -255,17 +256,27 @@ { 	struct esp_data *esp = x->data; 	u32 blksize = ALIGN(crypto_tfm_alg_blocksize(esp->conf.tfm), 4);+	int enclen = 0; -	if (x->props.mode) {-		mtu = ALIGN(mtu + 2, blksize);-	} else {-		/* The worst case. */+	switch (x->props.mode) {+	default:+	case XFRM_MODE_TUNNEL:+		mtu = ALIGN(mtu +2, blksize);+		break;+	case XFRM_MODE_TRANSPORT:+		/* The worst case */ 		mtu = ALIGN(mtu + 2, 4) + blksize - 4;+		break;+	case XFRM_MODE_BEET:+		/* The worst case. */+		enclen = IPV4_BEET_PHMAXLEN;+		mtu = ALIGN(mtu + enclen + 2, blksize);+		break; 	} 	if (esp->conf.padlen) 		mtu = ALIGN(mtu, esp->conf.padlen); -	return mtu + x->props.header_len + esp->auth.icv_trunc_len;+	return mtu + x->props.header_len + esp->auth.icv_trunc_len - enclen; }  static void esp4_err(struct sk_buff *skb, u32 info)@@ -368,8 +379,10 @@ 	if (crypto_cipher_setkey(esp->conf.tfm, esp->conf.key, esp->conf.key_len)) 		goto error; 	x->props.header_len = sizeof(struct ip_esp_hdr) + esp->conf.ivlen;-	if (x->props.mode)+	if (x->props.mode == XFRM_MODE_TUNNEL) 		x->props.header_len += sizeof(struct iphdr);+	else if (x->props.mode == XFRM_MODE_BEET)+		x->props.header_len += IPV4_BEET_PHMAXLEN; 	if (x->encap) { 		struct xfrm_encap_tmpl *encap = x->encap; diff -urN linux-2.6.18.1/net/ipv4/ipcomp.c linux-2.6.18.1.beet/net/ipv4/ipcomp.c--- linux-2.6.18.1/net/ipv4/ipcomp.c	2006-10-14 06:34:03.000000000 +0300+++ linux-2.6.18.1.beet/net/ipv4/ipcomp.c	2006-10-21 14:59:54.000000000 +0300@@ -176,7 +176,7 @@ 	return 0;  out_ok:-	if (x->props.mode)+	if (x->props.mode == XFRM_MODE_TUNNEL) 		ip_send_check(iph); 	return 0; }@@ -216,7 +216,7 @@ 	t->id.daddr.a4 = x->id.daddr.a4; 	memcpy(&t->sel, &x->sel, sizeof(t->sel)); 	t->props.family = AF_INET;-	t->props.mode = 1;+	t->props.mode = x->props.mode; 	t->props.saddr.a4 = x->props.saddr.a4; 	t->props.flags = x->props.flags; @@ -415,8 +415,10 @@ 		goto out;  	x->props.header_len = 0;-	if (x->props.mode)+	if (x->props.mode == XFRM_MODE_TUNNEL) 		x->props.header_len += sizeof(struct iphdr);+	else if (x->props.mode == XFRM_MODE_BEET)+		x->props.header_len += IPV4_BEET_PHMAXLEN;  	mutex_lock(&ipcomp_resource_mutex); 	if (!ipcomp_alloc_scratches())@@ -427,7 +429,7 @@ 		goto error; 	mutex_unlock(&ipcomp_resource_mutex); -	if (x->props.mode) {+	if (x->props.mode == XFRM_MODE_TUNNEL) { 		err = ipcomp_tunnel_attach(x); 		if (err) 			goto error_tunnel;diff -urN linux-2.6.18.1/net/ipv4/xfrm4_input.c linux-2.6.18.1.beet/net/ipv4/xfrm4_input.c--- linux-2.6.18.1/net/ipv4/xfrm4_input.c	2006-10-14 06:34:03.000000000 +0300+++ linux-2.6.18.1.beet/net/ipv4/xfrm4_input.c	2006-10-21 14:59:54.000000000 +0300@@ -109,6 +109,84 @@ 		if (x->props.mode) { 			decaps = 1; 			break;+		} else if (x->props.mode == XFRM_MODE_BEET) {+			int phlen = 0;+			int optlen = 0;+			__u8 ph_nexthdr = 0;+			int size = (x->sel.family == AF_INET) ? sizeof(struct iphdr) : sizeof(struct ipv6hdr);+			int proto = skb->nh.iph->protocol;+			int hops = skb->nh.iph->ttl;+			int delta = sizeof(struct ipv6hdr) - sizeof(struct iphdr);+			if (x->sel.family == AF_INET6) {+				/* Here, the inner family is 6, therefore I have to+				 * substitute the IPhdr by enlarging it */+				if (skb_tailroom(skb) <  delta){+					if (pskb_expand_head(skb, 0, delta, GFP_ATOMIC))+						return -EINVAL;		//Just returning from here.+				}+				skb->nh.raw -= delta;+			} else if (x->sel.family == AF_INET) {+				// We need to extract the PH+				struct ip_beet_phdr *ph = (struct ip_beet_phdr*)(skb->nh.iph + 1);++				if (proto == IPPROTO_BEETPH) {+					if (!pskb_may_pull(skb, sizeof(*ph)))+						goto drop;+					phlen = ph->hdrlen * 8;+					optlen = phlen - ph->padlen - sizeof(*ph);++					if (optlen < 0 || optlen & 3 || optlen > 250)+						goto drop;+					if (!pskb_may_pull(skb, phlen))+						goto drop;++					ph_nexthdr = ph->nexthdr;+				}+			} else+				BUG_ON(1);+++			if (skb_cloned(skb) &&+			    pskb_expand_head(skb, 0, 0, GFP_ATOMIC))+				goto drop;++			skb_push(skb, size);+			memmove(skb->data, skb->nh.raw, size);+			skb->nh.raw = skb->data;++			if (x->sel.family == AF_INET) {+				struct iphdr *iph = skb->nh.iph;++				if (unlikely(phlen)) {+					skb_pull(skb, phlen - optlen);+					memmove(skb->data, skb->nh.raw, sizeof(*iph));+					skb->nh.raw = skb->data;+					iph = skb->nh.iph;+				}++				iph->ihl = (sizeof(*iph) + optlen) / 4;+				iph->tot_len = htons(skb->len);+				iph->daddr = x->sel.daddr.a4;+				iph->saddr = x->sel.saddr.a4;+				if (ph_nexthdr)+					iph->protocol = ph_nexthdr;+				else+					iph->protocol = proto;+				ip_send_check(iph);+			} else if (x->sel.family == AF_INET6) {+				struct ipv6hdr *ip6h = skb->nh.ipv6h;+				memset(ip6h->flow_lbl, 0, sizeof(ip6h->flow_lbl));+				ip6h->version = 6;+				ip6h->priority = 0;+				ip6h->nexthdr = proto;+				ip6h->hop_limit = hops;+				ip6h->payload_len = htons(skb->len - size);+				ipv6_addr_copy(&ip6h->daddr, (struct in6_addr *)&x->sel.daddr.a6);+				ipv6_addr_copy(&ip6h->saddr, (struct in6_addr *)&x->sel.saddr.a6);+				skb->protocol = htons(ETH_P_IPV6);+			}+			decaps = 1;+			break; 		}  		if ((err = xfrm_parse_spi(skb, skb->nh.iph->protocol, &spi, &seq)) < 0)diff -urN linux-2.6.18.1/net/ipv4/xfrm4_output.c linux-2.6.18.1.beet/net/ipv4/xfrm4_output.c--- linux-2.6.18.1/net/ipv4/xfrm4_output.c	2006-10-14 06:34:03.000000000 +0300+++ linux-2.6.18.1.beet/net/ipv4/xfrm4_output.c	2006-10-21 14:59:54.000000000 +0300@@ -54,7 +54,7 @@ 			goto error_nolock; 	} -	if (x->props.mode) {+	if (x->props.mode == XFRM_MODE_TUNNEL) { 		err = xfrm4_tunnel_check_size(skb); 		if (err) 			goto error_nolock;diff -urN linux-2.6.18.1/net/ipv4/xfrm4_policy.c linux-2.6.18.1.beet/net/ipv4/xfrm4_policy.c--- linux-2.6.18.1/net/ipv4/xfrm4_policy.c	2006-10-14 06:34:03.000000000 +0300+++ linux-2.6.18.1.beet/net/ipv4/xfrm4_policy.c	2006-10-21 14:59:54.000000000 +0300@@ -16,6 +16,8 @@ static struct dst_ops xfrm4_dst_ops; static struct xfrm_policy_afinfo xfrm4_policy_afinfo; +static void xfrm4_update_pmtu(struct dst_entry *dst, u32 mtu);+ static int xfrm4_dst_lookup(struct xfrm_dst **dst, struct flowi *fl) { 	return __ip_route_output_key((struct rtable**)dst, fl);@@ -53,17 +55,20 @@ 	struct dst_entry *dst, *dst_prev; 	struct rtable *rt0 = (struct rtable*)(*dst_p); 	struct rtable *rt = rt0;-	u32 remote = fl->fl4_dst;-	u32 local  = fl->fl4_src; 	struct flowi fl_tunnel = { 		.nl_u = { 			.ip4_u = {-				.saddr = local,-				.daddr = remote,+				.saddr = fl->fl4_dst,+				.daddr = fl->fl4_src, 				.tos = fl->fl4_tos 			} 		} 	};+	union {+		struct in6_addr *in6;+		struct in_addr *in;+	} remote, local;+	unsigned short outer_family = 0, beet = 0; 	int i; 	int err; 	int header_len = 0;@@ -75,7 +80,6 @@ 	for (i = 0; i < nx; i++) { 		struct dst_entry *dst1 = dst_alloc(&xfrm4_dst_ops); 		struct xfrm_dst *xdst;-		int tunnel = 0;  		if (unlikely(dst1 == NULL)) { 			err = -ENOBUFS;@@ -96,21 +100,45 @@  		dst1->next = dst_prev; 		dst_prev = dst1;-		if (xfrm[i]->props.mode) {-			remote = xfrm[i]->id.daddr.a4;-			local  = xfrm[i]->props.saddr.a4;-			tunnel = 1;++		if (xfrm[i]->props.mode == XFRM_MODE_TUNNEL || xfrm[i]->props.mode == XFRM_MODE_BEET) {+			outer_family = xfrm[i]->props.family;+			beet = (xfrm[i]->props.mode == XFRM_MODE_BEET);++			if(outer_family == AF_INET6){+				remote.in6 = (struct in6_addr*)&xfrm[i]->id.daddr;+				local.in6 = (struct in6_addr*)&xfrm[i]->props.saddr;+			} else if(outer_family == AF_INET){+				remote.in = (struct in_addr*)&xfrm[i]->id.daddr;+				local.in = (struct in_addr*)&xfrm[i]->props.saddr;+			} else+				BUG_ON(1); 		} 		header_len += xfrm[i]->props.header_len; 		trailer_len += xfrm[i]->props.trailer_len; -		if (tunnel) {-			fl_tunnel.fl4_src = local;-			fl_tunnel.fl4_dst = remote;+		if (outer_family) {+			switch(outer_family) {+			case AF_INET:+				fl_tunnel.fl4_dst = remote.in->s_addr;+				fl_tunnel.fl4_src = local.in->s_addr;+				break;+			case AF_INET6:+				ipv6_addr_copy(&fl_tunnel.fl6_dst, remote.in6);+				ipv6_addr_copy(&fl_tunnel.fl6_src, local.in6);+				break;+			default:+				BUG_ON(1);+			} 			err = xfrm_dst_lookup((struct xfrm_dst **)&rt,-					      &fl_tunnel, AF_INET);+					      &fl_tunnel, outer_family); 			if (err) 				goto error;