aboutsummaryrefslogtreecommitdiffstats
path: root/include/net
diff options
context:
space:
mode:
authorDavid S. Miller <davem@sunset.davemloft.net>2007-05-24 21:17:54 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-05-24 21:17:54 -0400
commit14e50e57aedb2a89cf79b77782879769794cab7b (patch)
tree46cbdab9c8007cea0821294c9d397214b38ea4c8 /include/net
parent04efb8787e4d8a7b21a61aeb723de33154311256 (diff)
[XFRM]: Allow packet drops during larval state resolution.
The current IPSEC rule resolution behavior we have does not work for a lot of people, even though technically it's an improvement from the -EAGAIN buisness we had before. Right now we'll block until the key manager resolves the route. That works for simple cases, but many folks would rather packets get silently dropped until the key manager resolves the IPSEC rules. We can't tell these folks to "set the socket non-blocking" because they don't have control over the non-block setting of things like the sockets used to resolve DNS deep inside of the resolver libraries in libc. With that in mind I coded up the patch below with some help from Herbert Xu which provides packet-drop behavior during larval state resolution, controllable via sysctl and off by default. This lays the framework to either: 1) Make this default at some point or... 2) Move this logic into xfrm{4,6}_policy.c and implement the ARP-like resolution queue we've all been dreaming of. The idea would be to queue packets to the policy, then once the larval state is resolved by the key manager we re-resolve the route and push the packets out. The packets would timeout if the rule didn't get resolved in a certain amount of time. Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/dst.h7
-rw-r--r--include/net/ipv6.h3
2 files changed, 10 insertions, 0 deletions
diff --git a/include/net/dst.h b/include/net/dst.h
index e12a8ce0b9b3..82270f9332db 100644
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -265,9 +265,16 @@ static inline int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
265{ 265{
266 return 0; 266 return 0;
267} 267}
268static inline int __xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
269 struct sock *sk, int flags)
270{
271 return 0;
272}
268#else 273#else
269extern int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl, 274extern int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
270 struct sock *sk, int flags); 275 struct sock *sk, int flags);
276extern int __xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
277 struct sock *sk, int flags);
271#endif 278#endif
272#endif 279#endif
273 280
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 4fa5dfe886c4..78a0d06d98d5 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -469,6 +469,9 @@ extern void ip6_flush_pending_frames(struct sock *sk);
469extern int ip6_dst_lookup(struct sock *sk, 469extern int ip6_dst_lookup(struct sock *sk,
470 struct dst_entry **dst, 470 struct dst_entry **dst,
471 struct flowi *fl); 471 struct flowi *fl);
472extern int ip6_dst_blackhole(struct sock *sk,
473 struct dst_entry **dst,
474 struct flowi *fl);
472extern int ip6_sk_dst_lookup(struct sock *sk, 475extern int ip6_sk_dst_lookup(struct sock *sk,
473 struct dst_entry **dst, 476 struct dst_entry **dst,
474 struct flowi *fl); 477 struct flowi *fl);