git.ipfire.org Git - thirdparty/linux.git/commit

xfrm: Add possibility to set the default to block if we have no policy

As the default we assume the traffic to pass, if we have no
matching IPsec policy. With this patch, we have a possibility to
change this default from allow to block. It can be configured
via netlink. Each direction (input/output/forward) can be
configured separately. With the default to block configuered,
we need allow policies for all packet flows we accept.
We do not use default policy lookup for the loopback device.

v1->v2
- fix compiling when XFRM is disabled
- Reported-by: kernel test robot <lkp@intel.com>

Co-developed-by: Christian Langrock <christian.langrock@secunet.com>
Signed-off-by: Christian Langrock <christian.langrock@secunet.com>
Co-developed-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

author	Steffen Klassert <steffen.klassert@secunet.com>
	Sun, 18 Jul 2021 07:11:06 +0000 (09:11 +0200)
committer	Steffen Klassert <steffen.klassert@secunet.com>
	Wed, 21 Jul 2021 07:49:19 +0000 (09:49 +0200)
commit	2d151d39073aff498358543801fca0f670fea981
tree	76abb9648c571bb6fc5ccb5d7c25f000e22c1273	tree
parent	f8fdadef92b7a39e9a9a83bc2df68731ac6c298b	commit \| diff

include/net/netns/xfrm.h		diff \| blob \| blame \| history
include/net/xfrm.h		diff \| blob \| blame \| history
include/uapi/linux/xfrm.h		diff \| blob \| blame \| history
net/xfrm/xfrm_policy.c		diff \| blob \| blame \| history
net/xfrm/xfrm_user.c		diff \| blob \| blame \| history