git.ipfire.org Git - thirdparty/kernel/stable.git/commit

xfrm: Add possibility to set the default to block if we have no policy

[ Upstream commit 2d151d39073aff498358543801fca0f670fea981 ]

As the default we assume the traffic to pass, if we have no
matching IPsec policy. With this patch, we have a possibility to
change this default from allow to block. It can be configured
via netlink. Each direction (input/output/forward) can be
configured separately. With the default to block configuered,
we need allow policies for all packet flows we accept.
We do not use default policy lookup for the loopback device.

v1->v2
- fix compiling when XFRM is disabled
- Reported-by: kernel test robot <lkp@intel.com>

Co-developed-by: Christian Langrock <christian.langrock@secunet.com>
Signed-off-by: Christian Langrock <christian.langrock@secunet.com>
Co-developed-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

author	Steffen Klassert <steffen.klassert@secunet.com>
	Sun, 18 Jul 2021 07:11:06 +0000 (09:11 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 25 May 2022 07:17:57 +0000 (09:17 +0200)
commit	5b7f84b1f9f46327360a64c529433fa0d68cc3f4
tree	6563429e35552b18b18ae36fc58f0f2f4e01b36b	tree \| snapshot
parent	243e72e20446b25496887304f3e01e26702b0ac7	commit \| diff

include/net/netns/xfrm.h		diff \| blob \| blame \| history
include/net/xfrm.h		diff \| blob \| blame \| history
include/uapi/linux/xfrm.h		diff \| blob \| blame \| history
net/xfrm/xfrm_policy.c		diff \| blob \| blame \| history
net/xfrm/xfrm_user.c		diff \| blob \| blame \| history