diff options
author | Steffen Klassert <steffen.klassert@secunet.com> | 2013-02-05 12:52:55 +0100 |
---|---|---|
committer | Steffen Klassert <steffen.klassert@secunet.com> | 2013-02-06 08:31:10 +0100 |
commit | a0073fe18e718a1c815fe8b0120f1ac3c60284ba (patch) | |
tree | 1f30d5f9415a90c5662376fd3e4c0420a431b9f1 /include/net/dst.h | |
parent | fa8599db8f222fd9d351a640074377a841979187 (diff) | |
download | linux-a0073fe18e718a1c815fe8b0120f1ac3c60284ba.tar.gz linux-a0073fe18e718a1c815fe8b0120f1ac3c60284ba.tar.bz2 linux-a0073fe18e718a1c815fe8b0120f1ac3c60284ba.zip |
xfrm: Add a state resolution packet queue
As the default, we blackhole packets until the key manager resolves
the states. This patch implements a packet queue where IPsec packets
are queued until the states are resolved. We generate a dummy xfrm
bundle, the output routine of the returned route enqueues the packet
to a per policy queue and arms a timer that checks for state resolution
when dst_output() is called. Once the states are resolved, the packets
are sent out of the queue. If the states are not resolved after some
time, the queue is flushed.
This patch keeps the defaut behaviour to blackhole packets as long
as we have no states. To enable the packet queue the sysctl
xfrm_larval_drop must be switched off.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'include/net/dst.h')
-rw-r--r-- | include/net/dst.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/net/dst.h b/include/net/dst.h index 9a7881066fb3..3da47e0a4a1f 100644 --- a/include/net/dst.h +++ b/include/net/dst.h @@ -61,6 +61,7 @@ struct dst_entry { #define DST_NOPEER 0x0040 #define DST_FAKE_RTABLE 0x0080 #define DST_XFRM_TUNNEL 0x0100 +#define DST_XFRM_QUEUE 0x0200 unsigned short pending_confirm; |