14e50e57ae
The current IPSEC rule resolution behavior we have does not work for a lot of people, even though technically it's an improvement from the -EAGAIN buisness we had before. Right now we'll block until the key manager resolves the route. That works for simple cases, but many folks would rather packets get silently dropped until the key manager resolves the IPSEC rules. We can't tell these folks to "set the socket non-blocking" because they don't have control over the non-block setting of things like the sockets used to resolve DNS deep inside of the resolver libraries in libc. With that in mind I coded up the patch below with some help from Herbert Xu which provides packet-drop behavior during larval state resolution, controllable via sysctl and off by default. This lays the framework to either: 1) Make this default at some point or... 2) Move this logic into xfrm{4,6}_policy.c and implement the ARP-like resolution queue we've all been dreaming of. The idea would be to queue packets to the policy, then once the larval state is resolved by the key manager we re-resolve the route and push the packets out. The packets would timeout if the rule didn't get resolved in a certain amount of time. Signed-off-by: David S. Miller <davem@davemloft.net> |
||
---|---|---|
.. | ||
acpi | ||
asm-alpha | ||
asm-arm | ||
asm-arm26 | ||
asm-avr32 | ||
asm-blackfin | ||
asm-cris | ||
asm-frv | ||
asm-generic | ||
asm-h8300 | ||
asm-i386 | ||
asm-ia64 | ||
asm-m32r | ||
asm-m68k | ||
asm-m68knommu | ||
asm-mips | ||
asm-parisc | ||
asm-powerpc | ||
asm-ppc | ||
asm-s390 | ||
asm-sh | ||
asm-sh64 | ||
asm-sparc | ||
asm-sparc64 | ||
asm-um | ||
asm-v850 | ||
asm-x86_64 | ||
asm-xtensa | ||
crypto | ||
keys | ||
linux | ||
math-emu | ||
media | ||
mtd | ||
net | ||
pcmcia | ||
rdma | ||
rxrpc | ||
scsi | ||
sound | ||
video | ||
Kbuild |