summaryrefslogtreecommitdiff
path: root/include/net
diff options
context:
space:
mode:
authorSteffen Klassert <steffen.klassert@secunet.com>2013-02-05 11:52:55 (GMT)
committerSteffen Klassert <steffen.klassert@secunet.com>2013-02-06 07:31:10 (GMT)
commita0073fe18e718a1c815fe8b0120f1ac3c60284ba (patch)
tree1f30d5f9415a90c5662376fd3e4c0420a431b9f1 /include/net
parentfa8599db8f222fd9d351a640074377a841979187 (diff)
downloadlinux-a0073fe18e718a1c815fe8b0120f1ac3c60284ba.tar.xz
xfrm: Add a state resolution packet queue
As the default, we blackhole packets until the key manager resolves the states. This patch implements a packet queue where IPsec packets are queued until the states are resolved. We generate a dummy xfrm bundle, the output routine of the returned route enqueues the packet to a per policy queue and arms a timer that checks for state resolution when dst_output() is called. Once the states are resolved, the packets are sent out of the queue. If the states are not resolved after some time, the queue is flushed. This patch keeps the defaut behaviour to blackhole packets as long as we have no states. To enable the packet queue the sysctl xfrm_larval_drop must be switched off. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/dst.h1
-rw-r--r--include/net/xfrm.h7
2 files changed, 8 insertions, 0 deletions
diff --git a/include/net/dst.h b/include/net/dst.h
index 9a78810..3da47e0 100644
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -61,6 +61,7 @@ struct dst_entry {
#define DST_NOPEER 0x0040
#define DST_FAKE_RTABLE 0x0080
#define DST_XFRM_TUNNEL 0x0100
+#define DST_XFRM_QUEUE 0x0200
unsigned short pending_confirm;
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 814a1ba..30f3e5b 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -501,6 +501,12 @@ struct xfrm_policy_walk {
u32 seq;
};
+struct xfrm_policy_queue {
+ struct sk_buff_head hold_queue;
+ struct timer_list hold_timer;
+ unsigned long timeout;
+};
+
struct xfrm_policy {
#ifdef CONFIG_NET_NS
struct net *xp_net;
@@ -522,6 +528,7 @@ struct xfrm_policy {
struct xfrm_lifetime_cfg lft;
struct xfrm_lifetime_cur curlft;
struct xfrm_policy_walk_entry walk;
+ struct xfrm_policy_queue polq;
u8 type;
u8 action;
u8 flags;