kernel-ark/net/ipv4
Michael Smith 990078afbf Disable rp_filter for IPsec packets
The reverse path filter interferes with IPsec subnet-to-subnet tunnels,
especially when the link to the IPsec peer is on an interface other than
the one hosting the default route.

With dynamic routing, where the peer might be reachable through eth0
today and eth1 tomorrow, it's difficult to keep rp_filter enabled unless
fake routes to the remote subnets are configured on the interface
currently used to reach the peer.

IPsec provides a much stronger anti-spoofing policy than rp_filter, so
this patch disables the rp_filter for packets with a security path.

Signed-off-by: Michael Smith <msmith@cbnco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-04-10 18:50:59 -07:00
netfilter netfilter: ipt_CLUSTERIP: fix buffer overflow 2011-03-20 15:42:52 +01:00
af_inet.c ipv4: Create and use route lookup helpers. 2011-03-12 15:08:42 -08:00
ah4.c xfrm: Use separate low and high order bits of the sequence numbers in xfrm_skb_cb 2011-03-13 20:22:28 -07:00
arp.c net: gre: provide multicast mappings for ipv4 and ipv6 2011-03-30 00:10:47 -07:00
cipso_ipv4.c
datagram.c ipv4: Make output route lookup return rtable directly. 2011-03-02 14:31:35 -08:00
devinet.c ipv4: Fallback to FIB local table in __ip_dev_find(). 2011-03-23 12:16:15 -07:00
esp4.c esp4: Add support for IPsec extended sequence numbers 2011-03-13 20:22:29 -07:00
fib_frontend.c Disable rp_filter for IPsec packets 2011-04-10 18:50:59 -07:00
fib_lookup.h ipv4: Fix nexthop caching wrt. scoping. 2011-03-24 18:06:47 -07:00
fib_rules.c ipv4: Use flowi4 in FIB layer. 2011-03-12 15:08:49 -08:00
fib_semantics.c ipv4: Fix nexthop caching wrt. scoping. 2011-03-24 18:06:47 -07:00
fib_trie.c fib: add __rcu annotations 2011-03-31 01:51:35 -07:00
gre.c
icmp.c net: Put fl4_* macros to struct flowi4 and use them again. 2011-03-12 15:08:54 -08:00
igmp.c ipv4: Create and use route lookup helpers. 2011-03-12 15:08:42 -08:00
inet_connection_sock.c ipv4: Use flowi4_init_output() in inet_connection_sock.c 2011-03-31 04:53:20 -07:00
inet_diag.c Revert "netlink: test for all flags of the NLM_F_DUMP composite" 2011-01-19 13:34:20 -08:00
inet_fragment.c
inet_hashtables.c
inet_lro.c
inet_timewait_sock.c tcp: fix inet_twsk_deschedule() 2011-02-19 18:59:04 -08:00
inetpeer.c inetpeer: should use call_rcu() variant 2011-03-13 23:22:23 -07:00
ip_forward.c
ip_fragment.c ipv4: IP defragmentation must be ECN aware 2011-01-06 11:21:30 -08:00
ip_gre.c ipv4: Create and use route lookup helpers. 2011-03-12 15:08:42 -08:00
ip_input.c netfilter: fix Kconfig dependencies 2011-01-14 13:36:42 +01:00
ip_options.c ipv4: Fix IP timestamp option (IPOPT_TS_PRESPEC) handling in ip_options_echo() 2011-03-27 23:35:02 -07:00
ip_output.c ipv4: Use flowi4_init_output() in ip_send_reply() 2011-03-31 04:53:37 -07:00
ip_sockglue.c
ipcomp.c
ipconfig.c
ipip.c ipv4: Create and use route lookup helpers. 2011-03-12 15:08:42 -08:00
ipmr.c ipv4: Use flowi4 in ipmr code. 2011-03-12 15:08:49 -08:00
Kconfig ipv4: Remove fib_hash. 2011-02-01 15:35:25 -08:00
Makefile ipv4: Remove fib_hash. 2011-02-01 15:35:25 -08:00
netfilter.c netfilter: af_info: add 'strict' parameter to limit lookup to .oif 2011-04-04 17:00:54 +02:00
proc.c tcp: Replace time wait bucket msg by counter 2010-12-08 12:16:33 -08:00
protocol.c
raw.c ipv4: Use flowi4_init_output() in raw_sendmsg() 2011-03-31 04:53:51 -07:00
route.c fib_validate_source(): pass sk_buff instead of mark 2011-04-10 18:50:59 -07:00
syncookies.c ipv4: Use flowi4_init_output() in cookie_v4_check() 2011-03-31 04:54:08 -07:00
sysctl_net_ipv4.c net: add limits to ip_default_ttl 2010-12-13 12:16:14 -08:00
tcp_bic.c tcp: mark tcp_congestion_ops read_mostly 2011-03-10 00:40:17 -08:00
tcp_cong.c
tcp_cubic.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-03-15 15:15:17 -07:00
tcp_diag.c
tcp_highspeed.c tcp: mark tcp_congestion_ops read_mostly 2011-03-10 00:40:17 -08:00
tcp_htcp.c tcp: mark tcp_congestion_ops read_mostly 2011-03-10 00:40:17 -08:00
tcp_hybla.c tcp: mark tcp_congestion_ops read_mostly 2011-03-10 00:40:17 -08:00
tcp_illinois.c tcp: mark tcp_congestion_ops read_mostly 2011-03-10 00:40:17 -08:00
tcp_input.c tcp: Make undo_ssthresh arg to tcp_undo_cwr() a bool. 2011-03-22 19:37:11 -07:00
tcp_ipv4.c ipv4: Make output route lookup return rtable directly. 2011-03-02 14:31:35 -08:00
tcp_lp.c tcp: mark tcp_congestion_ops read_mostly 2011-03-10 00:40:17 -08:00
tcp_minisocks.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-08 13:47:38 -08:00
tcp_output.c tcp: len check is unnecessarily devastating, change to WARN_ON 2011-04-01 21:47:41 -07:00
tcp_probe.c
tcp_scalable.c tcp: mark tcp_congestion_ops read_mostly 2011-03-10 00:40:17 -08:00
tcp_timer.c tcp: Remove debug macro of TCP_CHECK_TIMER 2011-02-20 11:10:14 -08:00
tcp_vegas.c tcp: mark tcp_congestion_ops read_mostly 2011-03-10 00:40:17 -08:00
tcp_vegas.h
tcp_veno.c tcp: mark tcp_congestion_ops read_mostly 2011-03-10 00:40:17 -08:00
tcp_westwood.c tcp: mark tcp_congestion_ops read_mostly 2011-03-10 00:40:17 -08:00
tcp_yeah.c tcp: mark tcp_congestion_ops read_mostly 2011-03-10 00:40:17 -08:00
tcp.c net: Allow no-cache copy from user on transmit 2011-04-04 22:30:30 -07:00
tunnel4.c
udp_impl.h net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
udp.c ipv4: Use flowi4_init_output() in udp_sendmsg() 2011-03-31 04:54:27 -07:00
udplite.c net: fix nulls list corruptions in sk_prot_alloc 2010-12-16 14:26:56 -08:00
xfrm4_input.c
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c ipv4: Don't pre-seed hoplimit metric. 2010-12-12 22:08:17 -08:00
xfrm4_output.c
xfrm4_policy.c ipv4: Fix "Set rt->rt_iif more sanely on output routes." 2011-04-07 14:04:08 -07:00
xfrm4_state.c net: Use flowi4 and flowi6 in xfrm layer. 2011-03-12 15:08:52 -08:00
xfrm4_tunnel.c