From 990078afbf90e0175e71da2df04595b99153514c Mon Sep 17 00:00:00 2001 From: Michael Smith Date: Thu, 7 Apr 2011 04:51:51 +0000 Subject: Disable rp_filter for IPsec packets The reverse path filter interferes with IPsec subnet-to-subnet tunnels, especially when the link to the IPsec peer is on an interface other than the one hosting the default route. With dynamic routing, where the peer might be reachable through eth0 today and eth1 tomorrow, it's difficult to keep rp_filter enabled unless fake routes to the remote subnets are configured on the interface currently used to reach the peer. IPsec provides a much stronger anti-spoofing policy than rp_filter, so this patch disables the rp_filter for packets with a security path. Signed-off-by: Michael Smith Signed-off-by: David S. Miller --- include/net/xfrm.h | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 6ae4bc5ce8a..65ea3134863 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -957,6 +957,15 @@ struct sec_path { struct xfrm_state *xvec[XFRM_MAX_DEPTH]; }; +static inline int secpath_exists(struct sk_buff *skb) +{ +#ifdef CONFIG_XFRM + return skb->sp != NULL; +#else + return 0; +#endif +} + static inline struct sec_path * secpath_get(struct sec_path *sp) { -- cgit v1.2.3