linux/net/xfrm
Nicolas Dichtel a947b0a93e xfrm: allow to avoid copying DSCP during encapsulation
By default, DSCP is copied during encapsulation.
Copying the DSCP in IPsec tunneling may be a bit dangerous because packets with
different DSCP may get reordered relative to each other in the network and then
dropped by the remote IPsec GW if the reordering becomes too big compared to the
replay window.

It is possible to avoid this copy with netfilter rules, but it's very convenient
to be able to configure it for each SA directly.

This patch adds a toggle for this purpose. By default, it's not set to maintain
backward compatibility.

Field flags in struct xfrm_usersa_info is full, hence I add a new attribute.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2013-03-06 07:02:45 +01:00
..
Kconfig net/xfrm: remove depends on CONFIG_EXPERIMENTAL 2013-01-11 11:40:03 -08:00
Makefile xfrm: make xfrm_algo.c a module 2012-05-15 13:13:34 -04:00
xfrm_algo.c pf_key/xfrm_algo: prepare pf_key and xfrm_algo for new algorithms without pfkey support 2013-02-01 10:13:43 +01:00
xfrm_hash.c
xfrm_hash.h
xfrm_input.c xfrm: Workaround incompatibility of ESN and async crypto 2012-09-04 14:09:45 -04:00
xfrm_ipcomp.c net: xfrm: use __this_cpu_read per-cpu helper 2012-11-13 14:38:52 +01:00
xfrm_output.c xfrm: fix a unbalanced lock 2013-02-01 10:33:40 +01:00
xfrm_policy.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
xfrm_proc.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
xfrm_replay.c net/xfrm/xfrm_replay: avoid division by zero 2013-01-18 06:19:49 +01:00
xfrm_state.c xfrm: allow to avoid copying DSCP during encapsulation 2013-03-06 07:02:45 +01:00
xfrm_sysctl.c net: Don't export sysctls to unprivileged users 2012-11-18 20:30:55 -05:00
xfrm_user.c xfrm: allow to avoid copying DSCP during encapsulation 2013-03-06 07:02:45 +01:00