Commit 5b7f84b1 authored Jul 18, 2021 by Steffen Klassert Committed by Greg Kroah-Hartman May 25, 2022

xfrm: Add possibility to set the default to block if we have no policy



[ Upstream commit 2d151d39 ]

As the default we assume the traffic to pass, if we have no
matching IPsec policy. With this patch, we have a possibility to
change this default from allow to block. It can be configured
via netlink. Each direction (input/output/forward) can be
configured separately. With the default to block configuered,
we need allow policies for all packet flows we accept.
We do not use default policy lookup for the loopback device.

v1->v2
 - fix compiling when XFRM is disabled
 - Reported-by: kernel test robot <lkp@intel.com>

Co-developed-by: Christian Langrock <christian.langrock@secunet.com>
Signed-off-by: Christian Langrock <christian.langrock@secunet.com>
Co-developed-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 243e72e2

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit cac3a605
· Nov 05, 2025

mentioned in commit cac3a605

mentioned in commit cac3a605c5e3384e27a1bfc5c3fb38fdea64aad5

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit cac3a605
· Nov 05, 2025

mentioned in commit cac3a605

mentioned in commit cac3a605c5e3384e27a1bfc5c3fb38fdea64aad5

Toggle commit list

Please to comment