From: "Dmitry V. Levin" <ldv@altlinux.org>
To: Antony Antony <antony.antony@secunet.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Christian Langrock <christian.langrock@secunet.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
netdev@vger.kernel.org
Subject: Re: [PATCH v2 ipsec-next] xfrm: Add possibility to set the default to block if we have no policy
Date: Wed, 1 Sep 2021 18:14:02 +0300 [thread overview]
Message-ID: <20210901151402.GA2557@altlinux.org> (raw)
In-Reply-To: <fc1364604051d6be5c4c14817817a004aba539eb.1626592022.git.antony.antony@secunet.com>
Hi,
On Sun, Jul 18, 2021 at 09:11:06AM +0200, Antony Antony wrote:
> From: Steffen Klassert <steffen.klassert@secunet.com>
>
> As the default we assume the traffic to pass, if we have no
> matching IPsec policy. With this patch, we have a possibility to
> change this default from allow to block. It can be configured
> via netlink. Each direction (input/output/forward) can be
> configured separately. With the default to block configuered,
> we need allow policies for all packet flows we accept.
> We do not use default policy lookup for the loopback device.
>
> v1->v2
> - fix compiling when XFRM is disabled
> - Reported-by: kernel test robot <lkp@intel.com>
>
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> Co-developed-by: Christian Langrock <christian.langrock@secunet.com>
> Signed-off-by: Christian Langrock <christian.langrock@secunet.com>
> Co-developed-by: Antony Antony <antony.antony@secunet.com>
> Signed-off-by: Antony Antony <antony.antony@secunet.com>
[...]
The following part of this patch is ABI break:
> diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
> index ffc6a5391bb7..6e8095106192 100644
> --- a/include/uapi/linux/xfrm.h
> +++ b/include/uapi/linux/xfrm.h
> @@ -213,6 +213,11 @@ enum {
> XFRM_MSG_GETSPDINFO,
> #define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
>
> + XFRM_MSG_SETDEFAULT,
> +#define XFRM_MSG_SETDEFAULT XFRM_MSG_SETDEFAULT
> + XFRM_MSG_GETDEFAULT,
> +#define XFRM_MSG_GETDEFAULT XFRM_MSG_GETDEFAULT
> +
> XFRM_MSG_MAPPING,
> #define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
> __XFRM_MSG_MAX
After this change, strace no longer builds with the following diagnostics:
../../../src/xlat/nl_xfrm_types.h:162:1: error: static assertion failed: "XFRM_MSG_MAPPING != 0x26"
162 | static_assert((XFRM_MSG_MAPPING) == (0x26), "XFRM_MSG_MAPPING != 0x26");
--
ldv
next prev parent reply other threads:[~2021-09-01 15:14 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20210331144843.GA25749@moon.secunet.de>
2021-07-16 9:15 ` [PATCH ipsec-next] xfrm: Add possibility to set the default to block if we have no policy Antony Antony
2021-07-18 3:26 ` kernel test robot
2021-07-18 3:26 ` kernel test robot
2021-07-18 7:11 ` [PATCH v2 " Antony Antony
2021-07-22 9:43 ` Steffen Klassert
2021-08-11 16:14 ` Nicolas Dichtel
2021-08-17 11:19 ` Antony Antony
2021-08-25 10:01 ` Nicolas Dichtel
2021-09-07 19:35 ` [PATCH ipsec 0/2] xfrm: fix uapi for the default policy Nicolas Dichtel
2021-09-07 19:35 ` [PATCH ipsec 1/2] xfrm: make user policy API complete Nicolas Dichtel
2021-09-07 19:35 ` [PATCH ipsec 2/2] xfrm: notify default policy on update Nicolas Dichtel
2021-09-08 1:35 ` kernel test robot
2021-09-08 1:35 ` kernel test robot
2021-09-08 7:23 ` [PATCH ipsec v2 0/2] xfrm: fix uapi for the default policy Nicolas Dichtel
2021-09-08 7:23 ` [PATCH ipsec v2 1/2] xfrm: make user policy API complete Nicolas Dichtel
2021-09-08 7:23 ` [PATCH ipsec v2 2/2] xfrm: notify default policy on update Nicolas Dichtel
2021-09-08 7:23 ` [RFC PATCH iproute2 v2] xfrm: enable to manage default policies Nicolas Dichtel
2021-09-14 14:46 ` [PATCH ipsec v3 0/2] xfrm: fix uapi for the default policy Nicolas Dichtel
2021-09-14 14:46 ` [PATCH ipsec v3 1/2] xfrm: make user policy API complete Nicolas Dichtel
2021-09-14 14:46 ` [PATCH ipsec v3 2/2] xfrm: notify default policy on update Nicolas Dichtel
2021-09-14 14:46 ` [RFC PATCH iproute2 v2] xfrm: enable to manage default policies Nicolas Dichtel
2021-09-15 9:19 ` [PATCH ipsec v3 0/2] xfrm: fix uapi for the default policy Antony Antony
2021-09-15 9:55 ` Nicolas Dichtel
2021-09-17 7:06 ` Steffen Klassert
2021-09-17 7:54 ` Nicolas Dichtel
2021-09-07 19:35 ` [RFC PATCH iproute2] xfrm: enable to manage default policies Nicolas Dichtel
2021-09-01 15:14 ` Dmitry V. Levin [this message]
2021-09-02 9:05 ` [PATCH v2 ipsec-next] xfrm: Add possibility to set the default to block if we have no policy Steffen Klassert
2021-09-19 22:40 ` Paul Cercueil
2021-09-21 6:33 ` Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210901151402.GA2557@altlinux.org \
--to=ldv@altlinux.org \
--cc=antony.antony@secunet.com \
--cc=christian.langrock@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.