Re: [PATCH] Disable rp_filter for IPsec packets

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Michael Smith <msmith@cbnco.com>
To: netdev@vger.kernel.org
Subject: Re: [PATCH] Disable rp_filter for IPsec packets
Date: Mon, 14 Mar 2011 17:29:43 -0400	[thread overview]
Message-ID: <4D7E88C7.5080706@cbnco.com> (raw)
In-Reply-To: <20110314.142520.28811818.davem@davemloft.net>

David Miller wrote:
> First, I'm only willing to accept a patch like this to net-next-2.6
> for which all of the code you are changing is radically different.

OK.

> Secondly, fib_validate_source() already takes too many damn arguments.
> Find another, less costly, way to pass this information down there.

What would be a less costly way to pass it? Could I just hand it the 
whole skb?

> Frankly, I think RPF should be disabled completely by default.  When
> it doesn't do anything useful, it's making route lookups twice as
> expensive as they need to be.

Yeah, it's disabled by default. It's an easy way of preventing spoofing 
of internal source addresses from the Internet, so I like it.

Thanks,
Mike

next prev parent reply	other threads:[~2011-03-14 21:37 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-03-14 21:14 [PATCH] Disable rp_filter for IPsec packets Michael Smith
2011-03-14 21:25 ` David Miller
2011-03-14 21:29   ` Michael Smith [this message]
2011-03-14 21:41     ` David Miller
2011-03-14 22:11       ` Michael Smith
2011-03-14 22:14         ` David Miller
2011-03-14 22:23           ` Michael Smith
2011-03-14 22:27             ` David Miller
2011-03-15 23:21               ` Michael Smith
2011-03-15 23:35                 ` David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4D7E88C7.5080706@cbnco.com \
    --to=msmith@cbnco.com \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.