From: David Miller <davem@davemloft.net>
To: msmith@cbnco.com
Cc: netdev@vger.kernel.org
Subject: Re: [PATCH] Disable rp_filter for IPsec packets
Date: Mon, 14 Mar 2011 14:25:20 -0700 (PDT)
Message-ID: <20110314.142520.28811818.davem@davemloft.net>
In-Reply-To: <1300137299-28161-1-git-send-email-msmith@cbnco.com>
From: Michael Smith <msmith@cbnco.com>
Date: Mon, 14 Mar 2011 17:14:59 -0400
> The reverse path filter interferes with IPsec subnet-to-subnet tunnels,
> especially when the link to the IPsec peer is on an interface other than
> the one hosting the default route.
>
> With dynamic routing, where the peer might be reachable through eth0
> today and eth1 tomorrow, it's difficult to keep rp_filter enabled unless
> fake routes to the remote subnets are configured on the interface
> currently used to reach the peer.
>
> IPsec provides a much stronger anti-spoofing policy than rp_filter, so
> this patch disables the rp_filter for packets with a security path.
>
> Signed-off-by: Michael Smith <msmith@cbnco.com>
First, I'm only willing to accept a patch like this to net-next-2.6
for which all of the code you are changing is radically different.
Secondly, fib_validate_source() already takes too many damn arguments.
Find another, less costly, way to pass this information down there.
Frankly, I think RPF should be disabled completely by default. When
it doesn't do anything useful, it's making route lookups twice as
expensive as they need to be.
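To make the interaction the commit message describes concrete, here is a small model of the reverse-path check, added as an illustration; it is not kernel code and not part of the patch. The routing table, addresses and interface names are constructed: the default route leaves via eth0, the IPsec peer is currently reached via eth1, and the decapsulated inner packet from the remote subnet is re-injected on eth1, where strict rp_filter sees a source whose best route points at eth0. The `has_sec_path` flag models the patch's idea of skipping the check for packets that came out of an IPsec SA.

```python
import ipaddress

# Constructed routing table: (destination prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "eth0"),         # default route
    ("198.51.100.0/24", "eth1"),   # link to the IPsec peer (today)
    ("10.1.0.0/24", "eth2"),       # local subnet behind this gateway
]

def lookup(routes, addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for dst, dev in routes:
        net = ipaddress.ip_network(dst)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def rp_filter_accepts(routes, src, in_dev, mode, has_sec_path=False):
    """Simplified reverse-path check on an incoming packet.

    mode 0: off; 1: strict (the route back to src must leave via in_dev);
    2: loose (any route back to src suffices).
    has_sec_path=True models the patch: skip the check for packets that
    arrived through an IPsec security path (assumption for illustration).
    """
    if mode == 0 or has_sec_path:
        return True
    dev = lookup(routes, src)
    if dev is None:
        return False
    return dev == in_dev if mode == 1 else True

def tunnel_inner_packet(routes, mode, patched=False):
    """Inner packet from the remote subnet 10.2.0.0/24 after ESP
    decapsulation; it is re-injected on eth1, where the ESP arrived."""
    return rp_filter_accepts(routes, "10.2.0.7", "eth1", mode,
                             has_sec_path=patched)

if __name__ == "__main__":
    print("strict, no route to remote subnet:", tunnel_inner_packet(ROUTES, 1))
    print("loose:", tunnel_inner_packet(ROUTES, 2))
    print("strict, with fake route via eth1:",
          tunnel_inner_packet(ROUTES + [("10.2.0.0/24", "eth1")], 1))
    print("strict, patched (security path):", tunnel_inner_packet(ROUTES, 1, True))
    print("spoofed local source on eth1, strict:",
          rp_filter_accepts(ROUTES, "10.1.0.5", "eth1", 1))
```

The last case shows what the strict check still catches outside the tunnel: a packet claiming a local subnet address but arriving on the peer-facing interface, which loose mode (2) would let through.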