summaryrefslogtreecommitdiff
path: root/Documentation
diff options
context:
space:
mode:
authorSteffen Klassert <steffen.klassert@secunet.com>2013-02-05 12:52:55 +0100
committerSteffen Klassert <steffen.klassert@secunet.com>2013-02-06 08:31:10 +0100
commita0073fe18e718a1c815fe8b0120f1ac3c60284ba (patch)
tree1f30d5f9415a90c5662376fd3e4c0420a431b9f1 /Documentation
parentfa8599db8f222fd9d351a640074377a841979187 (diff)
xfrm: Add a state resolution packet queue
As the default, we blackhole packets until the key manager resolves the states. This patch implements a packet queue where IPsec packets are queued until the states are resolved. We generate a dummy xfrm bundle, the output routine of the returned route enqueues the packet to a per policy queue and arms a timer that checks for state resolution when dst_output() is called. Once the states are resolved, the packets are sent out of the queue. If the states are not resolved after some time, the queue is flushed. This patch keeps the defaut behaviour to blackhole packets as long as we have no states. To enable the packet queue the sysctl xfrm_larval_drop must be switched off. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'Documentation')
0 files changed, 0 insertions, 0 deletions