Date: Tue, 04 Dec 2007 22:06:34 -0800 (PST)
From: David Miller <davem@...emloft.net>
To: simon@...e.lp0.eu
Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: sockets affected by IPsec always block (2.6.23)

From: Simon Arlott <simon@...e.lp0.eu>
Date: Tue, 04 Dec 2007 18:53:19 +0000

> If I have an IPsec rule like:
> spdadd 192.168.7.8 1.2.3.4 any -P out ipsec esp/transport//require;
> (i.e. a remote host 1.2.3.4 which will not respond)
>
> Then any attempt to communicate with 1.2.3.4 will block, even when using non-blocking sockets:

If you don't like this behavior:

	echo "1" >/proc/sys/net/core/xfrm_larval_drop

but those initial connection setup packets will be dropped
while waiting for the IPSEC route to be resolved, and in your
8 hour case the TCP connect will fail.

Anyways, the choice for different behavior is there, select it
to suit your tastes.