| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210722094324.GC893739@gauss3.secunet.de>
Date: Thu, 22 Jul 2021 11:43:24 +0200
From: Steffen Klassert <steffen.klassert@...unet.com>
To: Antony Antony <antony.antony@...unet.com>
CC: Herbert Xu <herbert@...dor.apana.org.au>,
Christian Langrock <christian.langrock@...unet.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, <netdev@...r.kernel.org>
Subject: Re: [PATCH v2 ipsec-next] xfrm: Add possibility to set the default
to block if we have no policy
On Sun, Jul 18, 2021 at 09:11:06AM +0200, Antony Antony wrote:
> From: Steffen Klassert <steffen.klassert@...unet.com>
>
> As the default we assume the traffic to pass, if we have no
> matching IPsec policy. With this patch, we have a possibility to
> change this default from allow to block. It can be configured
> via netlink. Each direction (input/output/forward) can be
> configured separately. With the default to block configuered,
> we need allow policies for all packet flows we accept.
> We do not use default policy lookup for the loopback device.
>
> v1->v2
> - fix compiling when XFRM is disabled
> - Reported-by: kernel test robot <lkp@...el.com>
>
> Signed-off-by: Steffen Klassert <steffen.klassert@...unet.com>
> Co-developed-by: Christian Langrock <christian.langrock@...unet.com>
> Signed-off-by: Christian Langrock <christian.langrock@...unet.com>
> Co-developed-by: Antony Antony <antony.antony@...unet.com>
> Signed-off-by: Antony Antony <antony.antony@...unet.com>
Applied, thanks for pushing this upstream Antony!
Powered by blists - more mailing lists