    xfrm: allow to avoid copying DSCP during encapsulation · a947b0a9
    Nicolas Dichtel authored
    By default, DSCP is copied during encapsulation.
    Copying the DSCP in IPsec tunneling may be a bit dangerous because packets with
    different DSCP may get reordered relative to each other in the network and then
    dropped by the remote IPsec GW if the reordering becomes too big compared to the
    replay window.
    
    It is possible to avoid this copy with netfilter rules, but it's very convenient
    to be able to configure it for each SA directly.
    
    This patch adds a toggle for this purpose. By default, it's not set to maintain
    backward compatibility.
    
    Field flags in struct xfrm_usersa_info is full, hence I add a new attribute.
    Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
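
The failure mode described in the commit message, as an added example that is not part of the commit or the kernel source: a sliding-window anti-replay check on the receiving gateway, fed traffic in which packets of one DSCP class arrive late. Assumptions: a 32-packet replay window, every fourth packet being low priority, and the hypothetical names `replay_accept`, `simulate`, `lag` and `copy_dscp`.

```c
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 32u  /* assumed anti-replay window size, in packets */

struct replay_state { uint32_t top; uint32_t bitmap; };

/* Sliding-window anti-replay check: 1 = accept, 0 = drop. */
static int replay_accept(struct replay_state *rs, uint32_t seq)
{
    if (seq > rs->top) {                       /* packet advances the window */
        uint32_t shift = seq - rs->top;
        rs->bitmap = shift < REPLAY_WINDOW ? (rs->bitmap << shift) | 1u : 1u;
        rs->top = seq;
        return 1;
    }
    uint32_t off = rs->top - seq;
    if (off >= REPLAY_WINDOW || (rs->bitmap & (1u << off)))
        return 0;                              /* too old, or a duplicate */
    rs->bitmap |= 1u << off;
    return 1;
}

/*
 * Constructed traffic: n packets on one SA, every 4th one low priority.
 * If the inner DSCP is copied to the outer header, low-priority packets
 * arrive `lag` packet slots late; otherwise all packets stay in order.
 * Returns the number of packets the receiver drops.
 */
static unsigned simulate(uint32_t n, uint32_t lag, int copy_dscp)
{
    struct replay_state rs = { 0, 0 };
    unsigned dropped = 0;
    if (!copy_dscp) lag = 0;                   /* one class, no reordering */
    for (uint32_t t = 1; t <= n + lag; t++) {
        uint32_t late = t - lag;               /* delayed packet due at slot t */
        if (t > lag && late % 4 == 0)
            dropped += !replay_accept(&rs, late);
        if (t <= n && t % 4 != 0)              /* on-time high-priority packet */
            dropped += !replay_accept(&rs, t);
    }
    return dropped;
}

int main(void)
{
    printf("copy, lag 8:  %u dropped\n", simulate(1000, 8, 1));
    printf("copy, lag 40: %u dropped\n", simulate(1000, 40, 1));
    printf("no copy:      %u dropped\n", simulate(1000, 40, 0));
    return 0;
}
```

Reordering that stays inside the window costs nothing; once the delay exceeds the window, the delayed class is dropped almost entirely even though every packet is authentic.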
xfrm6_mode_tunnel.c 3.03 KB