summaryrefslogtreecommitdiffstats
path: root/net/mpls/internal.h
diff options
context:
space:
mode:
authorRobert Shearman <rshearma@brocade.com>2015-04-22 12:14:38 +0200
committerDavid S. Miller <davem@davemloft.net>2015-04-22 20:24:54 +0200
commit37bde79979c3862c79294c62ddcef7efc477e4bf (patch)
treea2268a0a600ed3eb1e33df0f43bbd3c72c5e30e0 /net/mpls/internal.h
parentmpls: Per-device MPLS state (diff)
downloadlinux-37bde79979c3862c79294c62ddcef7efc477e4bf.tar.xz
linux-37bde79979c3862c79294c62ddcef7efc477e4bf.zip
mpls: Per-device enabling of packet input
An MPLS network is a single trust domain where the edges must be in control of what labels make their way into the core. The simplest way of ensuring this is for the edge device to always impose the labels, and not allow forward labeled traffic from untrusted neighbours. This is achieved by allowing a per-device configuration of whether MPLS traffic input from that interface should be processed or not. To be secure by default, the default state is changed to MPLS being disabled on all interfaces unless explicitly enabled and no global option is provided to change the default. Whilst this differs from other protocols (e.g. IPv6), network operators are used to explicitly enabling MPLS forwarding on interfaces, and with the number of links to the MPLS core typically fairly low this doesn't present too much of a burden on operators. Cc: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Robert Shearman <rshearma@brocade.com> Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/mpls/internal.h')
-rw-r--r--net/mpls/internal.h3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/mpls/internal.h b/net/mpls/internal.h
index 8090cb3099b4..693877d69606 100644
--- a/net/mpls/internal.h
+++ b/net/mpls/internal.h
@@ -23,6 +23,9 @@ struct mpls_entry_decoded {
};
struct mpls_dev {
+ int input_enabled;
+
+ struct ctl_table_header *sysctl;
};
struct sk_buff;