>>>>> "Andi" == Andi Kleen <ak@xxxxxxx> writes:
>> We are seeking opinions.
Andi> nfmark has the advantage that the routing code knows about it and
Andi> can manage the destination cache based on it (very useful for pmtu
Andi> security is basically on its way out; it was for a never completely
Andi> merged ipsec implementation from the fi/sinus firewalls guys and is
Andi> largely bitrotted now (e.g. a lot of stack modules won't maintain
Andi> it correctly anymore and probably never have). If you wanted to use
Andi> it you would need to fix it first.
What maintenance does it need?
skb_copy() seems to copy it, and it seems to get initialized to zero.
I think that is sufficient for our use.
Andi> cb is free for your use as long as you have the skb queued privately,
Andi> but it'll be destroyed as soon as you give it away.
1) We wish to set something in netfilter and/or advanced routing and examine
it in dev xmit. (for entering the tunnel)
2) We wish to set something in dev recv, and examine it in netfilter.
(for checking that the packet that exited the tunnel complied with policy)
Andi> I don't
Andi> understand your 64k comment.
We need at least 16 bits of value to set/examine. This is the security
policy identifier :-)
Andi> I would recommend using nfmark. As far as I can see you'll need
Andi> destination cache support anyways, and it gets you that for free.
Thanks. We'll use nfmark.
What will you guys use? We'll need between 16 and 32 bits of nfmark :-)
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
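As an added illustration, not code from the thread or from either poster, here is a userspace C model of the two uses laid out in the message: a policy id set by netfilter/routing and read at dev xmit to enter the tunnel, and a tunnel id recorded at dev recv and checked by netfilter against the inner packet's source. All struct and function names, the 16-bit mask and the sample policy table are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
/* Added example, not thread code: names are hypothetical; only the idea of
 * carrying a policy id in nfmark comes from the message. Low 16 bits hold the
 * id (the thread needs at least 16); upper bits stay free for other users. */
#define POLICY_MARK_MASK 0x0000ffffu

struct skb_model { uint32_t nfmark, saddr, daddr; }; /* stand-in for sk_buff */
struct policy { uint16_t id; uint32_t net, mask; };  /* id != 0; selector */

/* Constructed sample policy table (host-order IPv4). */
static const struct policy policies[] = {
	{ 1, 0x0a000100u, 0xffffff00u },   /* 10.0.1.0/24 via tunnel 1 */
	{ 2, 0x0a000200u, 0xffffff00u },   /* 10.0.2.0/24 via tunnel 2 */
};
#define NPOLICIES (sizeof policies / sizeof policies[0])
static uint32_t mark_set_policy(uint32_t m, uint16_t id)
{
	return (m & ~POLICY_MARK_MASK) | id;   /* preserve other users' bits */
}
static uint16_t mark_get_policy(uint32_t m) { return (uint16_t)(m & POLICY_MARK_MASK); }
static const struct policy *policy_for_addr(uint32_t addr)
{
	for (size_t i = 0; i < NPOLICIES; i++)
		if ((addr & policies[i].mask) == policies[i].net)
			return &policies[i];
	return NULL;
}

/* Use 1: netfilter/routing tags the packet by destination; dev xmit reads
 * the tag to choose the tunnel. Returns tunnel id, 0 = send in the clear. */
uint16_t outbound_classify(struct skb_model *skb)
{
	const struct policy *p = policy_for_addr(skb->daddr);
	if (p)
		skb->nfmark = mark_set_policy(skb->nfmark, p->id);
	return mark_get_policy(skb->nfmark);
}

/* Use 2: dev recv records which tunnel (0 = none) delivered the packet;
 * netfilter checks the inner source against that tunnel's selector, so a
 * peer cannot inject another tunnel's addresses and cleartext cannot claim
 * a protected source. Returns 1 if the packet complies with policy. */
int inbound_check(struct skb_model *skb, uint16_t tunnel_id)
{
	const struct policy *p;
	skb->nfmark = mark_set_policy(skb->nfmark, tunnel_id);   /* at recv */
	p = policy_for_addr(skb->saddr);                          /* at netfilter */
	return (p ? p->id : 0) == mark_get_policy(skb->nfmark);
}
```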