Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_for

To: Patrick McHardy <kaber@xxxxxxxxx>
Subject: Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 18 Oct 2004 09:12:58 +1000
Cc: "David S. Miller" <davem@xxxxxxxxxx>, netdev@xxxxxxxxxxx, ipsec-tools-devel@xxxxxxxxxxxxxxxxxxxxx
In-reply-to: <4172F1AB.4020305@xxxxxxxxx>
References: <4172943B.8050904@xxxxxxxxx> <20041017212317.GA28615@xxxxxxxxxxxxxxxxxxx> <4172F1AB.4020305@xxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040722i
On Mon, Oct 18, 2004 at 12:26:51AM +0200, Patrick McHardy wrote:
>
> I only looked for pfkey symbolic names. So it seems only racoon
> needs to be fixed.

Agreed.

> I think we should apply the attached patch
> to make xfrm_policy_check reject packets decapsulated by IPsec
> without a policy for this direction, so people will notice
> something is wrong. It also prevents skipping checks against the

Well, it's too late to change the default policy.  People rely on the
default policy being allow, so changing it will wreak havoc.  Even if
you do it only for packets with an IPsec encapsulation by checking
skb->sp, it may still break people who use manual keying and rely on
the property that you can always add optional SAs.  More importantly,
it'll stick out like a sore thumb in terms of its semantics.

So let's just fix racoon.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

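The two behaviours being argued over above, as an added toy model that is not the kernel's xfrm code and not part of this thread. It keeps only the decision the thread is about: a packet for local delivery is looked up in the IN policy list, a forwarded packet in the FWD list, and when no policy matches the lookup either falls back to the allow default Herbert describes or, with the strict_decap flag that stands in for Patrick's proposal, drops the packet if it was decapsulated by IPsec (the model's `decapsulated` field plays the role of a non-NULL skb->sp). The addresses, selectors and both policy tables are constructed for the example; the "IN only" table stands for what a keying daemon installs when it does not know about the FWD direction.

```c
/* Added example: a simplified model of the inbound policy decision,
 * not the Linux kernel's xfrm_policy_check(). Addresses and policy
 * tables are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

enum dir    { DIR_IN, DIR_OUT, DIR_FWD };
enum action { ACT_ALLOW, ACT_BLOCK, ACT_IPSEC };   /* ACT_IPSEC: must be protected */

struct policy { enum dir dir; uint32_t src, dst; enum action action; };  /* src/dst 0 = any */
struct packet { uint32_t src, dst; bool decapsulated; bool forwarded; }; /* inner addresses */

static bool selector_matches(const struct policy *p, const struct packet *k)
{
    return (p->src == 0 || p->src == k->src) && (p->dst == 0 || p->dst == k->dst);
}

/* Returns true if the packet passes. A forwarded packet is looked up in
 * the FWD list, a locally delivered one in the IN list. When nothing
 * matches, strict_decap selects between the two behaviours in the thread:
 * false = default policy allow; true = drop a decapsulated packet that no
 * policy accounts for, so the missing policy is noticed. */
bool policy_check(const struct policy *pols, size_t n,
                  const struct packet *k, bool strict_decap)
{
    enum dir want = k->forwarded ? DIR_FWD : DIR_IN;
    for (size_t i = 0; i < n; i++) {
        if (pols[i].dir != want || !selector_matches(&pols[i], k))
            continue;
        switch (pols[i].action) {
        case ACT_BLOCK: return false;
        case ACT_IPSEC: return k->decapsulated;  /* cleartext where IPsec is required: drop */
        case ACT_ALLOW: return true;
        }
    }
    if (strict_decap && k->decapsulated)
        return false;   /* no policy for this direction: fail closed */
    return true;        /* default policy: allow */
}

/* Constructed topology: gateway GW terminates a tunnel from a peer whose
 * inner address is REMOTE; HOST sits behind GW and receives forwarded traffic. */
#define REMOTE IP(172, 16, 0, 9)
#define GW     IP(192, 0, 2, 1)
#define HOST   IP(10, 0, 0, 5)

/* Table A: only IN/OUT entries, no FWD entry for traffic to HOST. */
static const struct policy in_only[] = {
    { DIR_IN,  REMOTE, GW,   ACT_IPSEC },
    { DIR_OUT, GW,     REMOTE, ACT_IPSEC },
};
/* Table B: the same plus the FWD entry a daemon that knows about FWD installs. */
static const struct policy with_fwd[] = {
    { DIR_IN,  REMOTE, GW,   ACT_IPSEC },
    { DIR_OUT, GW,     REMOTE, ACT_IPSEC },
    { DIR_FWD, REMOTE, HOST, ACT_IPSEC },
};

/* Decapsulated packet to HOST, table A: nothing in the FWD list matches. */
bool forwarded_without_fwd_policy(bool strict)
{
    struct packet k = { REMOTE, HOST, true, true };
    return policy_check(in_only, sizeof in_only / sizeof in_only[0], &k, strict);
}

/* Same packet, table B: the FWD entry matches and the packet was protected. */
bool forwarded_with_fwd_policy(bool strict)
{
    struct packet k = { REMOTE, HOST, true, true };
    return policy_check(with_fwd, sizeof with_fwd / sizeof with_fwd[0], &k, strict);
}

/* Cleartext packet to HOST, table B: the FWD entry requires IPsec. */
bool cleartext_forwarded_with_fwd_policy(bool strict)
{
    struct packet k = { REMOTE, HOST, false, true };
    return policy_check(with_fwd, sizeof with_fwd / sizeof with_fwd[0], &k, strict);
}

/* Manual keying with no policies at all: an optional SA protected a packet
 * that no policy required to be protected. */
bool optional_sa_no_policy(bool strict)
{
    struct packet k = { REMOTE, GW, true, false };
    return policy_check(NULL, 0, &k, strict);
}

int main(void)
{
    printf("%-38s %-8s %s\n", "scenario", "default", "strict");
    printf("%-38s %-8d %d\n", "forwarded, no FWD policy",
           forwarded_without_fwd_policy(false), forwarded_without_fwd_policy(true));
    printf("%-38s %-8d %d\n", "forwarded, FWD policy present",
           forwarded_with_fwd_policy(false), forwarded_with_fwd_policy(true));
    printf("%-38s %-8d %d\n", "cleartext where FWD requires IPsec",
           cleartext_forwarded_with_fwd_policy(false), cleartext_forwarded_with_fwd_policy(true));
    printf("%-38s %-8d %d\n", "optional SA, no policies",
           optional_sa_no_policy(false), optional_sa_no_policy(true));
    return 0;
}
```

The first and last rows are the whole disagreement: with the allow default, a decapsulated packet that has no policy in its direction silently passes, so a daemon that only installs IN/OUT policies appears to work when forwarded packets are checked against the FWD list; the strict variant would expose that, but it would also drop the optional-SA case that manually keyed setups rely on, which is the breakage Herbert objects to.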