On Sun, 2005-08-05 at 17:23 +0200, Patrick McHardy wrote:
> Allowing the user to freely set indices breaks racoon:
> #ifdef __linux__
> /* bsd skips over per-socket policies because there will be no
> * src and dst extensions in spddump messages. On Linux the only
> * way to achieve the same is check for policy id. */
> if (xpl->sadb_x_policy_id % 8 >= 3) return 0;
I can see where the %8 >= 3 comes from.
[per-socket creation calls xfrm_gen_index(XFRM_POLICY_MAX+dir)
and the kernel does things in increments of 8]
I didn't quite understand that check in racoon: why this guesswork? If
per-socket policies need to be identified, why don't they get explicitly
marked as per-socket somehow? I am actually curious why that check is
needed. Sorry, I have never stared at the racoon code. Do other IKE/ISAKMP
daemons depend on it?
> So how could we handle this?
We can disallow the explicit setting of any index which passes the test
(index % 8 >= 3) - but it does seem to me the whole concept of reserving
those indices for per-socket policies is a bit of a hack and may need a
rethinking. Maybe we need to maintain a mark in the kernel for
per-socket policies and do the same as BSD?