| To: | Patrick McHardy <kaber@xxxxxxxxx> |
|---|---|
| Subject: | Re: resend patch: xfrm policybyid |
| From: | jamal <hadi@xxxxxxxxxx> |
| Date: | Sun, 08 May 2005 13:23:58 -0400 |
| Cc: | Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, netdev <netdev@xxxxxxxxxxx> |
| In-reply-to: | <427E2F0D.4040902@xxxxxxxxx> |
| Organization: | unknown |
| References: | <20050505213239.GA29526@xxxxxxxxxxxxxxxxxxx> <1115331436.8006.112.camel@xxxxxxxxxxxxxxxxxxxxx> <20050505231210.GA30574@xxxxxxxxxxxxxxxxxxx> <1115342122.7660.25.camel@xxxxxxxxxxxxxxxxxxxxx> <20050506013125.GA31780@xxxxxxxxxxxxxxxxxxx> <1115345403.7660.49.camel@xxxxxxxxxxxxxxxxxxxxx> <20050506085404.GA26719@xxxxxxxxxxxxxxxxxxx> <1115380381.7660.123.camel@xxxxxxxxxxxxxxxxxxxxx> <20050507105500.GA20283@xxxxxxxxxxxxxxxxxxx> <1115469496.19561.41.camel@xxxxxxxxxxxxxxxxxxxxx> <20050508080730.GA30512@xxxxxxxxxxxxxxxxxxx> <1115562643.19561.148.camel@xxxxxxxxxxxxxxxxxxxxx> <427E2F0D.4040902@xxxxxxxxx> |
| Reply-to: | hadi@xxxxxxxxxx |
| Sender: | netdev-bounce@xxxxxxxxxxx |
On Sun, 2005-08-05 at 17:23 +0200, Patrick McHardy wrote:
> Allowing the user to freely set indices breaks racoon:
>
> #ifdef __linux__
> /* bsd skips over per-socket policies because there will be no
>  * src and dst extensions in spddump messages. On Linux the only
>  * way to achieve the same is check for policy id.
>  */
> if (xpl->sadb_x_policy_id % 8 >= 3)
>         return 0;
> #endif
>

I can see where the %8 >= 3 comes from. [per-socket creation calls
xfrm_gen_index(XFRM_POLICY_MAX+dir) and the kernel does things in
increments of 8]

I didn't quite understand that check in racoon: why this guesswork?
If per-socket policies need to be identified, why don't they get
explicitly marked as per-socket somehow? I am actually curious why
that check is needed. Sorry, have never stared at the racoon code.
Do other IKE/ISAKMP daemons depend on it?

> So how could we handle this?
>

We can disallow the explicit setting of any index which passes the
test (index % 8 >= 3) - but it does seem to me the whole concept of
reserving those indices for per-socket policies is a bit of a hack
and may need a rethinking. Maybe we need to maintain a mark in the
kernel for per-socket policies and do the same as BSD?

cheers,
jamal
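The index layout behind the "% 8 >= 3" heuristic, and the "disallow user-set indices in that range" idea from the reply, written out as a small model. This is an added example, not code from the thread, the kernel or racoon. It assumes XFRM_POLICY_MAX is 3 (IN, OUT, FWD), that the kernel's generator advances by 8 per policy with the direction in the low three bits (so per-socket policies, allocated with XFRM_POLICY_MAX + dir, land in residue classes 3..5), and that an index of 0 means "let the kernel choose"; the function names are the example's own.

```c
/* Added model of the xfrm policy index layout discussed in the thread.
 * Not kernel or racoon code. Assumptions: XFRM_POLICY_MAX == 3, the kernel
 * generator steps by 8 with the direction in the low three bits, per-socket
 * policies are allocated with XFRM_POLICY_MAX + dir, and index 0 is "unset". */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define XFRM_POLICY_IN  0
#define XFRM_POLICY_OUT 1
#define XFRM_POLICY_FWD 2
#define XFRM_POLICY_MAX 3

/* Stands in for the kernel's private index generator (assumed layout). */
static uint32_t idx_generator;

/* Model of allocation: advance by 8, OR in the direction. A per-socket
 * policy passes XFRM_POLICY_MAX + dir, giving a residue of 3, 4 or 5. */
uint32_t model_gen_index(int dir)
{
    idx_generator += 8;
    return idx_generator | (uint32_t)dir;
}

/* The racoon heuristic quoted above: residue >= 3 is read as per-socket. */
bool looks_per_socket(uint32_t index)
{
    return index % 8 >= 3;
}

/* Direction recovered from the low bits, folded back into IN/OUT/FWD. */
int index_dir(uint32_t index)
{
    int d = (int)(index & 7);
    return d >= XFRM_POLICY_MAX ? d - XFRM_POLICY_MAX : d;
}

/* Check for a user-supplied index on a global (non-socket) policy in
 * direction dir. Implements the proposal from the reply (reject anything
 * that passes index % 8 >= 3) and additionally requires the low bits to
 * name the direction the policy is being inserted into, so a caller cannot
 * make an OUT policy carry an IN-looking id. Returns true when acceptable. */
bool user_index_ok(uint32_t index, int dir)
{
    if (index == 0)                    /* assumed: 0 means "kernel picks" */
        return true;
    if (looks_per_socket(index))       /* would be skipped by racoon's spddump */
        return false;
    if ((int)(index & 7) != dir)       /* direction bits disagree with dir */
        return false;
    return true;
}

int main(void)
{
    uint32_t global = model_gen_index(XFRM_POLICY_OUT);
    uint32_t sock   = model_gen_index(XFRM_POLICY_MAX + XFRM_POLICY_OUT);

    printf("global OUT policy index %u -> per-socket? %d\n",
           global, looks_per_socket(global));
    printf("socket OUT policy index %u -> per-socket? %d, dir %d\n",
           sock, looks_per_socket(sock), index_dir(sock));
    printf("user index 11 for IN policy accepted? %d\n",
           user_index_ok(11, XFRM_POLICY_IN));
    printf("user index 9 for OUT policy accepted? %d\n",
           user_index_ok(9, XFRM_POLICY_OUT));
    return 0;
}
```

The point the model makes explicit is that the heuristic only works while the kernel is the sole allocator: once a user can write an arbitrary index, a global policy with residue 3..5 is silently dropped from racoon's view of the SPD, which is exactly the breakage the quoted message describes.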