| To: | Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: Minor IPSec bug + solution |
| From: | Martin Bouzek <martin.bouzek@xxxxxxxxxxxx> |
| Date: | 20 Sep 2004 09:49:49 +0200 |
| Cc: | Linux Kernel <linux-kernel@xxxxxxxxxxxxxxx>, davem@xxxxxxxxxxxxx, netdev@xxxxxxxxxxx |
| In-reply-to: | <20040917102720.GA14579@gondor.apana.org.au> |
| Organization: | Radas, s.r.o. |
| References: | <E1C83f1-0002X7-00@gondolin.me.apana.org.au> <1095413173.2708.106.camel@mabouzek> <20040917102720.GA14579@gondor.apana.org.au> |
| Reply-to: | martin.bouzek@xxxxxxxxxxxx |
| Sender: | netdev-bounce@xxxxxxxxxxx |
On Fri, 2004-09-17 at 12:27, Herbert Xu wrote: > On Fri, Sep 17, 2004 at 11:26:13AM +0200, Martin Bouzek wrote: > > > > > > function. For tunnels it returns > > > > > > > > tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, family); > > > > Well, I am not expierienced with the networking kernel code, > > nevertheless I still think the check is not correct. > > If you change the && to ||, then an ESP tunnel SA marked as required > can be matched by a simple IPIP SA with the same addresses. Ok. And would it be possible to check the protocols too (eg. tmpl->id.proto == x->id.proto)? If it is realy not possible to make the IPComp/required tunnel to work, it would be nice to mention it in for example the setkey man page. It could save quite lot of time to some people. (like me :-) ). |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: [PATCH 2.6] ip_nat_ftp - manip at the right place, Julian Anastasov |
|---|---|
| Next by Date: | Re: Kernel connector - userspace <-> kernelspace "linker"., Evgeniy Polyakov |
| Previous by Thread: | Re: Minor IPSec bug + solution, Herbert Xu |
| Next by Thread: | Re: Minor IPSec bug + solution, Herbert Xu |
| Indexes: | [Date] [Thread] [Top] [All Lists] |