On Mon, 2005-09-05 at 13:45 +0200, Patrick McHardy wrote:
> Not sure why they're not marked as per-socket. Probably because
> sadb_x_policy_id is a KAME extension and KAME pf_key doesn't dump
> these policies with SADB_X_SPDDUMP. Racoon needs to skip them
> to avoid adding them to its internal SPD, they could conflict
> with global policies.
>
But as you can see without having some KAME extension or explicit flag
it resorts to some hack. I have a feeling they may have to put a
different hack for each OS that is not BSD derived.
> >>So how could we handle this?
> >>
> > We can disallow the explicit setting of any index which passes test
> > (index % 8 >= 3) - but it does seem to me the whole concept of reserving
> > those indices for per-socket policies is a bit of a hack and may need a
> > rethinking. Maybe we need to maintain a mark in the kernel for
> > per-socket polices and do the same as BSD?
>
> Disallowing this special case seems a bit inconsistent to me.
Well, those indices are "reserved" in a sense; so if we can get rid of
that special casing even better.
> We can
> deduce which are per-socket from the list they are contained in. We
> don't notify on per-socket policy change, perhaps we should also skip
> them when dumping in pf_key.
This sounds reasonable and would remove the necessity of special-casing
those indices.
cheers,
jamal
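An added sketch, not kernel code and not from anyone in this thread, of the two options the reply weighs: rejecting explicitly supplied indices in the reserved range versus carrying a per-socket mark and skipping marked policies when dumping. The index layout (direction in the low three bits, per-socket directions at dir + 3, generator stepped by 8) is assumed from the (index % 8 >= 3) test; all names here are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define POLICY_DIRS     3   /* assumption: in, out, fwd */
#define PER_SOCKET_BASE 3   /* per-socket dirs occupy slots 3..5 */

struct policy {
    uint32_t index;
    bool per_socket;        /* the explicit mark the thread proposes */
};

/* Constructed allocator: one generator stepped by 8, low three bits hold
 * the direction slot (global dir 0..2, per-socket dir + 3). */
uint32_t gen_index(uint32_t *gen, unsigned dir, bool per_socket)
{
    unsigned slot = per_socket ? dir + PER_SOCKET_BASE : dir;
    uint32_t idx = *gen | slot;
    *gen += 8;
    return idx;
}

/* Option 1: refuse a user-supplied index that lands in the reserved range. */
bool index_is_reserved(uint32_t index)
{
    return index % 8 >= PER_SOCKET_BASE;
}

/* Option 2: keep the mark and leave per-socket policies out of an SPD dump,
 * so userspace never sees them and cannot confuse them with global policies. */
size_t dump_global(const struct policy *pols, size_t n, uint32_t *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (!pols[i].per_socket)
            out[k++] = pols[i].index;
    return k;
}

int main(void)
{
    uint32_t gen = 0, out[3];
    struct policy pols[3] = {
        { gen_index(&gen, 1, false), false },   /* global, index 1 */
        { gen_index(&gen, 1, true),  true  },   /* per-socket, index 12 */
        { gen_index(&gen, 1, false), false },   /* global, index 17 */
    };
    size_t k = dump_global(pols, 3, out);
    for (size_t i = 0; i < k; i++)
        printf("dumped policy index %u (reserved=%d)\n",
               out[i], index_is_reserved(out[i]));
    return 0;
}
```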