[XFRM] Allow transport SAs even when there is no policy

netdev

[XFRM] Allow transport SAs even when there is no policy

To:	Patrick McHardy <kaber@xxxxxxxxx>
Subject:	[XFRM] Allow transport SAs even when there is no policy
From:	Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date:	Tue, 19 Oct 2004 07:43:26 +1000
Cc:	"David S. Miller" <davem@xxxxxxxxxx>, netdev@xxxxxxxxxxx, ipsec-tools-devel@xxxxxxxxxxxxxxxxxxxxx
In-reply-to:	<417428CF.2050802@trash.net>
References:	<4172943B.8050904@trash.net> <20041017212317.GA28615@gondor.apana.org.au> <4172F1AB.4020305@trash.net> <20041017231258.GA29294@gondor.apana.org.au> <417428CF.2050802@trash.net>
Sender:	netdev-bounce@xxxxxxxxxxx
User-agent:	Mutt/1.5.6+20040722i

On Mon, Oct 18, 2004 at 10:34:23PM +0200, Patrick McHardy wrote:
> 
> > More importantly that it'll stick out like a sore thumb in terms of
> >
> > its semantics.
> 
> __xfrm_policy_check already rejects packets without a matching policy
> and skb->sp set, but it is skipped while the policy list is empty.
> What, from a semantics point of view, would be wrong with making
> xfrm_policy_check behave the same way ?

Good catch.  That was a bug introduced by yours truly :)

What I meant to say is all packets with tunnel mode SAs should be
rejected since we don't allow optional tunnel transforms for security
reasons.

This patch fixes it.

Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

p
Description: Text document

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward, Patrick McHardy Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward, Herbert Xu Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward, Patrick McHardy Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward, Patrick McHardy Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward, Herbert Xu Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward, Patrick McHardy [XFRM] Allow transport SAs even when there is no policy, Herbert Xu <= Re: [XFRM] Allow transport SAs even when there is no policy, Patrick McHardy Re: [XFRM] Allow transport SAs even when there is no policy, Herbert Xu Re: [XFRM] Allow transport SAs even when there is no policy, David S. Miller Re: [XFRM] Allow transport SAs even when there is no policy, David S. Miller Re: [Ipsec-tools-devel] Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward, Aidas Kasparas Re: [Ipsec-tools-devel] Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward, Patrick McHardy Re: [Ipsec-tools-devel] Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward, Aidas Kasparas Re: [Ipsec-tools-devel] Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward, Herbert Xu

Previous by Date:	[PATCH][ATM]: point to multipoint signalling (from ekinzie@cmf.nrl.navy.mil), chas williams (contractor)
Next by Date:	Re: [PATCH 2.6.9] hp100: use module_param and netdev_priv, Jean Tourrilhes
Previous by Thread:	Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward, Patrick McHardy
Next by Thread:	Re: [XFRM] Allow transport SAs even when there is no policy, Patrick McHardy
Indexes:	[Date] [Thread] [Top] [All Lists]