| To: | Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: [XFRM] Allow transport SAs even when there is no policy |
| From: | "David S. Miller" <davem@xxxxxxxxxxxxx> |
| Date: | Wed, 20 Oct 2004 22:02:55 -0700 |
| Cc: | kaber@xxxxxxxxx, davem@xxxxxxxxxx, netdev@xxxxxxxxxxx, ipsec-tools-devel@xxxxxxxxxxxxxxxxxxxxx |
| In-reply-to: | <20041018214326.GA6589@gondor.apana.org.au> |
| References: | <4172943B.8050904@trash.net> <20041017212317.GA28615@gondor.apana.org.au> <4172F1AB.4020305@trash.net> <20041017231258.GA29294@gondor.apana.org.au> <417428CF.2050802@trash.net> <20041018214326.GA6589@gondor.apana.org.au> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
On Tue, 19 Oct 2004 07:43:26 +1000 Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote: > On Mon, Oct 18, 2004 at 10:34:23PM +0200, Patrick McHardy wrote: > > > > > More importantly that it'll stick out like a sore thumb in terms of > > > > > > its semantics. > > > > __xfrm_policy_check already rejects packets without a matching policy > > and skb->sp set, but it is skipped while the policy list is empty. > > What, from a semantics point of view, would be wrong with making > > xfrm_policy_check behave the same way ? > > Good catch. That was a bug introduced by yours truly :) > > What I meant to say is all packets with tunnel mode SAs should be > rejected since we don't allow optional tunnel transforms for security > reasons. > > This patch fixes it. > > Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Applied, thanks Herbert. |
| Previous by Date: | Re: [PATCH] Make netif_rx_ni preempt-safe, David S. Miller |
|---|---|
| Next by Date: | Re: [XFRM] Allow transport SAs even when there is no policy, David S. Miller |
| Previous by Thread: | Re: [XFRM] Allow transport SAs even when there is no policy, David S. Miller |
| Next by Thread: | Re: [Ipsec-tools-devel] Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward, Aidas Kasparas |
| Indexes: | [Date] [Thread] [Top] [All Lists] |