On Thu, Apr 28, 2005 at 11:21:35AM +1000, herbert wrote:
>
> I see. In that case you want to change your expression above
> so that the memcmp is never done if excl is off and the index
> is non-zero. Otherwise this will result in non-deterministic
> behaviour as the result will change depending on whether the
> first hit is an index match or a selector match.

Sorry, the index match needs more work. We need to maintain
these invariants:

1) There is only one policy with a given selector.
2) There is only one policy with a given index.

So to allow matching by index when updating, we need to deal
with the possibility of having to delete two existing policies.
The current code simply can't deal with that.

So if we're going to do this we'll need a bigger patch :)

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
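
The two-deletion case described in the message above, as an added example that is not part of the original mail and not kernel code: a userspace model of a policy table that keeps both invariants across an update. Every name in it (table, pol_insert, pol_count, the two-field selector) is hypothetical, and it assumes a zero index means no index was given.

```c
#include <stdint.h>
#include <string.h>

/* Userspace model only; every name here is hypothetical, not a kernel symbol. */
#define MAX_POL 8
struct sel { uint32_t saddr, daddr; };
struct pol { int used; uint32_t index; struct sel sel; };
static struct pol table[MAX_POL];

int pol_count(void)  /* number of live entries */
{
    int n = 0;
    for (int i = 0; i < MAX_POL; i++)
        n += table[i].used;
    return n;
}

/* Insert or update. An entry collides if it has the same selector or, when
 * index is non-zero (assumed: zero means no index given), the same index.
 * Returns entries replaced (0..2), -1 if excl is set and something collides,
 * -2 if the table is full. */
int pol_insert(uint32_t index, uint32_t saddr, uint32_t daddr, int excl)
{
    struct sel s = { saddr, daddr };
    int hits[2], nhits = 0, slot = -1;
    for (int i = 0; i < MAX_POL; i++) {
        struct pol *p = &table[i];
        if (!p->used) {
            slot = slot < 0 ? i : slot;
            continue;
        }
        if (!memcmp(&p->sel, &s, sizeof(s)) || (index && p->index == index)) {
            if (excl)
                return -1;
            hits[nhits++] = i;  /* the two invariants cap this at two */
        }
    }
    if (nhits)
        slot = hits[0];
    else if (slot < 0)
        return -2;
    for (int k = 0; k < nhits; k++)
        table[hits[k]].used = 0;  /* delete every colliding policy */
    table[slot] = (struct pol){ 1, index, s };
    return nhits;
}
```

Updating with the index of one existing policy and the selector of another returns 2: both are removed and a single entry remains, so neither invariant is broken.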