Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Mon, 18 Oct 2004 22:34:23 +0200
Cc: "David S. Miller" <davem@xxxxxxxxxx>, netdev@xxxxxxxxxxx, ipsec-tools-devel@xxxxxxxxxxxxxxxxxxxxx
In-reply-to: <20041017231258.GA29294@gondor.apana.org.au>
References: <4172943B.8050904@trash.net> <20041017212317.GA28615@gondor.apana.org.au> <4172F1AB.4020305@trash.net> <20041017231258.GA29294@gondor.apana.org.au>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413 Debian/1.6-5
Herbert Xu wrote:

> Well it's too late to change the default policy. People rely on the default policy being allow so changing it will wreak havoc. Even if you do it only for packets with an IPsec encapsulation by checking skb->sp it may still break people who use manual keying and rely on the property that you can always add optional SAs.

You're right.

> More importantly that it'll stick out like a sore thumb in terms of
> its semantics.

__xfrm_policy_check already rejects packets without a matching policy
and skb->sp set, but it is skipped while the policy list is empty.
What, from a semantics point of view, would be wrong with making
xfrm_policy_check behave the same way?


> So let's just fix racoon.

Agreed. I have a patch I'm currently testing. Judging from a quick
grep isakmpd also doesn't add forward policies.

Regards
Patrick
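As an added illustration, not part of this e-mail and not taken from racoon or isakmpd, here is a hand-written setkey(8) SPD for an IPsec gateway that tunnels traffic between two subnets. The addresses and subnets are constructed for the example. The point of the thread is that forwarded traffic is matched against policies in the forward direction, and that the IKE daemons named above only installed in/out entries; a manually configured gateway needs the `fwd` entry shown here (the `fwd` direction is Linux-specific) for forwarded packets to find a matching policy.

```conf
# Constructed example: gateway A (192.0.2.1) protects 10.0.1.0/24,
# peer gateway B (192.0.2.2) protects 10.0.2.0/24.
# Not from the original thread; Linux setkey(8) syntax.

# Local subnet -> remote subnet, leaving this gateway.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-192.0.2.2/require;

# Remote subnet -> local subnet, delivered to this host itself.
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    esp/tunnel/192.0.2.2-192.0.2.1/require;

# Remote subnet -> local subnet, forwarded by this gateway on to
# 10.0.1.0/24. This is the entry that in/out-only policy installation
# leaves out; without it a forwarded packet has no policy in the fwd
# direction to match.
spdadd 10.0.2.0/24 10.0.1.0/24 any -P fwd ipsec
    esp/tunnel/192.0.2.2-192.0.2.1/require;
```

Load it with `setkey -f <file>` and check with `setkey -DP`, which dumps the SPD; the forwarded direction should appear as a third entry next to the in and out policies.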

