
Re: [PATCH 3/3 XFRM]: Fix invalid key for lookup of cached bundles

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [PATCH 3/3 XFRM]: Fix invalid key for lookup of cached bundles
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Mon, 07 Mar 2005 02:41:30 +0100
Cc: davem@xxxxxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <20050307012458.GA4335@gondor.apana.org.au>
References: <E1D7t0w-0008Qa-00@gondolin.me.apana.org.au> <422AF8D0.3010905@trash.net> <20050307012458.GA4335@gondor.apana.org.au>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.5) Gecko/20050106 Debian/1.7.5-1
Herbert Xu wrote:
> On Sun, Mar 06, 2005 at 01:34:24PM +0100, Patrick McHardy wrote:
>
>> How about this one? It keeps the DST_XFRM_TUNNEL flag and sets it on
>> the first xfrm_dst in a bundle. I know it doesn't really belong there,
>
> Actually, why do we need to treat tunnel mode differently here?
> In other words, why not just do the mark/tos checks unconditionally.
>
> Forwarded packets don't get a proper tos/mark setting for IPsec
> but that's a bug in itself.

Mainly to avoid excessively long lists of cached bundles in tunnel mode. The use of a single list for the cache is questionable, but the patch was supposed to fix a different issue. Restricting use of tos/mark to transport mode avoids having exploding lists that are easily remotely triggerable.

Regards
Patrick
