| To: | Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward |
| From: | Patrick McHardy <kaber@xxxxxxxxx> |
| Date: | Mon, 18 Oct 2004 22:34:23 +0200 |
| Cc: | "David S. Miller" <davem@xxxxxxxxxx>, netdev@xxxxxxxxxxx, ipsec-tools-devel@xxxxxxxxxxxxxxxxxxxxx |
| In-reply-to: | <20041017231258.GA29294@xxxxxxxxxxxxxxxxxxx> |
| References: | <4172943B.8050904@xxxxxxxxx> <20041017212317.GA28615@xxxxxxxxxxxxxxxxxxx> <4172F1AB.4020305@xxxxxxxxx> <20041017231258.GA29294@xxxxxxxxxxxxxxxxxxx> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
| User-agent: | Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413 Debian/1.6-5 |
Herbert Xu wrote:

> Well it's too late to change the default policy. People rely on the default policy being allow so changing it will wreak havoc.
>
> Even if you do it only for packets with an IPsec encapsulation by checking skb->sp it may still break people who use manual keying and rely on the property that you can always add optional SAs.

You're right.

> More importantly that it'll stick out like a sore thumb in terms of its semantics.

__xfrm_policy_check already rejects packets without a matching policy and skb->sp set, but it is skipped while the policy list is empty. What, from a semantics point of view, would be wrong with making xfrm_policy_check behave the same way?

> So let's just fix racoon.

Agreed. I have a patch I'm currently testing. Judging from a quick grep isakmpd also doesn't add forward policies.

Regards
Patrick