From: David Miller <davem@davemloft.net>
To: kazunori@miyazawa.org
Cc: netdev@vger.kernel.org, usagi-core@linux-ipv6.org
Subject: Re: [PATCH][IPSEC] inter address family IPsec tunnel on the fly
Date: Wed, 05 Mar 2008 13:40:20 -0800 (PST) [thread overview]
Message-ID: <20080305.134020.05696990.davem@davemloft.net> (raw)
In-Reply-To: <20080305213727.35f46f2f.kazunori@miyazawa.org>
From: Kazunori MIYAZAWA <kazunori@miyazawa.org>
Date: Wed, 5 Mar 2008 21:37:27 +0900
> Hello David,
Hello,
> This patch fix inter address family ipsec tunneling
> when we install IPsec SA via PF_KEY interface
> because there are no interface to set the selector.
>
> This patch is for net-2.6
>
> Signed-off-by: Kazunori MIYAZAWA <miyazawa@linux-ipv6.org>
> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
It seems quite excessive to grab and release the module reference
count during every packet input/output which happens through IPSEC
tunnels.
The whole reason we store the mode information in the state is so that
we only have to grab the reference during IPSEC rule addition, instead
of during packet processing.
Having to export xfrm_mode_{get,put} from xfrm_state.c is a sure
sign of trouble :-)
Is there some way we can simply propagate the correct setting to
x->inner_mode?
I also wonder if the PF_KEY limitation really exists. For example we
will set x->sel.family etc. from the SADB_EXT_ADDRESS_PROXY attribute
if present.
Finally, if the determination can be made in the data path, it
by definition could be made during rule insertion which is much
more efficient and appropriate.
next prev parent reply other threads:[~2008-03-05 21:40 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-03-05 12:37 [PATCH][IPSEC] inter address family IPsec tunnel on the fly Kazunori MIYAZAWA
2008-03-05 21:40 ` David Miller [this message]
2008-03-07 6:32 ` Kazunori MIYAZAWA
2008-03-07 7:19 ` David Miller
2008-03-08 14:46 ` Kazunori MIAZAWA
2008-03-08 22:15 ` David Miller
2008-03-14 3:23 ` Kazunori MIYAZAWA
2008-03-21 11:20 ` David Miller
2008-03-24 7:16 ` Kazunori MIYAZAWA
2008-03-24 7:44 ` Kazunori MIYAZAWA
2008-03-24 7:49 ` David Miller
2008-03-24 21:53 ` David Miller
2008-03-24 7:48 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080305.134020.05696990.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=kazunori@miyazawa.org \
--cc=netdev@vger.kernel.org \
--cc=usagi-core@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).