From: Patrick McHardy <kaber@trash.net>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@redhat.com>,
netdev@oss.sgi.com, ipsec-tools-devel@lists.sourceforge.net
Subject: Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward
Date: Mon, 18 Oct 2004 22:34:23 +0200 [thread overview]
Message-ID: <417428CF.2050802@trash.net> (raw)
In-Reply-To: <20041017231258.GA29294@gondor.apana.org.au>
Herbert Xu wrote:
>
>Well it's too late to change the default policy. People rely on the
>default policy being allow so changing it will wreak havoc. Even if
>you do it only for packets with an IPsec encapsulation by checking
>skb->sp it may still break people who use manual keying and rely on
>the property that you can always add optional SAs.
>
You're right.
> More importantly that it'll stick out like a sore thumb in terms of
>
> its semantics.
__xfrm_policy_check already rejects packets without a matching policy
and skb->sp set, but it is skipped while the policy list is empty.
What, from a semantics point of view, would be wrong with making
xfrm_policy_check behave the same way ?
>
>So let's just fix racoon.
>
Agreed. I have a patch I'm currently testing. Judging from a quick
grep isakmpd also doesn't add forward policies.
Regards
Patrick
next prev parent reply other threads:[~2004-10-18 20:34 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-10-17 15:48 [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward Patrick McHardy
2004-10-17 21:23 ` Herbert Xu
2004-10-17 22:26 ` Patrick McHardy
2004-10-17 22:42 ` Patrick McHardy
2004-10-17 23:12 ` Herbert Xu
2004-10-18 20:34 ` Patrick McHardy [this message]
2004-10-18 21:43 ` [XFRM] Allow transport SAs even when there is no policy Herbert Xu
2004-10-19 14:16 ` Patrick McHardy
2004-10-19 21:25 ` Herbert Xu
2004-10-21 5:04 ` David S. Miller
2004-10-21 5:02 ` David S. Miller
2004-10-19 15:31 ` [Ipsec-tools-devel] Re: [PATCH 2.6]: Check against correct policy list in ip_forward/ip6_forward Aidas Kasparas
2004-10-19 15:38 ` Patrick McHardy
2004-10-19 15:57 ` Aidas Kasparas
2004-10-19 21:26 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=417428CF.2050802@trash.net \
--to=kaber@trash.net \
--cc=davem@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=ipsec-tools-devel@lists.sourceforge.net \
--cc=netdev@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).