Hi All,

I have a kind of feature request, which I'd like to try to implement. But I'm not a kernel hacker and terribly short on time, therefore I'd like to discuss this feature with you guys first to see if you like the idea.

I have a problem with the scalability of the SPD database. Because it's a linear list, sorted by priority, it's possible to make quite complex IPsec policies, but the list will grow enormously. Especially when using separate ports in the policy, matching various addresses, trying to encrypt the default route :), various protocols, etc. Due to caching this scalability might not be a problem for the kernel, but for me as maintainer it's quite daunting.

But the netfilter stack already has a very flexible, advanced traffic matching structure. It would be nice if we could use the netfilter mark as a match in the SPD. A similar approach exists in NetBSD, where it's possible to use a packet filter "tag" as an IPsec match.

I have been looking into the necessary changes to the kernel to use fwmark as an SPD match; attached is an unfinished, unclean, old patch against the Debian 2.6.9 source tree. As far as I know the pfkey interface is still very buggy. Patrick McHardy already pointed out one omission:

"One thing that is missing is setting fl->fwmark for policy checks of incoming packets in xfrm{46}_decode_session()"

I don't have a patch for the userland side yet. Hopefully I will have time to continue work on these patches in the coming month.

My question concerns the basics:
Do you agree that using the fwmark as an SPD key is a usable way to describe IPsec policies?
Would you consider applying such a patch to the kernel (or through POMng)?
In general, is this work a waste of time or am I hitting something here?

Thanks in advance,
Ludo.

-- 
Ludo Stellingwerff
V&S B.V. The Netherlands
ProTactive firewall solution.
Tel: +31 172 416116
Fax: +31 172 416124
site: www.protactive.nl