From: "Timo Teräs" <timo.teras@iki.fi>
To: David Miller <davem@davemloft.net>
Cc: herbert@gondor.apana.org.au, netdev@vger.kernel.org
Subject: Re: [PATCH] af_key: parse and send SADB_X_EXT_NAT_T_OA extension
Date: Thu, 22 Jan 2009 07:56:57 +0200 [thread overview]
Message-ID: <49780AA9.9050508@iki.fi> (raw)
In-Reply-To: <20090121.144054.70937985.davem@davemloft.net>
David Miller wrote:
> From: Herbert Xu <herbert@gondor.apana.org.au>
> Date: Thu, 22 Jan 2009 09:33:29 +1100
>
>> Timo Teras <timo.teras@iki.fi> wrote:
>>> Parse and send SADB_X_EXT_NAT_T_OA along with other NAT-T extensions.
>>>
>>> Signed-off-by: Timo Teras <timo.teras@iki.fi>
>> Whatever application that you have in mind that's going to use
>> this should switch over to netlink.
>
> Agreed, I won't be applying this patch.
It's for ipsec-tools. Currently the NAT OA in xfrm structs isn't
really used, but I need it later when implementing the NHRP/GRE/NAT
traversal I've sent couple mails about [1,2].
I do understand that netlink/xfrm is better, and I have it on
my long todo list. But rewriting 30-40 thousand lines of code
isn't going to happen that soon.
Is there any particular reason why setting NAT-OA info should/
must be done using netlink? Or is this just a way to try to
put more pressure for the change to happen?
I find it very confusing that NAT_T_[SD]PORT are supported, but
NAT_T_OA is not which is part of the same set of extensions
(required by some other kernels to make nat-t work in first
place; to fix up the checksums in transport mode SAs).
Even though if kernel currently does not use that information it
might confuse applications to get mismatching information back.
Currently if pfkey adds an NAT_T SA, and someone queries it
via xfrm you get back a random NAT OA. It's because
pfkey_msg2xfrm_state() kmallocs() the encap struct but does not
zero out or copy in the encap_oa field. IMHO, it's better to
just copy the information. But checking that again now, it looks
like we would need to memset() the encap_oa also when NAT_T_OA
is not present.
Also I find it a bit confusing which things are to be allowed
in pfkey and which not. We've had bigger fixes/changes to pfkey
in past like MIGRATE rewrite, etc.
- Timo
[1] http://marc.info/?l=linux-netdev&m=122232910618099&w=4
[2] http://marc.info/?l=linux-netdev&m=123252926623554&w=2
next prev parent reply other threads:[~2009-01-22 5:57 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-21 7:34 [PATCH] af_key: parse and send SADB_X_EXT_NAT_T_OA extension Timo Teras
2009-01-21 22:33 ` Herbert Xu
2009-01-21 22:40 ` David Miller
2009-01-22 5:56 ` Timo Teräs [this message]
2009-01-22 6:03 ` David Miller
2009-01-22 6:14 ` Timo Teräs
2009-01-22 6:21 ` David Miller
2009-01-22 6:32 ` Herbert Xu
2009-01-22 6:39 ` Timo Teräs
2009-01-22 6:47 ` Herbert Xu
2009-01-22 6:54 ` Timo Teräs
2009-01-22 7:39 ` Herbert Xu
2009-01-22 8:31 ` Timo Teräs
2009-01-22 8:50 ` Herbert Xu
2009-01-22 9:24 ` Timo Teräs
2009-01-22 9:41 ` Herbert Xu
2009-01-22 10:00 ` Timo Teräs
2009-01-22 10:10 ` Herbert Xu
2009-01-23 6:18 ` Timo Teräs
2009-01-23 9:09 ` Herbert Xu
2009-01-22 6:22 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49780AA9.9050508@iki.fi \
--to=timo.teras@iki.fi \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).