From: "Timo Teräs" <timo.teras@iki.fi>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: David Miller <davem@davemloft.net>, netdev@vger.kernel.org
Subject: Re: [PATCH] af_key: parse and send SADB_X_EXT_NAT_T_OA extension
Date: Thu, 22 Jan 2009 08:39:35 +0200 [thread overview]
Message-ID: <497814A7.3060302@iki.fi> (raw)
In-Reply-To: <20090122063206.GA11818@gondor.apana.org.au>
Herbert Xu wrote:
> On Wed, Jan 21, 2009 at 10:21:12PM -0800, David Miller wrote:
>>> I would not consider this a new feature. It just makes pfkey
>>> act consistently. If you don't want it supported, it'd make
>>> more sense to not #define SADB_X_EXT_NAT_T_OA and drop all of
>>> the verification code already present than to silently
>>> ignore it. Make kernel return an error if some tried using it.
>> Fair enough, sounds like a reasonable argument.
>>
>> Herbert what do you think? The proposal is that we just reflect the
>> value we get, rather than acting upon it.
>
> The only references to SADB_X_EXT_NAT_T_OA in our kernel currently
> are for the user => kernel direction. This patch does kernel =>
> user so I don't see a connection.
>
> In any case I just grabbed the latest ipsec-tools source and it
> doesn't use this stuff at all so IMO this is a new feature.
There hasn't been new release for ipsec-tools for a while.
It's been in ipsec-tools CVS since 2007-12-12. And I know many
who are using the CVS code in production.
Again, my argument is that the code does not modify any headers,
add/modify structures, extensions or messages. So in kernel
point of view it's not a new feature. From userland point of
view it makes kernel act consistently as now the kernel claims
to support something (by having the defines, checking it,
validating it) but just ignores it silently.
Now the split is artificial: the pfkey code knows about nat-oa
but silently ignores it instead of passing it to xfrm. It made
more sense if it was properly or not knowing at all about it.
- Timo
next prev parent reply other threads:[~2009-01-22 6:39 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-21 7:34 [PATCH] af_key: parse and send SADB_X_EXT_NAT_T_OA extension Timo Teras
2009-01-21 22:33 ` Herbert Xu
2009-01-21 22:40 ` David Miller
2009-01-22 5:56 ` Timo Teräs
2009-01-22 6:03 ` David Miller
2009-01-22 6:14 ` Timo Teräs
2009-01-22 6:21 ` David Miller
2009-01-22 6:32 ` Herbert Xu
2009-01-22 6:39 ` Timo Teräs [this message]
2009-01-22 6:47 ` Herbert Xu
2009-01-22 6:54 ` Timo Teräs
2009-01-22 7:39 ` Herbert Xu
2009-01-22 8:31 ` Timo Teräs
2009-01-22 8:50 ` Herbert Xu
2009-01-22 9:24 ` Timo Teräs
2009-01-22 9:41 ` Herbert Xu
2009-01-22 10:00 ` Timo Teräs
2009-01-22 10:10 ` Herbert Xu
2009-01-23 6:18 ` Timo Teräs
2009-01-23 9:09 ` Herbert Xu
2009-01-22 6:22 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=497814A7.3060302@iki.fi \
--to=timo.teras@iki.fi \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).