On 6 Feb 2013, at 15:30, Jamal Hadi Salim wrote:

> On 13-02-06 08:53 AM, Emmanuel Thierry wrote:
>> Actually, we didn't think about this problem since we work with priorities,
>> putting the default policy (without a mark) at a minor priority than the
>> marked one.
>
> I think priorities are the way to go in cases of ambiguity.
>
>> Your remark makes clearer the ideas behind the design of XFRM, but this
>> leads to an interesting concern. If on policy insertion, the policy were
>> inserted depending on the accuracy of the mark (the more the mask is
>> specific, the more the mark must be put at the beginning of the list), how
>> would we decide which is the more specific between these ones?
>>
>> ip -6 xfrm policy add src fd00::1/128 dst fd00::2/128 dir out mark 0x00000001 mask 0x00000005
>>
>> ip -6 xfrm policy add src fd00::1/128 dst fd00::2/128 dir out mark 0x00000001 mask 0x00000003
>
> They look different to me, no? i.e. I don't see a conflict - one has mark=5 and
> the other has mark=3.

I think you misread the example! Marks are both 1, masks are different.
This case is more complex than a policy with no mark (so mark=0 and mask=0) versus a policy with an exact mark (so mark=1 and mask=0xffffffff), and I wanted to know if the algorithm would take these kinds of cases into account.

Best regards
Emmanuel Thierry
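
The two policies from the message above, worked through as an added example (not code from the thread or from the kernel). It assumes a packet mark matches a policy when `(packet_mark & mask) == mark`; the struct and helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an XFRM policy mark: value v tested under mask m. */
struct mark { uint32_t v, m; };

/* Assumed match rule: the packet mark's masked bits must equal v. */
static int mark_matches(struct mark p, uint32_t pkt_mark)
{
    return (pkt_mark & p.m) == p.v;
}

/* a's mask covers b's mask when a tests every bit that b tests. */
static int mask_covers(struct mark a, struct mark b)
{
    return (a.m & b.m) == b.m;
}

/* Hypothetical ordering helper: 1 = a more specific, -1 = b more specific,
 * 0 = same mask, 2 = incomparable (each mask tests a bit the other ignores). */
static int compare_specificity(struct mark a, struct mark b)
{
    int ab = mask_covers(a, b), ba = mask_covers(b, a);
    if (ab && ba) return 0;
    if (ab) return 1;
    if (ba) return -1;
    return 2;
}

/* Count packet marks in [0, limit) that match both policies. */
static unsigned overlap_count(struct mark a, struct mark b, uint32_t limit)
{
    unsigned n = 0;
    for (uint32_t k = 0; k < limit; k++)
        n += mark_matches(a, k) && mark_matches(b, k);
    return n;
}

int main(void)
{
    struct mark p5 = { 0x1, 0x5 }, p3 = { 0x1, 0x3 };
    for (uint32_t k = 0; k < 8; k++)
        printf("pkt mark %u: mask 0x5 -> %d, mask 0x3 -> %d\n",
               (unsigned)k, mark_matches(p5, k), mark_matches(p3, k));
    printf("specificity: %d, overlapping marks below 8: %u\n",
           compare_specificity(p5, p3), overlap_count(p5, p3, 8));
    return 0;
}
```

Under that match rule a packet mark of 1 satisfies both policies, and neither mask is a subset of the other, so a mask-specificity ordering alone cannot rank them.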