On Wed, Jul 06, 2005 at 04:24:53PM -0400, jaegert wrote:
> The patch has been revised to attach the security context
> to the xfrm_state and xfrm_policy rather than the selector.

Thanks a lot for making the change, Trent.

> On input, the policy retrieved must also be authorized for the socket
> (at __xfrm_policy_check), and the security context of the policy must
> also match the security association being used.

This might be a silly question, as I probably don't understand this fully. There seems to be an apparent asymmetry in the implementation. The outbound packets are looked up with their originating socket, i.e., for TCP packets it's the TCP socket that originated the packet. But inbound packets seem to be looked up with socket set to NULL. Is this intended, or have I missed some subtle code in the patch? :)

> @@ -45,6 +61,12 @@ struct xfrm_selector
> uid_t user;
> };
>
> +/* All but the security field */
> +static inline int xfrm_selector_base_size(void)
> +{
> + return sizeof(struct xfrm_selector) - sizeof(struct xfrm_sec_ctx *);
> +}
> +

This function can probably be deleted now.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
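Review bot: the xfrm_selector_base_size() helper added after struct xfrm_selector (hunk @@ -45,6 +61,12 @@) computes sizeof(struct xfrm_selector) - sizeof(struct xfrm_sec_ctx *), which is only correct while the selector's trailing member is an xfrm_sec_ctx pointer; with the security context now attached to xfrm_state and xfrm_policy rather than the selector, as the cover text states, the selector has no such member and the result undersizes the struct by one pointer for any memcmp()/memcpy() caller that still uses it. Remove the helper along with its "All but the security field" comment, or, if a call site survives, express the size as offsetof() on the field actually being excluded so the arithmetic cannot silently drift from the struct layout.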