On Thu, Aug 04, 2005 at 06:48:18AM -0700, David S. Miller wrote:
>
> When you add an SA, you have to place it somewhere, don't you?
> And that "where" (be it one policy template, or many) are
> what you use to decide which policy for which to do the DST
> flush.

Unfortunately, it goes straight into the SADB as (daddr, spi, proto).

When policies are resolved during the xfrm_lookup for outbound flows, the best SA is then found from the SADB by iterating through all SAs with the same daddr as the template.

So given a policy you can easily find the SAs for it. However, going in the opposite direction requires you to walk through all policies.

I suppose we could add another cache that hashes all the policies by their template destination addresses.

> Anyways, I'm not going to listen to the "userland can fix this"
> arguments any longer. The kernel needs to implement consistency
> here, even if arguably stupid things occur.

Alright, let stupid things occur then :) But at least guard it with a sysctl or something.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
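A toy user-space model of the reverse lookup discussed in the message above, added here as an illustration; it is not code from the thread or from the kernel. All struct, function and variable names are hypothetical, and the sample policies are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define NBUCKETS 16

struct policy {
    uint32_t tmpl_daddr;   /* destination address of the policy's template */
    int dst_flushed;       /* set when the policy's cached dst entries are dropped */
    struct policy *next;   /* chain inside one hash bucket */
};

/* Hypothetical cache: policies hashed by template destination address. */
struct policy *by_daddr[NBUCKETS];

/* Constructed sample policies (documentation address ranges). */
struct policy sample[] = {
    { 0xC0000201u, 0, NULL },  /* 192.0.2.1 */
    { 0xC6336402u, 0, NULL },  /* 198.51.100.2, lands in the same bucket */
    { 0xC0000201u, 0, NULL },  /* 192.0.2.1, second policy with that template */
};

unsigned hash_daddr(uint32_t daddr)
{
    return (daddr ^ (daddr >> 16)) % NBUCKETS;
}

void index_policies(void)
{
    for (size_t i = 0; i < NBUCKETS; i++)
        by_daddr[i] = NULL;
    for (size_t i = 0; i < sizeof(sample) / sizeof(sample[0]); i++) {
        unsigned h = hash_daddr(sample[i].tmpl_daddr);
        sample[i].dst_flushed = 0;
        sample[i].next = by_daddr[h];
        by_daddr[h] = &sample[i];
    }
}

/* An SA (daddr, spi, proto) was added: visit one bucket instead of walking
 * every policy, and flush only policies whose template daddr matches. */
int sa_added(uint32_t daddr)
{
    int n = 0;
    for (struct policy *p = by_daddr[hash_daddr(daddr)]; p; p = p->next)
        if (p->tmpl_daddr == daddr) { p->dst_flushed = 1; n++; }
    return n;
}

int main(void)
{
    index_policies();
    return sa_added(0xC0000201u) == 2 ? 0 : 1;
}
```

The two sample addresses hash to the same bucket, so the equality check inside the loop is what keeps the unrelated policy from being flushed.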