Re: a couple of comments on xfrm

From: Brian Buesker
Date: Wed Mar 31 2004 - 11:49:03 EST

David S. Miller wrote:

> On Tue, 30 Mar 2004 11:18:51 +0200
> John Williams Floroiu <floroiu@xxxxxxxxxxxxxxxxxxx> wrote:
> 
> > Brian and I were discussing offline about the issue of structuring
> > the policies in a better way than a list, so that some kind of
> > automation in dealing with them would be possible.
> > 
> > The basic question that we tried to find an answer to was what should
> > be done if a datagram matches more than one policy and, more specifically,
> > how the "best" policy in the SPD rather than the first policy in the SPD
> > list could be determined.
> 
> Like for firewalling, people want an ordered list.
> 
> When adding/deleting policies, order can be imposed using priorities,
> but other than that 'first match in list' is the thing to do.

Ok, then given that it has to stay the way it is, what is the best way to extend the PF_KEY interface to allow specifying the priority? The two options that seem possible are:

1. Use the sadb_x_policy_reserved2 field of struct sadb_x_policy to indicate the priority.
2. Define a new extension header that includes the priority and interface index.

I think the second may be preferable as it allows the specification of the interface index as well. I realize that using the XFRM interface is the preferred solution, and that is a future goal for racoon and setkey, but having the support for these two fields in the PF_KEY interface would allow racoon and setkey to be more easily extended to support priorities and interface indices. Would one of the two above extensions be acceptable?
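An added example, not code from this thread or from the kernel: a toy SPD that applies exactly the rule David describes, where priority only fixes a policy's position at insert time and lookup is plain first-match. The selector fields, priority values and action labels are all constructed for illustration.

```c
/* Constructed example: an SPD kept as a priority-ordered list with
 * first-match lookup, i.e. no "best match" scoring at all. */
#include <stdint.h>
#include <string.h>

#define SPD_MAX 16

struct policy {
    uint32_t dst;        /* IPv4 destination, host byte order */
    uint8_t  prefixlen;  /* match on the top prefixlen bits of dst */
    uint8_t  proto;      /* IP protocol number, 0 = any */
    uint32_t priority;   /* lower value = earlier in the list */
    const char *action;  /* constructed label: "ipsec", "discard", "none" */
};

static struct policy spd[SPD_MAX];
static int spd_len;

void spd_reset(void) { spd_len = 0; }

/* Insert keeping ascending priority. Equal priorities keep insertion
 * order, so the "first match" rule stays deterministic for the admin.
 * Returns the slot the policy landed in, or -1 when the table is full. */
int spd_add(const struct policy *p)
{
    int i;
    if (spd_len >= SPD_MAX) return -1;
    for (i = spd_len; i > 0 && spd[i - 1].priority > p->priority; i--)
        spd[i] = spd[i - 1];
    spd[i] = *p;
    spd_len++;
    return i;
}

static int selector_match(const struct policy *p, uint32_t dst, uint8_t proto)
{
    uint32_t mask = p->prefixlen ? ~0u << (32 - p->prefixlen) : 0;
    if ((dst & mask) != (p->dst & mask)) return 0;
    return p->proto == 0 || p->proto == proto;
}

/* First policy in list order that matches wins; a broader policy that
 * sorts earlier shadows every narrower one behind it. */
const char *spd_lookup(uint32_t dst, uint8_t proto)
{
    for (int i = 0; i < spd_len; i++)
        if (selector_match(&spd[i], dst, proto)) return spd[i].action;
    return "none";  /* no policy: pass-through */
}
```

Giving the narrower policy the lower priority value is what makes it visible; with equal priorities, whichever was added first shadows the other, which is the ordering problem John raised.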
