Re: a couple of comments on xfrm
From: Brian Buesker
Date: Wed Mar 31 2004 - 11:49:03 EST
David S. Miller wrote:

> On Tue, 30 Mar 2004 11:18:51 +0200
> John Williams Floroiu <floroiu@xxxxxxxxxxxxxxxxxxx> wrote:
>
> > Brian and I were discussing offline the issue of structuring
> > the policies in a better way than a list, so that some kind of
> > automation in dealing with them would be possible.
> > The basic question that we tried to find an answer to was what should
> > be done if a datagram matches more policies and, more specifically,
> > how the "best" policy in the SPD rather than the first policy in the SPD
> > list could be determined.
>
> Like for firewalling, people want an ordered list.
> When adding/deleting policies, order can be imposed using priorities,
> but other than that 'first match in list' is the thing to do.

Ok, then given that it has to stay the way it is, what is the best way
to extend the PF_KEY interface to allow specifying the priority? The two
options that seem possible are:

1. Use the sadb_x_policy_reserved2 field of struct sadb_x_policy to
indicate the priority.

2. Define a new extension header that includes the priority and

I think the second may be preferable as it allows the specification of
the interface index as well. I realize that using the XFRM interface is
the preferred solution, and that is a future goal for racoon and setkey,
but having the support for these two fields in the PF_KEY interface
would allow racoon and setkey to be more easily extended to support
priorities and interface indices. Would one of the two above extensions
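As an added illustration, not code from this thread or from the kernel, here is a toy SPD in C that implements the semantics David Miller describes above: the policies live in an ordered list, a priority only decides where a new policy is inserted, and lookup is plain "first match in list". It assumes a lower numeric priority is consulted first, that equal priorities keep insertion order, and a reduced IPv4 selector (source/destination prefix and protocol); none of these details are taken from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy selector. Assumption: a real selector carries more
   fields (ports, address family, interface index, ...). */
struct sel {
    uint32_t saddr, smask;   /* source prefix, host byte order */
    uint32_t daddr, dmask;   /* destination prefix, host byte order */
    uint8_t  proto;          /* upper-layer protocol, 0 = any */
};

enum action { POL_DISCARD = 0, POL_BYPASS = 1, POL_IPSEC = 2 };

struct policy {
    uint32_t id;
    uint32_t priority;       /* assumed convention: lower value = consulted first */
    struct sel sel;
    enum action act;
    struct policy *next;
};

static struct policy *spd_head;  /* the ordered SPD list */
static uint32_t next_id = 1;

/* Insert keeping ascending priority. The '<=' keeps equal priorities in
   insertion order, so among equals 'first match' still means 'oldest first'. */
uint32_t spd_add(uint32_t priority, struct sel s, enum action act)
{
    struct policy *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->id = next_id++;
    p->priority = priority;
    p->sel = s;
    p->act = act;

    struct policy **pp = &spd_head;
    while (*pp && (*pp)->priority <= priority)
        pp = &(*pp)->next;
    p->next = *pp;
    *pp = p;
    return p->id;
}

static int sel_match(const struct sel *s, uint32_t saddr, uint32_t daddr, uint8_t proto)
{
    if ((saddr & s->smask) != (s->saddr & s->smask)) return 0;
    if ((daddr & s->dmask) != (s->daddr & s->dmask)) return 0;
    if (s->proto && s->proto != proto) return 0;
    return 1;
}

/* First match in list order wins; NULL when no policy matches. */
const struct policy *spd_lookup(uint32_t saddr, uint32_t daddr, uint8_t proto)
{
    for (const struct policy *p = spd_head; p; p = p->next)
        if (sel_match(&p->sel, saddr, daddr, proto))
            return p;
    return NULL;
}

void spd_flush(void)
{
    while (spd_head) {
        struct policy *p = spd_head;
        spd_head = p->next;
        free(p);
    }
    next_id = 1;
}

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}
static uint32_t mask(int bits) { return bits == 0 ? 0 : 0xffffffffu << (32 - bits); }

/* A datagram matching two policies: the broad bypass rule was added first,
   but the more specific IPsec rule carries a lower (earlier) priority. */
enum action demo_priority_wins(void)
{
    spd_flush();
    struct sel any10 = { ip4(10,0,0,0), mask(8), 0, 0, 0 };
    spd_add(100, any10, POL_BYPASS);
    struct sel host = { ip4(10,1,2,3), mask(32), ip4(192,168,0,0), mask(16), 6 };
    spd_add(10, host, POL_IPSEC);
    const struct policy *p = spd_lookup(ip4(10,1,2,3), ip4(192,168,5,5), 6);
    return p ? p->act : POL_DISCARD;   /* POL_IPSEC: priority moved it first */
}

/* Same two selectors with equal priority: insertion order decides. */
uint32_t demo_equal_priority(void)
{
    spd_flush();
    struct sel any10 = { ip4(10,0,0,0), mask(8), 0, 0, 0 };
    uint32_t first = spd_add(50, any10, POL_DISCARD);
    struct sel host = { ip4(10,1,2,3), mask(32), ip4(192,168,0,0), mask(16), 6 };
    spd_add(50, host, POL_IPSEC);
    const struct policy *p = spd_lookup(ip4(10,1,2,3), ip4(192,168,5,5), 6);
    return p ? p->id : 0;              /* id of the first-added policy */
    (void)first;
}

int main(void)
{
    printf("priority case -> action %d\n", demo_priority_wins());
    printf("equal-priority case -> policy id %u\n", demo_equal_priority());
    spd_flush();
    return 0;
}
```

The second scenario is the one worth remembering when adding policies from a tool such as setkey: two overlapping policies with the same priority are not ambiguous, they are resolved by the order in which they were added, exactly as firewall rules are.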