lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 05 Mar 2008 13:40:20 -0800 (PST) From: David Miller <davem@...emloft.net> To: kazunori@...azawa.org Cc: netdev@...r.kernel.org, usagi-core@...ux-ipv6.org Subject: Re: [PATCH][IPSEC] inter address family IPsec tunnel on the fly From: Kazunori MIYAZAWA <kazunori@...azawa.org> Date: Wed, 5 Mar 2008 21:37:27 +0900 > Hello David, Hello, > This patch fix inter address family ipsec tunneling > when we install IPsec SA via PF_KEY interface > because there are no interface to set the selector. > > This patch is for net-2.6 > > Signed-off-by: Kazunori MIYAZAWA <miyazawa@...ux-ipv6.org> > Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org> It seems quite excessive to grab and release the module reference count during every packet input/output which happens through IPSEC tunnels. The whole reason we store the mode information in the state is so that we only have to grab the reference during IPSEC rule addition, instead of during packet processing. Having to export xfrm_mode_{get,put} from xfrm_state.c is a sure sign of trouble :-) Is there some way we can simply propagate the correct setting to x->inner_mode? I also wonder if the PF_KEY limitation really exists. For example we will set x->sel.family etc. from the SADB_EXT_ADDRESS_PROXY attribute if present. Finally, if the determination can be made in the data path, it by definition could be made during rule insertion which is much more efficient and appropriate. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists