| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 Jun 2020 11:24:17 +0200
From: Tobias Brunner <tobias@...ongswan.org>
To: Xin Long <lucien.xin@...il.com>
Cc: network dev <netdev@...r.kernel.org>,
Steffen Klassert <steffen.klassert@...unet.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
Sabrina Dubroca <sd@...asysnail.net>,
Yuehaibing <yuehaibing@...wei.com>,
Andreas Steffen <andreas.steffen@...ongswan.org>
Subject: Re: [PATCHv2 ipsec] xfrm: fix a warning in xfrm_policy_insert_list
Hi Xin,
> For 'new/update/del', we should do an exact match with
> "mark.v == pol->mark.v && mark.m == pol->mark.m", as these are MSGs to
> manage the policies, every policy should be able to be matched.
Agreed, using an exact match for mark/mask would probably make the most
sense here.
> But for 'get', I'm not sure, shouldn't it be working as how it's used
> in skb rx/tx path, like in xfrm_policy_match()?
> (similar to 'ip route get')
> But maybe for ipsec userland it may be different, what do you think?
Interesting idea. But I don't think it currently has the same semantics
as RTM_GETROUTE, i.e. you don't pass it e.g. some IP addresses and get
the "best" matching policy back. We use it to query stats (curlft) of a
specific policy. Basically, we expect to get back the policy added with
XFRM_MSG_NEWPOLICY or updated with XFRM_MSG_UPDPOLICY when we pass the
same selector/mark. So I think it should work the same way as the
manipulation operations (i.e. it can continue to share the code path
with delete).
Regards,
Tobias
Powered by blists - more mailing lists