Daniil Stolnikov <danila.st@xxxxxxx> wrote: >> Like I said, if you want address ranges, ask the userland IPSEC daemon >> authors to synthesize it. > > In this letter, the mailing list http://marc.info/?l=strongswan-users&m=130613736616488&w=4 strongswan-users say that their product has support for IP ranges, but the stack of Linux is based on network masks. So I do not understand how this would work without the support at the kernel level? How will coordination of policies? Simple, you break a range policy into parts that can be expressed as network/mask and install multiple policies. The actual policies in the kernel just has to have the same effect as the one you negotiated with the other side, it does not have to look the same. This is also why you can do the same thing with masks + netfilter. Cheers, -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
