On Sun, Jun 01, 2003 at 01:10:21AM -0700, David S. Miller wrote: > > It is exactly the intention. The use expiration is meant to expire > the state X seconds after the first packet ever using that > transformation is created. Thanks for the explanation. I mixed up its semantics with the one in the SPD. Which brings up the reason I went looking there in the first place :) Would you object if I added use_time expiration for the SPD? In addition to expiring the policy which can be done within the timer function, I'd also like a mechanism to notify the key managers. I'm thinking of adding XFRM_MSG_POLEXPIRE for that purpose. Does this sound acceptable to you? The appliation I had in mind for this is to automatically expire pass policies which is added by FreeSWAN for every single failed Opportunistic negotiation. As you can imagine, on a busy host you'll soon end up with quite a number of those. If we had the use_time expiration feature, then unused pass policied can be cleaned up automatically (as it is, FreeSWAN scans the SPD periodically to get rid of them). -- Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ ) Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt - : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
