On Sat, Jun 28, 2003 at 03:20:59PM +1000, herbert wrote:
>
> In fact, reading RFC 2367 and 2401 again, the solution is completely
> specified in there :) All tunnel SAs must carry source/destination
> identities with them which will in turn be used to check the inner
> source/destination addresses.

In fact, the information for this is already available in the form of
xfrm_state->sel. All we need to do is move the state selector check
from xfrm_policy_check to xfrm[46]_rcv_encap.

The selector check in xfrm_policy_check doesn't make sense anyway.
What if I've got an AH transport SA with a host to host selector
sitting outside an ESP tunnel SA? The check is bound to fail in
xfrm_policy_check.

Cheers,
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
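
Added example, not part of the original message and not kernel code: a userspace model of the AH-transport-outside-ESP-tunnel case described above, comparing a selector check run once against the final inner header with one run per SA as each is processed. The struct layouts, function names and addresses are constructed for illustration, and the rule that a transport SA sees the outer header while a tunnel SA exposes the inner one is an assumption of the model.

```c
#include <stdint.h>
#include <stdio.h>
/* Userspace model; hypothetical types, not the kernel's xfrm structures. */
struct hdr { uint32_t saddr, daddr; };
struct sel { uint32_t saddr, daddr; uint8_t splen, dplen; };
struct sa  { int tunnel; struct sel sel; };
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
/* True when a and b share their first plen bits (plen in 0..32). */
static int prefix_match(uint32_t a, uint32_t b, uint8_t plen)
{
    return plen == 0 || ((a ^ b) >> (32 - plen)) == 0;
}
static int sel_match(const struct sel *s, const struct hdr *h)
{
    return prefix_match(h->saddr, s->saddr, s->splen) &&
           prefix_match(h->daddr, s->daddr, s->dplen);
}

/* Late check: every SA's selector is tested against the final inner header. */
static int check_late(const struct sa *sas, int n, const struct hdr *final)
{
    for (int i = 0; i < n; i++)
        if (!sel_match(&sas[i].sel, final)) return 0;
    return 1;
}

/* Per-SA check: each selector is tested against the header visible at that SA. */
static int check_per_sa(const struct sa *sas, int n,
                        const struct hdr *outer, const struct hdr *inner)
{
    const struct hdr *cur = outer;
    for (int i = 0; i < n; i++) {
        if (sas[i].tunnel) cur = inner;   /* tunnel SA exposes the inner header */
        if (!sel_match(&sas[i].sel, cur)) return 0;
    }
    return 1;
}

/* Constructed sample: AH transport (host to host) outside an ESP tunnel. */
static const struct sa bundle[2] = {
    { 0, { IP(192, 0, 2, 1), IP(192, 0, 2, 2), 32, 32 } },
    { 1, { IP(10, 1, 0, 0), IP(10, 2, 0, 0), 24, 24 } } };
static const struct hdr outer_h = { IP(192, 0, 2, 1), IP(192, 0, 2, 2) };
static const struct hdr inner_h = { IP(10, 1, 0, 5), IP(10, 2, 0, 9) };
static const struct hdr spoof_h = { IP(10, 9, 9, 9), IP(10, 2, 0, 9) };
int main(void)
{
    printf("late=%d per_sa=%d spoofed=%d\n", check_late(bundle, 2, &inner_h),
           check_per_sa(bundle, 2, &outer_h, &inner_h),
           check_per_sa(bundle, 2, &outer_h, &spoof_h));
}
```

In this model the late check rejects the legitimate packet because the AH selector never matches the inner addresses, while the per-SA check accepts it and still rejects an inner source outside the tunnel SA's selector.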