Hello!

> Are there any other problems that you can think of?

No. I just consider this solution highly unnatural and generally brainless. As a rule this directly implies that it is unsatisfactory and contains lots of undesired side effects.

> In fact, reading RFC 2367 and 2401 again, the solution is completely
> specified in there :) All tunnel SAs must carry source/destination
> identities with them which will in turn be used to check the inner
> source/destination addresses.
>
> I'm happy to write the code for this unless you guys object to this
> solution.

Do you not mean SADB_EXT_IDENTITY_SRC/DST occasionally? No way. Though it would be interesting to know how you were going to use them. :-)

Actually, I figured out how this hole appeared. We do check for the SA selector, look at the beginning of xfrm_policy_ok(). So, if IKE sets up selectors right, the problem does not exist. The problem was that pfkeyv2 cannot set them up; I did not know this from the very beginning.

But it would be a real solution, logically self-consistent and clean. Actually, if we extend pfkeyv2 with those additional attributes and prohibit incoming tunnel SAs with wildcard source identity, it would be the ideal variant.

Alexey

-
: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
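The check the message refers to, the inner source/destination addresses of a decapsulated tunnel packet being compared against the selector carried by the inbound SA, can be illustrated with a small model. The following is an added example written for this page; it is not kernel code, not xfrm_policy_ok(), and not anything from the linux-net thread. The `Selector`, `TunnelSA`, `InnerPacket` types, the `policy_ok` and `install_inbound_sa` functions, and the constructed addresses and SPIs are all assumptions made for the illustration. It shows why an inbound tunnel SA with a wildcard (0.0.0.0/0) source selector lets a peer inject packets with any inner source address, and how refusing to install such SAs closes that gap.

```python
"""Toy model of tunnel-mode SA selector checking (example only, not kernel code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Selector:
    """Traffic selector carried by an SA: which inner src/dst prefixes it covers."""
    src: IPv4Network  # 0.0.0.0/0 means "any source" (wildcard)
    dst: IPv4Network


@dataclass(frozen=True)
class TunnelSA:
    spi: int  # hypothetical SPI value for the example
    selector: Selector


@dataclass(frozen=True)
class InnerPacket:
    """Inner IP header seen after decapsulation, plus the SPI that delivered it."""
    src: str
    dst: str
    spi: int


def selector_matches(sel: Selector, pkt: InnerPacket) -> bool:
    """Both inner addresses must fall inside the SA's selector prefixes."""
    return ip_address(pkt.src) in sel.src and ip_address(pkt.dst) in sel.dst


def has_wildcard_src(sel: Selector) -> bool:
    return sel.src.prefixlen == 0


def install_inbound_sa(sadb: dict, sa: TunnelSA, reject_wildcard_src: bool = True) -> None:
    """Model of the proposed rule: refuse inbound tunnel SAs with a wildcard source."""
    if reject_wildcard_src and has_wildcard_src(sa.selector):
        raise ValueError(f"SPI {sa.spi:#x}: inbound tunnel SA with wildcard source selector rejected")
    sadb[sa.spi] = sa


def policy_ok(sadb: dict, pkt: InnerPacket) -> bool:
    """Accept a decapsulated packet only if the delivering SA's selector covers it."""
    sa = sadb.get(pkt.spi)
    if sa is None:
        return False  # unknown SA: drop
    return selector_matches(sa.selector, pkt)


# Constructed sample data: a remote site 192.168.1.0/24 tunnelling to local 10.0.0.0/24.
STRICT = Selector(ip_network("192.168.1.0/24"), ip_network("10.0.0.0/24"))
WILDCARD = Selector(ip_network("0.0.0.0/0"), ip_network("10.0.0.0/24"))

LEGIT = InnerPacket(src="192.168.1.7", dst="10.0.0.20", spi=0x1001)
# Inner source claims to be a local host; a wildcard selector would let this through.
SPOOFED = InnerPacket(src="10.0.0.5", dst="10.0.0.20", spi=0x1001)


def demo() -> dict:
    """Run the three scenarios and return the outcomes for inspection."""
    results = {}

    # 1. SA installed with a wildcard source selector (no rejection): spoof passes.
    loose = {}
    install_inbound_sa(loose, TunnelSA(0x1001, WILDCARD), reject_wildcard_src=False)
    results["wildcard_accepts_legit"] = policy_ok(loose, LEGIT)
    results["wildcard_accepts_spoofed"] = policy_ok(loose, SPOOFED)

    # 2. Same SA with a proper selector: legitimate traffic passes, spoof is dropped.
    strict = {}
    install_inbound_sa(strict, TunnelSA(0x1001, STRICT))
    results["strict_accepts_legit"] = policy_ok(strict, LEGIT)
    results["strict_accepts_spoofed"] = policy_ok(strict, SPOOFED)

    # 3. With the proposed rule enforced, the wildcard SA cannot be installed at all.
    try:
        install_inbound_sa({}, TunnelSA(0x1002, WILDCARD))
        results["wildcard_install_rejected"] = False
    except ValueError:
        results["wildcard_install_rejected"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model treats the selector as a pair of prefixes; the real kernel selector also carries protocol and port ranges and is matched together with the policy lookup, so this only captures the address part of the check the message is talking about.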