On Sat, Jun 28, 2003 at 10:21:01AM +0400, kuznet@ms2.inr.ac.ru wrote:
>
> Actually, I figured out how this hole appeared.
> We do check for SA selector, look at the beginning of xfrm_policy_ok().
> So, if IKE sets up selectors right, the problem does not exist.

Yes, in fact netlink can set them already.

> The problem was that pfkeyv2 cannot set them up, I did not know this
> from the very beginning. But it would be real solution, logically
> self-consistent and clean. Actually, if we extend pfkeyv2 with
> those additional attributes and prohibit incoming tunnel SAs with
> wildcard source identity, it would be ideal variant.

The only problem is that the check as it is doesn't work for anything
apart from the last tunnel SA and transport SAs after it. But that is
easily fixed up.

There is one other problem though with nested policies. We only check
the out-most policy in such a case. To solve that problem, we should
invoke xfrm_policy_check recursively.
-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
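The two points raised in the message above (the SA selector check only covering the last tunnel SA and the transport SAs after it, and the policy check only looking at the outermost of a set of nested policies) are easier to see on a small model. The following is an added example written for this page, not the kernel's xfrm code from 2003 or any patch from the thread. Every struct and function name in it is invented; how xfrm_policy_ok() and xfrm_policy_check() actually walked the templates is not on the page, so the "before" functions model only what the message states, and the "after" functions show the shape of the fixes it proposes (check every tunnel SA against the header it decapsulated, refuse wildcard-source inbound tunnel SAs, recurse into the nested policy). Sample addresses, packets and sec_paths are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the inbound IPsec policy check discussed in the thread.
 * Not kernel code: all names here are invented for illustration. */

#define ANY  0u   /* wildcard source in an SA selector */
#define MAXL 4

enum mode { TRANSPORT, TUNNEL };

struct hdr { uint32_t src, dst; };                /* one IP header layer   */
struct sa  { enum mode mode; uint32_t sel_src; }; /* inbound SA + selector */

struct pkt     { struct hdr layers[MAXL]; int depth; }; /* outermost first */
struct secpath { struct sa  sas[MAXL];    int len;   }; /* outermost first */

/* A policy: the SA modes a packet must have traversed, outermost first,
 * plus an optional nested policy for the packet inside the last tunnel. */
struct pol { enum mode modes[MAXL]; int n; const struct pol *inner; };

static bool sel_ok(uint32_t sel_src, uint32_t src)
{
    return sel_src == ANY || sel_src == src;
}

static int last_tunnel(const struct secpath *sp)
{
    for (int i = sp->len - 1; i >= 0; i--)
        if (sp->sas[i].mode == TUNNEL)
            return i;
    return 0;
}

/* "Before": only the last tunnel SA and the transport SAs after it are
 * compared with the innermost header; outer SAs are not checked at all. */
bool sa_check_before(const struct pkt *p, const struct secpath *sp)
{
    const struct hdr *inner = &p->layers[p->depth - 1];
    for (int i = last_tunnel(sp); i < sp->len; i++)
        if (!sel_ok(sp->sas[i].sel_src, inner->src))
            return false;
    return true;
}

/* "After": walk the SAs outermost-in. A tunnel SA is checked against the
 * header it decapsulated to; a transport SA against the current header.
 * Inbound tunnel SAs with a wildcard source are refused outright. */
bool sa_check_after(const struct pkt *p, const struct secpath *sp)
{
    int layer = 0;
    for (int i = 0; i < sp->len; i++) {
        const struct sa *s = &sp->sas[i];
        if (s->mode == TUNNEL) {
            if (s->sel_src == ANY || layer + 1 >= p->depth)
                return false;
            layer++;
        }
        if (!sel_ok(s->sel_src, p->layers[layer].src))
            return false;
    }
    return layer == p->depth - 1; /* every header layer accounted for */
}

/* "Before": only the outermost policy is matched against the sec_path. */
bool pol_check_before(const struct pol *pol, const struct secpath *sp)
{
    if (sp->len < pol->n) return false;
    for (int i = 0; i < pol->n; i++)
        if (sp->sas[i].mode != pol->modes[i]) return false;
    return true;
}

/* "After": after this policy's templates match, recurse into the nested
 * policy over the remaining SAs; the innermost policy must consume all. */
bool pol_check_after(const struct pol *pol, const struct secpath *sp, int from)
{
    if (sp->len - from < pol->n) return false;
    for (int i = 0; i < pol->n; i++)
        if (sp->sas[from + i].mode != pol->modes[i]) return false;
    from += pol->n;
    return pol->inner ? pol_check_after(pol->inner, sp, from) : from == sp->len;
}

/* Constructed sample data (addresses are arbitrary). */
#define GW_A 0x0A000001u
#define GW_B 0x0A000002u
#define HUB_C 0x0A000033u
#define HOST_X 0x0A010005u
#define HOST_Y 0x0A020007u
#define EVIL 0xC0A80001u

/* gwA->gwB tunnel carrying a hubC->hostY tunnel carrying hostX->hostY */
const struct pkt pkt_legit = { .depth = 3, .layers = {
    { GW_A, GW_B }, { HUB_C, HOST_Y }, { HOST_X, HOST_Y } } };
/* Same, but the middle header claims a source the outer SA was not set up for */
const struct pkt pkt_spoofed = { .depth = 3, .layers = {
    { GW_A, GW_B }, { EVIL, HOST_Y }, { HOST_X, HOST_Y } } };

const struct secpath sp_two_tunnels = { .len = 2, .sas = {
    { TUNNEL, HUB_C }, { TUNNEL, HOST_X } } };
const struct secpath sp_wild_outer = { .len = 2, .sas = {
    { TUNNEL, ANY }, { TUNNEL, HOST_X } } };
const struct secpath sp_tunnel_only = { .len = 1, .sas = { { TUNNEL, HUB_C } } };
const struct secpath sp_tunnel_transport = { .len = 2, .sas = {
    { TUNNEL, HUB_C }, { TRANSPORT, HUB_C } } };

const struct pol pol_inner = { .modes = { TRANSPORT }, .n = 1, .inner = NULL };
const struct pol pol_outer = { .modes = { TUNNEL }, .n = 1, .inner = &pol_inner };

int main(void)
{
    printf("spoofed middle header:   before=%d after=%d\n",
           sa_check_before(&pkt_spoofed, &sp_two_tunnels),
           sa_check_after(&pkt_spoofed, &sp_two_tunnels));
    printf("wildcard outer tunnel SA: before=%d after=%d\n",
           sa_check_before(&pkt_legit, &sp_wild_outer),
           sa_check_after(&pkt_legit, &sp_wild_outer));
    printf("nested policy, no transport SA: before=%d after=%d\n",
           pol_check_before(&pol_outer, &sp_tunnel_only),
           pol_check_after(&pol_outer, &sp_tunnel_only, 0));
    return 0;
}
```

In the model, the "before" SA check accepts a packet whose intermediate header carries a source the outer tunnel SA was never negotiated for, and accepts an outer tunnel SA with a wildcard source, because it never looks at SAs before the last tunnel; the "after" check rejects both while still accepting the legitimate nested packet. Likewise the "before" policy check is satisfied by a sec_path that stops at the outer tunnel even though the nested policy demands a transport SA inside it, and the recursive check is not.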