On Sun, Jun 29, 2003 at 02:52:31PM -0700, David S. Miller wrote:
>
> How about installing the policies in the correct order perhaps?  So
> that the more specific entries are in the policy list before the less
> specific ones?

A user can afford to do that.  But a KM can't since it can't anticipate
what the user is going to do.

In a mobile situation, you may even need to switch between the two on a
regular basis.  Imagine a wireless gateway with an Ethernet interface so
that you can use the same IP address whether you're connected via the
cable or not.  Suppose that it also imposes the restriction that all
traffic from the Wireless side must be protected by IPsec.  Then all
policies in the SPD will need to be updated every time you switch
between the two.

There are also corporate private networks where the default gateway is
IPsec where a similar problem exists.  You will need to change policies
depending on whether you're connected to the corporate network or the
Internet.
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
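
Added example, not part of the original message and not kernel code: a simplified model of a first-match policy list, showing that the lookup result depends on insertion order unless entries are placed by specificity. The struct and function names are hypothetical and the addresses are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified SPD entry: destination prefix -> action. */
struct policy {
    uint32_t net;        /* network address, host byte order */
    int plen;            /* prefix length, 0..32 */
    const char *action;  /* constructed labels, e.g. "ipsec" or "bypass" */
};

struct spd {
    struct policy e[16];
    size_t n;
};

static uint32_t mask_of(int plen) {
    return plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen);
}

/* Append in arrival order: the result then depends on who installed first. */
int spd_append(struct spd *s, struct policy p) {
    if (s->n == 16) return -1;
    s->e[s->n++] = p;
    return 0;
}

/* Insert so that longer (more specific) prefixes always precede shorter ones. */
int spd_insert_specific_first(struct spd *s, struct policy p) {
    size_t i = 0;
    if (s->n == 16) return -1;
    while (i < s->n && s->e[i].plen >= p.plen) i++;
    memmove(&s->e[i + 1], &s->e[i], (s->n - i) * sizeof(p));
    s->e[i] = p;
    s->n++;
    return 0;
}

/* First match wins, as in an ordered policy list. */
const char *spd_lookup(const struct spd *s, uint32_t dst) {
    for (size_t i = 0; i < s->n; i++) {
        uint32_t m = mask_of(s->e[i].plen);
        if ((dst & m) == (s->e[i].net & m))
            return s->e[i].action;
    }
    return "none";
}
```

With a catch-all 0.0.0.0/0 entry installed before a /24 entry, `spd_append` leaves the /24 shadowed, while `spd_insert_specific_first` returns the /24 action for addresses inside it regardless of installation order.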