On Tue, Jul 01, 2003 at 08:10:07PM +1000, herbert wrote:
>
> Sure. In fact, checking anything apart from the inner SA is pointless
> since whoever added the policy check would've presumably carried out
> that check already. So here is the new patch which only checks the
> inner-most SA.

Hmm, it's not as simple as that since the security path is not required
to match exactly with the policy. For instance you may be able to steal
someone's IPCOMP tunnel with this.

I'll need to think about it a bit more.
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu 许志壬 <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt