On Sat, 12 Jul 2003 12:38:12 +1000
Herbert Xu <herbert@gondor.apana.org.au> wrote:

> I have changed policy_check to drop any packets containing an SA in
> their security path that is not specified in the template. Optional
> SAs in the template will continue to work.
>
> IPCOMP tunnels have been dealt with by including the IPIP state in the
> security path. It has the special property that it will match any IPCOMP
> tunnel SA with the same outer source/destination address.

We're not going to fix this by hardcoding rules about IPIP and
IPCOMP in generic xfrm code.

When I start to see tests for IPIP and IPCOMP in xfrm_policy.c
I start to be afraid :-)

Let's stop special casing this IPCOMP/IPIP thing, like you're
trying to do in these patches, and try to define what it _IS_
generally that we're trying to handle here.

Really, I'm not bothered by the current behavior, so you're going
to have to come up with a really clean way to solve this problem
you perceive 8)