On Sun, Jul 13, 2003 at 11:03:46AM +1000, herbert wrote:
>
> This patch adds a reqid check for inbound packets. This is useful when
> there are two inbound templates/SAs between two hosts where one selector
> is strictly less than the other. For example, you can have a default
> ESP SA between two hosts and another ESP SA with different parameters
> that only apply to a TCP connection.
>
> Without the reqid check you'll have to hardcode the SPI which makes
> automatic SA renewal rather abrupt.

Since it doesn't make sense to have a wildcard reqid match, the patch can
and should be simplified as follows.

BTW, is there any reason why we don't cater for hardcoded outbound SPIs
in xfrm_state_find?
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu 许志壬 <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

--- kernel-source-2.5/net/xfrm/xfrm_policy.c.orig 2003-07-13 10:58:50.000000000 +1000 +++ kernel-source-2.5/net/xfrm/xfrm_policy.c 2003-07-13 10:59:06.000000000 +1000 @@ -860,6 +860,7 @@ { return x->id.proto == tmpl->id.proto && (x->id.spi == tmpl->id.spi || !tmpl->id.spi) && + x->props.reqid == tmpl->reqid && x->props.mode == tmpl->mode && (tmpl->aalgos & (1<<x->props.aalgo)) && !(x->props.mode && xfrm_state_addr_cmp(tmpl, x, family));
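
Review bot: the added `x->props.reqid == tmpl->reqid` test is a strict comparison, while the SPI test on the line directly above it treats a zero template value as a wildcard (`|| !tmpl->id.spi`). As written, a template whose reqid is left at 0 matches only states whose reqid is also 0, so an inbound SA installed with a non-zero reqid fails this check against such a template. If that is the intent, a comment on the function stating that reqid 0 is a literal value here and not "any" would make the asymmetry with the SPI line explicit. Otherwise a `|| !tmpl->reqid` alternative, mirroring the SPI line, would keep templates that set no reqid matching.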