On Tue, 14 Sep 2010 09:40:11 +0200, Tobias Heer <[email protected]>
wrote:
> - opportunistic mode
> - midauth
> We need to fix this. However, I am confident that the change will be
> minor.
Yes, opp-mode and midauth might even work right away because the magic
happens before recording the SA in the firewall.
> - lightweight update
> Was there code for this in the firewall? What does it do?
Most of the code is here:
http://bazaar.launchpad.net/~christof-mroz/hipl/hipfw-performance/annotate/head%3A/firewall/esp_prot_conntrack.c#L992
Lightweight update was mentioned because I assumed this is somehow related
to updating IP/SPI associations (like ordinary HIP_UPDATE), even though I
don't see where that's happening by skimming through the code (looking for
dst_addr_list modifications).
Apropos: Currently, multiple destination addresses are managed per SPI
(i.e., a list is used):
http://bazaar.launchpad.net/~christof-mroz/hipl/hipfw-performance/annotate/head%3A/firewall/firewall_defines.h#L88
Is this still supported? If so, then I don't see where old addresses are
currently purged in the code, i.e. if an SA's IP address updates 10 times
to different values, there will be 10 values present in the list (and 10
iptables rules) until the connection is removed completely.
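The growth described above (one list entry and one iptables rule per address change, never purged) can be modelled in a few lines. The following is an added example, not HIPL's own code: the structure and function names (`sa_entry`, `sa_update_append`, `sa_update_replace`, `rules_after_n_updates`) are invented stand-ins for the real `dst_addr_list` handling in `firewall_defines.h` and `esp_prot_conntrack.c`, iptables calls are replaced by a counter, and the addresses and SPI are constructed sample values. It contrasts an append-only update with one that purges the address being replaced.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified model of a per-SPI destination-address list.
 * Names are invented; the real definitions live in HIPL's
 * firewall/firewall_defines.h and firewall/esp_prot_conntrack.c. */

#define MAX_DST_ADDRS 32
#define ADDR_STRLEN   46   /* enough for a textual IPv6 address */

struct dst_addr {
    char addr[ADDR_STRLEN];
};

/* One SA as the firewall tracks it: an SPI plus the destination addresses
 * it has been seen with. Each list entry stands for one iptables rule. */
struct sa_entry {
    uint32_t        spi;
    struct dst_addr dst_addr_list[MAX_DST_ADDRS];
    size_t          n_dst;
    unsigned        rules_installed;   /* simulated iptables rule counter */
};

/* Simulated rule management; the real firewall would call out to iptables. */
static void rule_add(struct sa_entry *sa)    { sa->rules_installed++; }
static void rule_remove(struct sa_entry *sa) { sa->rules_installed--; }

static int find_addr(const struct sa_entry *sa, const char *addr)
{
    for (size_t i = 0; i < sa->n_dst; i++)
        if (strcmp(sa->dst_addr_list[i].addr, addr) == 0)
            return (int)i;
    return -1;
}

/* Append-only update: the behaviour the mail worries about. Every address
 * change adds an entry and a rule; nothing is purged, so an SA that
 * changes address n times keeps n entries until it is torn down. */
int sa_update_append(struct sa_entry *sa, const char *new_addr)
{
    if (find_addr(sa, new_addr) >= 0)
        return 0;                       /* already known, nothing to do */
    if (sa->n_dst >= MAX_DST_ADDRS)
        return -1;                      /* list full */
    snprintf(sa->dst_addr_list[sa->n_dst].addr, ADDR_STRLEN, "%s", new_addr);
    sa->n_dst++;
    rule_add(sa);
    return 0;
}

/* Purging update: the address being replaced is removed together with its
 * rule before the new one is added. If old_addr is NULL or unknown (first
 * address of the SA) the new address is simply added. */
int sa_update_replace(struct sa_entry *sa, const char *old_addr, const char *new_addr)
{
    int old = old_addr ? find_addr(sa, old_addr) : -1;
    if (old >= 0) {
        /* drop the stale entry by moving the last entry into its slot */
        sa->n_dst--;
        if ((size_t)old != sa->n_dst)
            sa->dst_addr_list[old] = sa->dst_addr_list[sa->n_dst];
        rule_remove(sa);
    }
    return sa_update_append(sa, new_addr);
}

/* Drive one SA through n address changes under either policy and return
 * how many simulated iptables rules are left installed. Addresses are
 * constructed sample values (10.0.0.1, 10.0.0.2, ...). */
unsigned rules_after_n_updates(unsigned n, int purge)
{
    struct sa_entry sa;
    memset(&sa, 0, sizeof sa);
    sa.spi = 0x12345678;                /* constructed sample SPI */

    char prev[ADDR_STRLEN] = "", cur[ADDR_STRLEN];
    for (unsigned i = 1; i <= n; i++) {
        snprintf(cur, sizeof cur, "10.0.0.%u", i);
        if (purge)
            sa_update_replace(&sa, prev[0] ? prev : NULL, cur);
        else
            sa_update_append(&sa, cur);
        memcpy(prev, cur, sizeof prev);
    }
    return sa.rules_installed;
}

int main(void)
{
    printf("append-only after 10 updates: %u rules\n", rules_after_n_updates(10, 0));
    printf("purging after 10 updates:     %u rules\n", rules_after_n_updates(10, 1));
    return 0;
}
```

With the append-only policy ten updates leave ten rules, and once the fixed-size list fills, further updates fail outright; with the purging policy the SA never holds more than the one current address, which is the behaviour one would want if a single destination address per SPI is all that is still supported.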
_______________________________________________
Mailing list: https://launchpad.net/~hipl-core
Post to : [email protected]
Unsubscribe : https://launchpad.net/~hipl-core
More help : https://help.launchpad.net/ListHelp