On Wed, 12 Jul 2006, Venkat Yekkirala wrote:

> This labels the flows that could utilize IPSec xfrms at the points they
> are defined so that IPSec policy and SAs at the right label can be used.
>
> The following protos are currently not handled, but they should continue
> to be able to use single-labeled IPSec like they currently do.
>
> ipmr
> ip_gre
> ipip
> igmp
> sit
> sctp
> ip6_tunnel (IPv6 over IPv6 tunnel device)
> decnet
>

Also, just to bring netdev up to date on this, previous discussion on the
redhat-lspp list about this patch:

(myself):
> This seems problematic in that it's not a general solution and depends
> always on hooking in at all of the right places in every protocol.
> Adding a bunch of hooks to protocol-specific code is what got us in trouble
> with the initial LSM submission.
>
> What about using secmark and connection tracking for this, instead?

I did get a reply from Venkat but can't find it in the archives, so it may
have been off-list?

IIRC, the outgoing netfilter hook is in the wrong location. Venkat, please
clarify.

- James
--
James Morris <[EMAIL PROTECTED]>