From: Venkat Yekkirala <[EMAIL PROTECTED]>
Date: Wed, 12 Jul 2006 16:14:42 -0500

> This labels the flows that could utilize IPSec xfrms at the points they
> are defined so that IPSec policy and SAs at the right label can be used.
>
> The following protos are currently not handled, but they should continue
> to be able to use single-labeled IPSec like they currently do.
>
> ipmr
> ip_gre
> ipip
> igmp
> sit
> sctp
> ip6_tunnel (IPv6 over IPv6 tunnel device)
> decnet
>
> Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>

This isn't the most beautiful way to handle this, but I cannot
dream up a better way at the current time.

I think the names and arguments of these functions could
be nicer, may I suggest:

    static inline void security_sk_classify_flow(struct sock *sk, struct flowi *f);
    static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *f);

These interfaces describe better what is happening, in a way that
doesn't divulge the details of the fact that there is a security ID
and it's a 32-bit integer, etc.

With the above interfaces you can change the implementation easily
without having to dork with all the call sites all over again if
something other than a 32-bit integer is ever needed.

The other changes I'm either OK with, or they are outside my
scope of knowledge (the stuff that lives inside of SELINUX).