On Sat, Jun 10, 2017 at 06:58:11PM -0400, David Miller wrote:
> From: Ivan Delalande <col...@arista.com>
> Date: Fri, 9 Jun 2017 19:14:49 -0700
>
> > Add a flag field and address prefix length at the end of the tcp_md5sig
> > structure so users can configure an address prefix length along with a
> > key. Make sure shorter option values are still accepted in
> > tcp_v4_parse_md5_keys and tcp_v6_parse_md5_keys to maintain backward
> > compatibility.
> >
> > Signed-off-by: Bob Gilligan <gilli...@arista.com>
> > Signed-off-by: Eric Mowat <mo...@arista.com>
> > Signed-off-by: Ivan Delalande <col...@arista.com>
>
> As I believe was previously stated, the problem with this approach is
> that if a new tool requests the prefix length and is run on an older
> kernel, the kernel will return success even though the prefix length
> was not taken into account.
>
> We do not want to get a success back when the operation requested was
> not performed.

Ah yeah that's right, sorry, definitely not great.

So I guess our only other option is to add a new socket option, like
TCP_MD5SIG_EXT which would use the extended version of struct tcp_md5sig
from this patch. Is it justified for this feature, or do you see any
other way to achieve this?

Thanks,

-- 
Ivan Delalande
Arista Networks
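
The compatibility problem raised in the quoted review, and the effect of a separate option name, shown as an added user-space model; this is not code from the patch or from the kernel. The struct layouts, option numbers and function names are hypothetical stand-ins, and the older kernel is assumed to check only a minimum option length and copy a fixed-size structure.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Simplified stand-ins for illustration; not the kernel's real layouts. */
struct md5sig_old { unsigned char addr[16]; unsigned short keylen; unsigned char key[80]; };
struct md5sig_ext { struct md5sig_old base; unsigned char flags; unsigned char prefixlen; };
/* Hypothetical option numbers; FULL_MATCH is the bit width of the stand-in address. */
enum { OPT_MD5SIG = 1, OPT_MD5SIG_EXT = 2, FULL_MATCH = 128 };
struct installed { int present; int prefixlen; };

/* Model of an older kernel: one option, a minimum-length check, and a copy
 * of exactly sizeof(old struct), so trailing fields are never looked at. */
static int old_kernel_setsockopt(int optname, const void *optval, size_t optlen,
                                 struct installed *out)
{
    struct md5sig_old cmd;
    if (optname != OPT_MD5SIG)
        return -ENOPROTOOPT;
    if (optlen < sizeof(cmd))
        return -EINVAL;
    memcpy(&cmd, optval, sizeof(cmd));
    if (cmd.keylen > sizeof(cmd.key))
        return -EINVAL;
    out->present = 1;
    out->prefixlen = FULL_MATCH;   /* key bound to the whole address */
    return 0;
}

/* New tool asks for a /24 key; returns the kernel's result code and
 * reports what was actually installed through *out. */
static int request_prefix_key(int optname, struct installed *out)
{
    struct md5sig_ext req;
    memset(&req, 0, sizeof(req));
    req.base.keylen = 6;
    memcpy(req.base.key, "secret", 6);
    req.flags = 1;                 /* constructed "prefix present" flag */
    req.prefixlen = 24;
    out->present = 0; out->prefixlen = -1;
    return old_kernel_setsockopt(optname, &req, sizeof(req), out);
}

int main(void)
{
    struct installed a, b;
    int ra = request_prefix_key(OPT_MD5SIG, &a), rb = request_prefix_key(OPT_MD5SIG_EXT, &b);
    printf("extended struct: rc=%d prefixlen=%d\n", ra, a.prefixlen);
    printf("new option:      rc=%d present=%d\n", rb, b.present);
    return 0;
}
```

With the extended structure sent under the existing option, the modelled older kernel reports success and installs a full-address key; under a separate option name it fails with ENOPROTOOPT, so the tool can detect the missing feature.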