From: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
Date: Thu, 24 Aug 2006 00:02:41 +0900

> Sub policy is introduced. Main and sub policy are applied the same flow.
> (Policy that current kernel uses is named as main.)
> It is required another transformation policy management to keep IPsec
> and Mobile IPv6 lives separate.
> Policy which lives shorter time in kernel should be a sub i.e. normally
> main is for IPsec and sub is for Mobile IPv6.
> (Such usage as two IPsec policies on different database can be used, too.)
>
> Limitation or TODOs:
> - Sub policy is not supported for per socket one (it is always inserted as
>   main).
> - Current kernel makes cached outbound with flowi to skip searching database.
>   However this patch makes it disabled only when "two policies are used and
>   the first matched one is bypass case" because neither flowi nor bundle
>   information knows about transformation template size.
>
> Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Signed-off-by: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>

Applied to net-2.6.19

Those socket policies are becoming more and more difficult to deal
with. I like them as a feature, but I wonder who uses them :-)

They do not live in the flow cache so they hurt performance until we
find a way to place them there. Perhaps we can extend the flow keying
somehow to account for socket based policies in the flow cache.