Sebastien Roy wrote:
* 2804: I believe the answer is yes, but danmcd should confirm. In
the old world, I believe an ipsec_in_t M_CTL would be pre-pended
even on a clear-text packet if there was global policy present.
This would cause ipsec_tun_inbound() to be called on such packets.
I'll check with Dan.
Okay.
One would thus assume that IRAF_IPSEC_SECURE should be set if there
was global policy present in the ip input path(?).
That doesn't seem like the natural semantics of a flag that says SECURE
- it shouldn't be set if the packet was received in the clear.
Perhaps an IRAF_IPSEC_HAS_GLOBAL_POLICY would make sense.
That's fine with me.
I went and looked at onnv-gate and there is no such thing in the receive
side for global policy for a clear-text packet.
If a clear-text packet comes into ip_input, it calls
if (ip_iptun_input(NULL, mp, ipha, ill, ire, ipst))
i.e., no M_CTL.
Then the packet is passed to iptun_input that looks at IPsec policy iff
there is an M_CTL.
Thus a cleartext tunneled packet plus just a global IPsec policy doesn't
result in a policy check for iptun in Nevada.
TCP and UDP input does check for a global policy (in ip_tcp_input and
ip_udp_input).
Is the above a bug in Nevada?
In any case, IP datapath refactoring behaves the same as Nevada in this
case.
Erik
networking-discuss mailing list