> What if we want to share a single IPSEC SA for a range, and use e.g.
> CIPSO/NetLabel to individually label traffic with individual levels
> within that range? Does this patch set prevent such sharing
> of SAs? Or

To a large extent, it does allow ranged SAs (I will have to loosen up the recvfrom mls constraint a little; sendto already explicitly allows for this). But the current intent would be for such ranged SAs to be manually created and loaded (via setkey), and for auto-generated SAs (via IKE) to be created at single levels.

> is it just a matter of how we configure the policy rules for polmatch?

Actually, it would be the ranged SA labels (defined in the xfrm policy), used as the target by sendto and recvfrom.

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
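The exchange above turns on the difference between a ranged SA (one whose xfrm label carries an MLS range such as s0-s15:c0.c1023, loaded by hand via setkey) and a single-level SA (what IKE would generate). The following is an added example, not code from the thread or from the LSPP patch set: it parses SELinux MLS levels and ranges and decides whether a per-packet CIPSO/NetLabel level falls inside an SA's range under the usual MLS dominance rules. The context strings, the ipsec_sa_t type and the helper names are illustrative assumptions; the kernel's own sendto/recvfrom checks are expressed as MLS constraints in policy, not as this function.

```python
"""
Added example (not from the redhat-lspp thread): MLS range containment for a
labeled IPsec SA.  A ranged SA carries a context such as
system_u:object_r:ipsec_sa_t:s0-s15:c0.c1023 and may carry packets labelled
at any level inside that range; a single-level SA (s3) matches only s3.
The type name ipsec_sa_t and the contexts below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset[int]

    def dominates(self, other: "Level") -> bool:
        # MLS dominance: higher-or-equal sensitivity and a superset of categories.
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text: str) -> Level:
    """Parse 's3' or 's3:c1,c5.c8' into a Level, expanding category ranges."""
    sens_part, _, cat_part = text.partition(":")
    if not sens_part.startswith("s") or not sens_part[1:].isdigit():
        raise ValueError(f"bad sensitivity: {text!r}")
    cats: set[int] = set()
    if cat_part:
        for item in cat_part.split(","):
            lo, _, hi = item.partition(".")
            lo_n = int(lo.lstrip("c"))
            hi_n = int(hi.lstrip("c")) if hi else lo_n
            if lo_n > hi_n:
                raise ValueError(f"bad category range: {item!r}")
            cats.update(range(lo_n, hi_n + 1))
    return Level(int(sens_part[1:]), frozenset(cats))


def parse_range(text: str) -> tuple[Level, Level]:
    """Parse 'low-high'; a bare level is a single-level range (low == high)."""
    low_s, _, high_s = text.partition("-")
    low = parse_level(low_s)
    high = parse_level(high_s) if high_s else low
    if not high.dominates(low):
        raise ValueError(f"high level must dominate low: {text!r}")
    return low, high


def mls_field(context: str) -> str:
    """Return the MLS field (4th colon-separated field) of user:role:type:mls."""
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"context lacks an MLS field: {context!r}")
    return parts[3]


def sa_can_carry(sa_context: str, packet_level: str) -> bool:
    """True if low <= packet level <= high under MLS dominance for this SA."""
    low, high = parse_range(mls_field(sa_context))
    lvl = parse_level(packet_level)
    return lvl.dominates(low) and high.dominates(lvl)


def pick_sa(sa_contexts: list[str], packet_level: str) -> str | None:
    """Return the first SA whose range contains the packet level, else None."""
    for ctx in sa_contexts:
        if sa_can_carry(ctx, packet_level):
            return ctx
    return None


if __name__ == "__main__":
    # Constructed contexts: one ranged SA (as loaded by hand) and one
    # single-level SA (as IKE would negotiate it).
    RANGED = "system_u:object_r:ipsec_sa_t:s0-s15:c0.c1023"
    SINGLE = "system_u:object_r:ipsec_sa_t:s3"
    for lvl in ("s3", "s5:c1,c7", "s3:c2", "s16"):
        print(f"{lvl:10} ranged={sa_can_carry(RANGED, lvl)} "
              f"single={sa_can_carry(SINGLE, lvl)}")
```

Note that a single-level SA at s3 rejects s3:c2 as well as s2 and s4: the category set must match exactly, which is why per-packet CIPSO labelling needs a ranged SA rather than one SA per level. With ipsec-tools, the context on a manually loaded SA or SPD entry is supplied through setkey's -ctx option (DOI, algorithm, context string).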
