On Jun 20, 2006, at 7:10 PM, Venkat Yekkirala wrote:

The extra level of indirection provided by the flow makes things a
bit harder to follow, so I think that this should be made clear in
documentation somehow.  I am not sure if people will be able to
maintain this notion easily later.  My understanding is below.

It would be a lot easier if people looked at this in terms of "flow".

The "indirection" is necessary and the "flow" has always been there since we don't always have a socket (forward case again). We just needed to go with the flow :)

We have flows, sa's, and in some cases, senders and receivers. On input, we check the socket's access to receive the sa's type in rcv_skb, and on output we check the flow's (indirectly socket's, if present) access to send to the sa's type in flow_state_match.

The problem is that the types of the flow and policy are required to match in lookup, but that is not a requirement for types. A socket of type x can use a policy of type y which can be captured on input, but not on output in this patch.

I'll think about possible resolutions, but here are some further questions.

(1) must a flow type match that of the sa it uses (seems so)?
(2) can we do lookup differently for input (where we are told what it should be) versus output (where it is based on what could be authorized)?

Regards,
Trent.
----------------------------------------------
Trent Jaeger, Associate Professor
Pennsylvania State University, CSE Dept
346A IST Bldg, University Park, PA 16802
Email: [EMAIL PROTECTED]
Ph: (814) 865-1042, Fax: (814) 865-3176




--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
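The input/output asymmetry discussed in the message above, as an added toy model that is not code from the patch, the kernel, or either poster. It assumes types are small integers and that a constructed `allow` table stands in for the policy's access rules; every function and variable name here is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { TYPE_X, TYPE_Y, TYPE_Z, NTYPES };

/* Constructed rules: allow[subject][object] means the subject type may
 * send to / receive from an SA or policy of the object type. */
static const bool allow[NTYPES][NTYPES] = {
    [TYPE_X] = { [TYPE_X] = true, [TYPE_Y] = true },
    [TYPE_Y] = { [TYPE_Y] = true },
    [TYPE_Z] = { [TYPE_Z] = true },
};

/* Constructed policy database holding a single policy of type y. */
static const int sample_policies[] = { TYPE_Y };
#define N_SAMPLE (sizeof sample_policies / sizeof sample_policies[0])

/* Input: the packet arrived on a known SA, so only the access check runs. */
bool input_permitted(int sock_type, int sa_type)
{
    return allow[sock_type][sa_type];
}

/* Output with type equality required in lookup. Returns index or -1. */
int output_lookup_exact(int flow_type, const int *pol, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (pol[i] == flow_type)
            return (int)i;
    return -1;
}

/* Output lookup based on what the flow's type is authorized to use,
 * the alternative that question (2) asks about. Returns index or -1. */
int output_lookup_authorized(int flow_type, const int *pol, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (allow[flow_type][pol[i]])
            return (int)i;
    return -1;
}

int main(void)
{
    printf("input  x<-y permitted: %d\n", input_permitted(TYPE_X, TYPE_Y));
    printf("output x->y exact lookup: %d\n",
           output_lookup_exact(TYPE_X, sample_policies, N_SAMPLE));
    printf("output x->y authorized lookup: %d\n",
           output_lookup_authorized(TYPE_X, sample_policies, N_SAMPLE));
    return 0;
}
```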
