> We have flows, sa's, and in some cases, senders and receivers. On
> input, we check the socket's access to receive the sa's type in
> rcv_skb, and on output we check the flow's (indirectly socket's, if
> present) access to send to the sa's type in flow_state_match.
>
> The problem is that the types of the flow and policy are required to
> match in lookup, but that is not a requirement for
> types.

Did you mean to say sockets (instead of types) at the end above or did I miss something?

> A socket
> of type x can use a policy of type y which can be captured on
> input,

Actually this would be output (albeit indirectly via the flow).

> but not on
> output in this patch.

You probably meant "input" here?

> I'll think about possible resolutions, but here are some further
> questions.
>
> (1) must a flow type match that of the sa it uses (seems so)?

Yes. The flow type must have sendto access to the SA.

> (2) can we do lookup differently for input (where we are told
> what it
> should be) versus output (where it is based on what could be
> authorized)?

I am not getting this question. Please let me know on the side when would be a good time to call you. Thanks.

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
