On Jun 21, 2006, at 8:58 AM, Venkat Yekkirala wrote:

It seems like semantics of the flow sid is different between output
and input.  On output, it's based on the socket and on input it's
based on the sa.  The flow/sa analogy makes sense to me, but the
socket less so (multiple sockets can use the same flow).

Different flows (as opposed to sockets) may use the same flow cache entry.
Is that what you meant here?

No. I meant that the flow's sid is computed from the socket on output and the sa on input. These would seem to have different authorization requirements to me (socket requires permission to send on output and sa should match policy on input). Does that make sense or should I try to be more specific?

The cache uses these sids subsequently of course, but we authorize socket to sa on input and flow (which is derived from socket) to sa on output.

Regards,
Trent.
----------------------------------------------
Trent Jaeger, Associate Professor
Pennsylvania State University, CSE Dept
346A IST Bldg, University Park, PA 16802
Email: [EMAIL PROTECTED]
Ph: (814) 865-1042, Fax: (814) 865-3176
