During the LSPP conference call this past Monday (10/16) it was realized that one of the main reasons for wanting to use the sk_buff->secmark field was that labeled IPsec needed the field to preserve the packet's context in the case of forwarding.
I just spent the past couple of hours looking at the kernel trying to trace an IPsec packet's path through the stack from when it first enters to when it leaves through the forwarding path. From what I can tell it appears that the XFRM state is kept in the sk_buff->sp field for inbound transforms and in the sk_buff->dst->xfrm field for outbound transforms. Unless I missed something somewhere (very possible, I was looking at a *lot* of code this morning) it seems like we should be able to retrieve the context from the inbound SAs without problem, eliminating the need to overload/split/etc. the sk_buff->secmark field.

If I'm wrong about the XFRM state could someone please correct me?

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
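The following is an added illustration, not code from the post above or from the kernel: a user-space model of the structures Paul names (sk_buff->sp for the inbound SA chain, sk_buff->dst->xfrm for the outbound transform) showing how a forwarded packet's label can be recovered from the inbound SAs rather than from sk_buff->secmark. The struct and field names follow the 2.6-era kernel layout, but the fixed-size ctx_str buffer, the label-comparison policy (all labeled inbound SAs must agree, unlabeled SAs are skipped, the outbound SA must match), the helper functions set_sa_label/inbound_label/forward_allowed/scenario and the sample labels are all assumptions made for this example.

```c
/* Added example: user-space model of sk_buff->sp / sk_buff->dst->xfrm
 * label recovery on the forwarding path. Not kernel code; field names
 * mirror the 2.6-era structs, everything else is assumed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define XFRM_MAX_DEPTH 6

struct xfrm_sec_ctx {
    uint8_t  ctx_doi;
    uint8_t  ctx_alg;
    uint16_t ctx_len;
    char     ctx_str[64];   /* kernel uses a flexible array; fixed here */
};

struct xfrm_state {
    struct xfrm_sec_ctx *security;   /* NULL for an unlabeled SA */
};

struct sec_path {                    /* inbound transforms, outermost first */
    int len;
    struct xfrm_state *xvec[XFRM_MAX_DEPTH];
};

struct dst_entry {
    struct xfrm_state *xfrm;         /* outbound transform, if any */
};

struct sk_buff {
    uint32_t secmark;                /* deliberately never consulted below */
    struct sec_path *sp;
    struct dst_entry *dst;
};

/* Constructed helper: attach a label to an SA, or mark it unlabeled. */
void set_sa_label(struct xfrm_state *x, struct xfrm_sec_ctx *ctx, const char *label)
{
    if (!label) { x->security = NULL; return; }
    memset(ctx, 0, sizeof *ctx);
    ctx->ctx_doi = 1;                /* assumed DOI/alg values, not checked here */
    ctx->ctx_alg = 1;
    snprintf(ctx->ctx_str, sizeof ctx->ctx_str, "%s", label);
    ctx->ctx_len = (uint16_t)(strlen(ctx->ctx_str) + 1);
    x->security = ctx;
}

/* Label carried by the packet's inbound SAs (walked innermost to outermost),
 * or NULL if the packet arrived unlabeled or the labeled SAs disagree.
 * Disagreement is treated as a policy error, not resolved by picking one. */
const char *inbound_label(const struct sk_buff *skb)
{
    const char *label = NULL;
    if (!skb->sp) return NULL;
    for (int i = skb->sp->len - 1; i >= 0; i--) {
        const struct xfrm_state *x = skb->sp->xvec[i];
        if (!x || !x->security) continue;
        if (!label) label = x->security->ctx_str;
        else if (strcmp(label, x->security->ctx_str) != 0) return NULL;
    }
    return label;
}

/* Forwarding decision (assumed policy): the outbound SA in dst->xfrm must
 * carry the same label the packet arrived with. secmark plays no part. */
int forward_allowed(const struct sk_buff *skb)
{
    const char *in = inbound_label(skb);
    if (!in) return 0;
    if (!skb->dst || !skb->dst->xfrm || !skb->dst->xfrm->security) return 0;
    return strcmp(in, skb->dst->xfrm->security->ctx_str) == 0;
}

/* Constructed scenario: packet decapsulated through two inbound SAs
 * (in_a outer, in_b inner) and routed out through one outbound SA.
 * NULL means "that SA is unlabeled". Returns forward_allowed(). */
int scenario(const char *in_a, const char *in_b, const char *out)
{
    static struct xfrm_sec_ctx ca, cb, co;
    static struct xfrm_state xa, xb, xo;
    static struct sec_path sp;
    static struct dst_entry dst;
    static struct sk_buff skb;

    set_sa_label(&xa, &ca, in_a);
    set_sa_label(&xb, &cb, in_b);
    set_sa_label(&xo, &co, out);
    sp.len = 2; sp.xvec[0] = &xa; sp.xvec[1] = &xb;
    dst.xfrm = &xo;
    skb.secmark = 0; skb.sp = &sp; skb.dst = &dst;
    return forward_allowed(&skb);
}

int main(void)
{
    const char *l = "system_u:object_r:lspp_t:s0";     /* sample label */
    printf("matching labels forward:   %d\n", scenario(l, l, l));
    printf("inbound SAs disagree:      %d\n", scenario(l, "system_u:object_r:other_t:s0", l));
    printf("unlabeled inbound packet:  %d\n", scenario(NULL, NULL, l));
    return 0;
}
```

The point of the walk over sp->xvec is that the label survives forwarding without ever being copied into secmark: it is still reachable from the inbound xfrm_state objects the packet holds a reference to, and the outbound check reads the peer label from dst->xfrm in the same way.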
