On Wed, 2007-03-28 at 17:35 -0400, Paul Moore wrote:
> Well, I still did find one thing that was a bit odd, perhaps you can help
> explain it to me. When I use the following SPD (where A and B are IPv4
> addresses, with the other end having the same policy but a shift in
> direction):
>
> spdadd A B[5300] tcp
> -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> -P out ipsec ah/transport//require;
> spdadd A[5300] B tcp
> -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> -P out ipsec ah/transport//require;
> spdadd B[5300] A tcp
> -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> -P in ipsec ah/transport//require;
> spdadd B A[5300] tcp
> -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> -P in ipsec ah/transport//require;
>
> spdadd A B[5300] udp
> -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> -P out ipsec ah/transport//require;
> spdadd A[5300] B udp
> -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> -P out ipsec ah/transport//require;
> spdadd B[5300] A udp
> -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> -P in ipsec ah/transport//require;
> spdadd B A[5300] udp
> -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> -P in ipsec ah/transport//require;
>
> ... and connect from B to A running netcat using both TCP and UDP I find that
> both the UDP and TCP connections use the same SA on the host generating the
> traffic. Based on the SPD above I wouldn't think that to be the case ...
>
I see this too. I took a brief look at the code and could not readily find where we copy the selector info into the xfrm_state...

Joy

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
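An added illustration (my own, not code from this thread or from the kernel): a small Python model of the SPD lookup above, using constructed placeholder addresses for A and B. It parses the eight spdadd entries, matches A's TCP and UDP replies to B's netcat connections against them, and contrasts keying an SA by the policy's full selector with keying it by endpoints only, which is the collapse Paul reports.

```python
import re
from collections import namedtuple

# Constructed placeholder addresses standing in for the thread's A and B.
A, B = "192.0.2.1", "192.0.2.2"

# The eight spdadd entries from the thread (one per line, A/B substituted).
SPD_TEXT = f"""
spdadd {A} {B}[5300] tcp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" -P out ipsec ah/transport//require;
spdadd {A}[5300] {B} tcp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" -P out ipsec ah/transport//require;
spdadd {B}[5300] {A} tcp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" -P in ipsec ah/transport//require;
spdadd {B} {A}[5300] tcp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" -P in ipsec ah/transport//require;
spdadd {A} {B}[5300] udp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" -P out ipsec ah/transport//require;
spdadd {A}[5300] {B} udp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" -P out ipsec ah/transport//require;
spdadd {B}[5300] {A} udp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" -P in ipsec ah/transport//require;
spdadd {B} {A}[5300] udp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" -P in ipsec ah/transport//require;
"""

Policy = namedtuple("Policy", "src sport dst dport proto direction")
ENDPOINT = re.compile(r"^([\d.]+)(?:\[(\d+)\])?$")  # "addr" or "addr[port]"

def parse_spd(text):
    """Parse setkey spdadd lines into Policy selectors (the -ctx label is ignored)."""
    policies = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "spdadd":
            continue
        src, sport = ENDPOINT.match(tok[1]).groups()
        dst, dport = ENDPOINT.match(tok[2]).groups()
        direction = tok[tok.index("-P") + 1]
        policies.append(Policy(src, int(sport) if sport else None,
                               dst, int(dport) if dport else None, tok[3], direction))
    return policies

def lookup(policies, src, sport, dst, dport, proto, direction):
    """Return the first policy whose selector covers the flow; None means no policy."""
    for p in policies:
        if (p.direction == direction and p.proto == proto and p.src == src
                and p.dst == dst and p.sport in (None, sport) and p.dport in (None, dport)):
            return p
    return None

def sa_key(policy, keep_selector):
    """Key an SA by the policy's full selector, or only by its endpoints."""
    if keep_selector:
        return (policy.src, policy.sport, policy.dst, policy.dport, policy.proto)
    return (policy.src, policy.dst)
```

With the selector kept, A's TCP and UDP replies to B map to distinct SA keys; with only the endpoints kept, both flows collapse onto one key, matching the observation in the thread.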
