On Fri, 29 Sep 2006, James Morris wrote:

> On Fri, 29 Sep 2006, Paul Moore wrote:
> 
> > > It seems more of a pain to actually
> > > prevent their use at the same time and/or explain strange/unnatural
> > > behavior.
> > 
> > Agreed, the solution that we agreed upon is much easier to implement and
> > explain than a lot of the alternatives.
> 
> Ok, can you please explain it further?
> 
> i.e. show me what the policy looks like, exactly what the user is trying 
> to achieve, and explain what happens to each packet exactly in terms of 
> labeling on the input and output paths.

Also, why can't this be done just with xfrm labeling?

CIPSO is not there to provide a mechanism for separating the label of the 
connection from the label of the data, it's only there to provide interop 
with legacy systems.

If you need to have two labels for a packet (the object and the domain), 
then this needs to be supported directly by xfrm labeling.



- James
-- 
James Morris
<[EMAIL PROTECTED]>