> The way I was seeing the problem was when connecting via IPsec to a
> confined service on an SELinux box (vsftpd), which did not have the
> appropriate SELinux policy permissions to send packets via IPsec.
>
> The first SYNACK would be blocked,

Given that the resolver fails to find a policy here, I am trying to understand what exactly is blocking it (the first SYNACK) from proceeding without IPSec.

> because of an uncached lookup via
> flow_cache_lookup(), which would fail to resolve an xfrm policy because
> the SELinux policy is checked at that point via the resolver.
>
> However, retransmitted SYNACKs would then find a cached flow entry when
> calling into flow_cache_lookup() with a null xfrm policy, which is
> interpreted by xfrm_lookup() as the packet not having any associated
> policy and similarly to the first case, allowing it to pass without
> transformation.
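The sequence the quoted message describes (a failed, LSM-denied resolve leaves a NULL policy in the flow cache, and the retransmit then treats that NULL as "no policy applies") is easier to follow as a small userspace model. The following C program is an added illustration, not code from this thread or from the Linux kernel: the names flow_cache_lookup() and xfrm_lookup() are borrowed from the discussion, the resolver's SELinux check is reduced to a boolean `lsm_denies`, the SPD is a constructed rule that protects port 21 only, and the `cache_on_error` knob is an assumed contrast (cache the result of a failed resolve, as described above, versus not caching it) rather than a statement about what the kernel actually changed.

```c
/* Toy userspace model of the flow-cache behaviour described in the thread.
 * Added illustration only: none of this is Linux kernel code. The function
 * names are borrowed from the thread; cache_on_error is a constructed knob. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FLOW_CACHE_SLOTS 8

struct xfrm_policy { const char *name; };                   /* opaque stand-in */
struct flow_key { unsigned int saddr, daddr; unsigned short dport; };

struct flow_entry {
    bool used;
    struct flow_key key;
    struct xfrm_policy *policy;           /* NULL is read as "no policy applies" */
};

struct flow_cache {
    struct flow_entry slots[FLOW_CACHE_SLOTS];
    bool cache_on_error;                  /* true: cache even when the resolve failed */
};

enum verdict { DROPPED, SENT_PLAINTEXT, SENT_IPSEC };

/* Resolver: stands in for the SPD walk plus the SELinux check.
 * lsm_denies models a confined service with no permission to use IPsec. */
static int resolver(const struct flow_key *k, bool lsm_denies, struct xfrm_policy **out)
{
    static struct xfrm_policy esp = { "constructed-esp-policy" };
    *out = NULL;
    if (lsm_denies)
        return -EPERM;                    /* denied: caller gets an error and a NULL policy */
    *out = (k->dport == 21) ? &esp : NULL;   /* constructed SPD: protect port 21 only */
    return 0;
}

static bool key_eq(const struct flow_key *a, const struct flow_key *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr && a->dport == b->dport;
}

static struct flow_entry *flow_cache_find(struct flow_cache *c, const struct flow_key *k)
{
    for (int i = 0; i < FLOW_CACHE_SLOTS; i++)
        if (c->slots[i].used && key_eq(&c->slots[i].key, k))
            return &c->slots[i];
    return NULL;
}

/* Returns 0 with *pol set (possibly NULL), or a negative errno. */
int flow_cache_lookup(struct flow_cache *c, const struct flow_key *k, bool lsm_denies,
                      struct xfrm_policy **pol)
{
    struct flow_entry *e = flow_cache_find(c, k);
    if (e) {                              /* a cache hit is taken as authoritative */
        *pol = e->policy;
        return 0;
    }
    int err = resolver(k, lsm_denies, pol);
    if (err && !c->cache_on_error)
        return err;                       /* contrast case: a failed resolve is not cached */
    for (int i = 0; i < FLOW_CACHE_SLOTS; i++) {
        if (!c->slots[i].used) {
            c->slots[i].used = true;
            c->slots[i].key = *k;
            c->slots[i].policy = *pol;    /* after an error this stores NULL, i.e. "no policy" */
            break;
        }
    }
    return err;
}

/* A NULL policy from the cache means "no transform needed": the ambiguity in the thread. */
enum verdict xfrm_lookup(struct flow_cache *c, const struct flow_key *k, bool lsm_denies)
{
    struct xfrm_policy *pol = NULL;
    if (flow_cache_lookup(c, k, lsm_denies, &pol) != 0)
        return DROPPED;
    return pol ? SENT_IPSEC : SENT_PLAINTEXT;
}

/* Replays the scenario for a confined (LSM-denied) sender on one flow:
 * which == 0 returns the first SYNACK's verdict, which == 1 the retransmit's. */
static enum verdict confined_synack(bool cache_on_error, int which)
{
    struct flow_cache c;
    memset(&c, 0, sizeof c);
    c.cache_on_error = cache_on_error;
    struct flow_key k = { 0x0a000001u, 0x0a000002u, 21 };   /* constructed flow key */
    enum verdict first = xfrm_lookup(&c, &k, true);
    enum verdict retransmit = xfrm_lookup(&c, &k, true);
    return which == 0 ? first : retransmit;
}

enum verdict confined_first(bool cache_on_error)      { return confined_synack(cache_on_error, 0); }
enum verdict confined_retransmit(bool cache_on_error) { return confined_synack(cache_on_error, 1); }

/* Control case: an unconfined sender to the given port on a fresh cache. */
enum verdict unconfined_verdict(unsigned short dport)
{
    struct flow_cache c;
    memset(&c, 0, sizeof c);
    struct flow_key k = { 0x0a000001u, 0x0a000002u, dport };
    return xfrm_lookup(&c, &k, false);
}

int main(void)
{
    static const char *names[] = { "DROPPED", "SENT_PLAINTEXT", "SENT_IPSEC" };
    printf("cache errors:     first=%s retransmit=%s\n",
           names[confined_first(true)], names[confined_retransmit(true)]);
    printf("skip on error:    first=%s retransmit=%s\n",
           names[confined_first(false)], names[confined_retransmit(false)]);
    return 0;
}
```

With `cache_on_error` set, the model reproduces the thread exactly: the first SYNACK is dropped because the resolve fails, the retransmit hits the cached NULL and leaves in plaintext. With the knob cleared, every retransmit goes back through the resolver and is dropped again, which is the behaviour a confined service should see. The general point for any policy cache is that "lookup failed" and "lookup succeeded with no policy" must not share a representation.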