From: James Morris <[EMAIL PROTECTED]>
Date: Thu, 5 Oct 2006 16:54:38 -0400 (EDT)
> > #ifdef CONFIG_XFRM_SUB_POLICY
> > pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_SUB, fl, family, dir);
> > - if (pol)
> > + if (IS_ERR(pol)) {
> > + err = PTR_ERR(pol);
> > + pol = NULL;
> > + }
> > + if (pol || err)
> > goto end;
>
> Similarly, if the sub-policy lookup returns -EACCESS, should we then try a
> main policy lookup before failing?
We're trying to fill the flow cache here. In the case where we'd
have a match in both the sub-policy and main table, I think the
sub-policy is supposed to take precedence, and if you fail to get
this sub-policy you should fail the entire lookup.
The way the sub-policied entries work is that you find the sub-policy
as the primary object in the flow cache, and once you notice you have
a sub-policy you do an explicit lookup in the main table to put the
whole thing together.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
