On Thu, 5 Oct 2006, Venkat Yekkirala wrote: > > > - if (xfrm_policy_match(pol, fl, type, family, dir)) { > > > + err = xfrm_policy_match(pol, fl, type, family, dir); > > > + if (err) { > > > + if (err == -ESRCH) > > > + continue; > > > + else { > > > + ret = ERR_PTR(err); > > > + goto fail; > > > + } > > > + } else { > > > > Semantics issue: if the exact policy match fails with > > -EACCESS, should we > > then try an inexact match before failing? > > I wonder what you mean by an inexact match here.
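Review bot: in the error branch of the loop, every return from xfrm_policy_match() other than 0 and -ESRCH ends the walk through `ret = ERR_PTR(err); goto fail;`, so a single policy that returns an error hides any later entry that would have matched. Please add a comment saying that this is intended and which error codes are expected there. Since both arms of `if (err)` leave the iteration (`continue` or `goto fail`), the inner `else` and the trailing `} else {` can be dropped, which keeps the match path at its original indentation.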
There are two policy chains in the kernel: 'bydst' for non-prefixed addresses (e.g. /32 or /128 nodes) and 'byidx' for prefixed addresses. xfrm_policy_lookup_bytype() first checks for a non-prefixed match and then for a prefixed match with a higher priority mark.

So, I wonder if it makes sense to continue on to the prefixed lookup if we get an -EACCESS on the non-prefixed lookup.

Perhaps some further discussion on this with MLS folk is needed, but in any case, I don't think it should block this patchset going in as a bugfix, as the behavior can be changed in a further patch if required.

- James
--
James Morris <[EMAIL PROTECTED]>
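The lookup order described in the message above, as an added user-space C model (not kernel code and not part of the original thread): it shows how the result for one flow changes depending on whether a denial on the non-prefixed chain stops the lookup or lets the prefixed chain be tried. The struct, the function names and the sample policies are hypothetical, -EACCES is the errno constant the thread writes as -EACCESS, and the priority comparison between the two chains is left out.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not kernel code: plen 32 = non-prefixed, sec_ok 0 = flow denied. */
struct policy { unsigned addr, plen; int sec_ok; };

/* Same contract as the hunk: 0 = match, -ESRCH = no match, other = hard error. */
static int policy_match(const struct policy *p, unsigned flow)
{
    unsigned mask = p->plen ? ~0u << (32 - p->plen) : 0;
    if ((flow & mask) != (p->addr & mask))
        return -ESRCH;
    return p->sec_ok ? 0 : -EACCES;
}

/* Walk one chain the way the patched loop does. */
static int walk(const struct policy *c, size_t n, unsigned flow, const struct policy **out)
{
    for (size_t i = 0; i < n; i++) {
        int err = policy_match(&c[i], flow);
        if (err == -ESRCH)
            continue;
        if (!err)
            *out = &c[i];
        return err;   /* 0 on match, otherwise abort the walk */
    }
    return -ESRCH;
}

/* Constructed sample chains: host policy denied, covering /24 policy allowed. */
static const struct policy exact[]   = { { 0x0a000001, 32, 0 } };
static const struct policy inexact[] = { { 0x0a000000, 24, 1 } };

/* Non-prefixed chain first, then prefixed; fall_through = keep going after a denial. */
int lookup(unsigned flow, int fall_through, const struct policy **out)
{
    int err = walk(exact, 1, flow, out);
    if (err == 0 || (err != -ESRCH && !fall_through))
        return err;
    int err2 = walk(inexact, 1, flow, out);
    return err2 == -ESRCH ? err : err2;
}

int main(void)
{
    const struct policy *p = NULL;
    printf("stop: %d, fall through: %d\n", lookup(0x0a000001, 0, &p), lookup(0x0a000001, 1, &p));
    return 0;
}
```

With the sample chains, the same flow is refused outright in one mode and picks up the /24 policy in the other, which is the difference the MLS discussion would have to settle.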