On Tue, Mar 19, 2019 at 01:42:53PM -0700, Cong Wang wrote:
>
> IIRC, it is Steffen who suggested to add IPPROTO_ROUTING/IPPROTO_DSTOPTS
> back to commit 6a53b7593233. My xfrm knowledge is not enough to
> figure out IPPROTO_ROUTING/IPPROTO_DSTOPTS.

OK I dug into the history of xfrm_id_proto_match and this is definitely not right. The intention appears to be that IPSEC_PROTO_ANY should only match genuine IPsec protocols, i.e., AH/ESP/COMP, while the special value of zero will match everything.

So I think what we should do is get rid of the validation function that you added in 6a53b7593233, and then change those internal functions which were incorrectly using IPSEC_PROTO_ANY to using zero instead.

Does anybody still use IPPROTO_ROUTING/IPPROTO_DSTOPTS? It's always a pain when people come and add features and then don't shoulder the burden of maintaining them.

Cheers,
--
Email: Herbert Xu <herb...@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt