Hi Xin,

> For 'new/update/del', we should do an exact match with
> "mark.v == pol->mark.v && mark.m == pol->mark.m", as these are MSGs to
> manage the policies, every policy should be able to be matched.

Agreed, using an exact match for mark/mask would probably make the most
sense here.

> But for 'get', I'm not sure, shouldn't it be working as how it's used
> in skb rx/tx path, like in xfrm_policy_match()?
> (similar to 'ip route get')
> But maybe for ipsec userland it may be different, what do you think?

Interesting idea.  But I don't think it currently has the same semantics
as RTM_GETROUTE, i.e. you don't pass it e.g. some IP addresses and get
the "best" matching policy back.  We use it to query stats (curlft) of a
specific policy.  Basically, we expect to get back the policy added with
XFRM_MSG_NEWPOLICY or updated with XFRM_MSG_UPDPOLICY when we pass the
same selector/mark.  So I think it should work the same way as the
manipulation operations (i.e. it can continue to share the code path
with delete).

Regards,
Tobias

Reply via email to