Hi Xin,

> For 'new/update/del', we should do an exact match with
> "mark.v == pol->mark.v && mark.m == pol->mark.m", as these are MSGs to
> manage the policies, every policy should be able to be matched.

Agreed, using an exact match for mark/mask would probably make the most sense here.

> But for 'get', I'm not sure, shouldn't it be working as how it's used
> in skb rx/tx path, like in xfrm_policy_match()?
> (similar to 'ip route get')
> But maybe for ipsec userland it may be different, what do you think?

Interesting idea. But I don't think it currently has the same semantics as RTM_GETROUTE, i.e. you don't pass it e.g. some IP addresses and get the "best" matching policy back. We use it to query stats (curlft) of a specific policy. Basically, we expect to get back the policy added with XFRM_MSG_NEWPOLICY or updated with XFRM_MSG_UPDPOLICY when we pass the same selector/mark. So I think it should work the same way as the manipulation operations (i.e. it can continue to share the code path with delete).

Regards,
Tobias
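The difference between the two match styles discussed above, as an added illustration that is not part of the thread or of the kernel's xfrm code: a simplified mark/mask struct, a packet-path style masked check, and the exact value-and-mask check proposed for the management messages. The struct, function names and the sample policies are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for a policy's mark/mask pair (assumed, not the kernel type). */
struct mark {
    uint32_t v;  /* mark value */
    uint32_t m;  /* mask applied to the packet mark before comparing */
};

/* Packet-path style check: the policy matches if the skb mark, masked, equals the value. */
static int mark_matches_skb(uint32_t skb_mark, const struct mark *pol)
{
    return (skb_mark & pol->m) == pol->v;
}

/* Count how many installed policies a masked (skb-style) lookup would accept. */
int count_masked(uint32_t skb_mark, const struct mark *pols, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (mark_matches_skb(skb_mark, &pols[i]))
            hits++;
    return hits;
}

/* Management-style lookup: value and mask must both be identical.
 * Returns the index of the single matching policy, or -1 if none matches. */
int find_exact(const struct mark *req, const struct mark *pols, int n)
{
    for (int i = 0; i < n; i++)
        if (req->v == pols[i].v && req->m == pols[i].m)
            return i;
    return -1;
}

int main(void)
{
    /* Constructed sample: two policies share a value but differ in mask, so a
     * masked lookup cannot tell them apart while an exact lookup can. */
    struct mark pols[] = { { 0x1, 0xff }, { 0x1, 0xffff } };
    struct mark req = { 0x1, 0xffff };

    printf("masked lookup for mark 0x1 hits %d policies\n", count_masked(0x1, pols, 2));
    printf("exact lookup returns index %d\n", find_exact(&req, pols, 2));
    return 0;
}
```

The masked lookup reports both policies, which is why a 'get' that is meant to return one specific policy's stats needs the exact comparison.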