Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Daniil Stolnikov
> Simple, you break a range policy into parts that can be expressed as network/mask and install multiple policies. The actual policies in the kernel just have to have the same effect as the one you negotiated with the other side, it does not have to look the same. This is also why you can

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Herbert Xu
Daniil Stolnikov wrote:
>> Like I said, if you want address ranges, ask the userland IPSEC daemon authors to synthesize it.
>
> In this letter, the mailing list http://marc.info/?l=strongswan-users&m=130613736616488&w=4 strongswan-users say that their product has support for IP ranges, b

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Daniil Stolnikov
Herbert Xu wrote:
> Alternatively you can do this with marking and use netfilter to set the mark.
> Cheers,

We focus on connections to devices zywall. If you choose to zywall IP range as the remote side will not harmonize policies. The connection is not established. And this alternative mak

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Daniil Stolnikov
> Like I said, if you want address ranges, ask the userland IPSEC daemon authors to synthesize it.

In this letter, the mailing list http://marc.info/?l=strongswan-users&m=130613736616488&w=4 strongswan-users say that their product has support for IP ranges, but the stack of Linux is based on

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Herbert Xu
David Miller wrote:
>
> Like I said, if you want address ranges, ask the userland IPSEC daemon authors to synthesize it.

Alternatively you can do this with marking and use netfilter to set the mark.

Cheers,
--
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread David Miller
From: Daniil Stolnikov
Date: Wed, 9 Nov 2011 09:36:07 +0800

> I never imagined that it will cause some difficulties.

Every feature has side effects and costs associated with it. Some of which can be non-trivial. Like I said, if you want address ranges, ask the userland IPSEC daemon authors to s

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Daniil Stolnikov
> From: Daniil Stolnikov
> Date: Tue, 08 Nov 2011 12:40:13 +0400
>> I turned to you, the developers, but rather to urge you to implement this feature using IP range.
> This won't be implemented, the keys used for IPSEC rule lookups supported by the kernel are already way too complex.
> Fro

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread David Miller
From: Alexey Dobriyan
Date: Tue, 8 Nov 2011 14:08:24 +0200

> changing addr_match() is trivial for ipv4 and easy for ipv6. :-)

No, this is not happening. This added complexity screws up all the hash table and lookup optimizations we have in the XFRM layer.

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread David Miller
From: Daniil Stolnikov
Date: Tue, 08 Nov 2011 12:40:13 +0400

> I turned to you, the developers, but rather to urge you to implement this feature using IP range.

This won't be implemented, the keys used for IPSEC rule lookups supported by the kernel are already way too complex. Ranges can be s

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Daniil Stolnikov
> On Tue, Nov 8, 2011 at 8:24 AM, Peter P Waskiewicz Jr wrote:
>> On Mon, 2011-11-07 at 19:10 -0800, Daniil Stolnikov wrote:
>>> Hello!
>>>
>>> Found that the stack IPSec in Linux does not support any IP range. Many people ask this question. The archives say strongswan said that their

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Alexey Dobriyan
On Tue, Nov 8, 2011 at 8:24 AM, Peter P Waskiewicz Jr wrote:
> On Mon, 2011-11-07 at 19:10 -0800, Daniil Stolnikov wrote:
>> Hello!
>>
>> Found that the stack IPSec in Linux does not support any IP range. Many people ask this question. The archives say strongswan said that their daemon sup

Re: Add IPSec IP Range in Linux kernel

2011-11-08 Thread Daniil Stolnikov
> On Mon, 2011-11-07 at 19:10 -0800, Daniil Stolnikov wrote:
>> Hello!
>>
>> Found that the stack IPSec in Linux does not support any IP range. Many people ask this question. The archives say strongswan said that their daemon supports a range, but the Linux IPSec stack supports only the su

Re: Add IPSec IP Range in Linux kernel

2011-11-07 Thread Peter P Waskiewicz Jr
On Mon, 2011-11-07 at 19:10 -0800, Daniil Stolnikov wrote:
> Hello!
>
> Found that the stack IPSec in Linux does not support any IP range. Many people ask this question. The archives say strongswan said that their daemon supports a range, but the Linux IPSec stack supports only the subnets.

Add IPSec IP Range in Linux kernel

2011-11-07 Thread Daniil Stolnikov
Hello! Found that the stack IPSec in Linux does not support any IP range. Many people ask this question. The archives say strongswan said that their daemon supports a range, but the Linux IPSec stack supports only the subnets. I am writing to you to implement support for IP range in Linux. I th