
#9 Add Policy Priority Support

closed
nobody
None
5
2005-05-13
2004-05-14
Brian Buesker
No

Here is the patch as discussed in the "Policy Priority
Syntax" thread. It allows a user to set the priority of
a security policy when using setkey or
ipsec_set_policy. The new syntax is described in the
man pages and basically consists of adding a keyword to
indicate that the priority is being specified (one of
"prio" or "priority") followed by either an integer
which is an offset from the default priority, or a
simple arithmetic expression consisting of one of the
defined priority levels ("low", "def", and "high") with
an unsigned integer added or subtracted from it.

As stated in the manpage, as far as setkey is
concerned, policies with higher priorities are placed
earlier in the SPD than those with lower priorities.
Ties are broken by ordering them in a FIFO manner.

The following two example spdadd statements do exactly
the same thing:

spdadd 1.2.3.4 5.6.7.8 udp -P out prio def + 1 ipsec
esp/transport//require;
spdadd 1.2.3.4 5.6.7.8 udp -P out prio 1 ipsec
esp/transport//require;

If the priority is not specified, all policies will be
inserted at the default priority.

Support for policy priorities will only be enabled if
the kernel support is detected by the configure script
(the 2.6.6 kernel supports it). If you compile setkey
against a kernel that supports priorities and then use
it with a kernel that does not support them, you will
receive a warning message indicating that the kernel
does not support it after inserting your first security
policy.

The patch is against ipsec-tools 0.3.1. I will also
place this patch in the patches section of the
SourceForge project page. If you have any questions
regarding this patch, please feel free to contact me.

Brian Buesker
Engineer
QUALCOMM
5775 Morehouse Dr.
San Diego, CA 92121

Email: bbuesker@qualcomm.com

WARRANTY DISCLAIMER: LIMITATION OF LIABILITY. THE
SOFTWARE AND CONTENT ARE PROVIDED "AS IS" WITH NO
EXPRESS OR IMPLIED REPRESENTATIONS, GUARANTEES, OR
WARRANTIES, INCLUDING BUT NOT LIMITED TO SUCH
REPRESENTATION, GUARANTEES OR WARRANTIES REGARDING THE
USABILITY, SUITABILITY, CONDITION, OPERATION OR
ACCURACY THEREOF.

ALL OTHER WARRANTIES AND CONDITIONS (EXPRESS, IMPLIED
OR STATUTORY) ARE HEREBY DISCLAIMED, SUCH WARRANTIES
AND CONDITIONS INCLUDING WITHOUT LIMITATION, ALL
WARRANTIES AND CONDITIONS OF MERCHANTABILITY, TITLE,
FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT,
COMPATIBILITY, AND SECURITY OR ACCURACY.
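
Added example (not part of the original ticket or of the ipsec-tools patch): a small Python model of the priority syntax and SPD ordering described in the post above, useful for checking where a rule will land before loading a setkey configuration. The numeric values for "low", "def" and "high" and the 192.0.2.x sample statements are assumptions constructed for illustration.

```python
import re

# Assumption: the post names the levels but not their values; these offsets
# from the default priority are placeholders, not the patch's constants.
LEVELS = {"low": -1000, "def": 0, "high": 1000}

# Priority argument: a signed integer offset, or <level> (+|-) <unsigned int>.
PRIO = re.compile(r"(?:(low|def|high)\s*([+-])\s*(\d+)|([+-]?\d+))\Z")
# Optional "prio"/"priority" clause between the direction and the policy type.
STMT = re.compile(r"-P\s+(?:in|out|fwd)\s+(?:(?:priority|prio)\s+(.+?)\s+)?"
                  r"(?:ipsec|discard|none)\b")


def parse_priority(expr):
    """Return the priority as an offset from the default priority."""
    m = PRIO.match(expr.strip())
    if m is None:
        raise ValueError(f"bad priority expression: {expr!r}")
    level, sign, amount, plain = m.groups()
    if plain is not None:
        return int(plain)
    return LEVELS[level] + (int(amount) if sign == "+" else -int(amount))


def statement_priority(stmt):
    """Priority of one spdadd statement; default (0) when none is given."""
    m = STMT.search(stmt)
    if m is None:
        raise ValueError("no -P policy specification found")
    return 0 if m.group(1) is None else parse_priority(m.group(1))


def spd_order(statements):
    """Model the ordering: higher priority first, ties kept FIFO."""
    spd = []
    for stmt in statements:
        prio = statement_priority(stmt)
        # Insert ahead of the first entry with strictly lower priority.
        idx = next((i for i, (p, _) in enumerate(spd) if p < prio), len(spd))
        spd.insert(idx, (prio, stmt))
    return [s for _, s in spd]


# Constructed sample statements (documentation addresses, not from the ticket).
SAMPLE = [
    "spdadd 192.0.2.1 192.0.2.2 udp -P out ipsec esp/transport//require;",
    "spdadd 192.0.2.1 192.0.2.3 udp -P out prio def + 1 ipsec esp/transport//require;",
    "spdadd 192.0.2.1 192.0.2.4 udp -P out priority 1 ipsec esp/transport//require;",
    "spdadd 192.0.2.1 192.0.2.5 udp -P out prio low + 5 discard;",
]
```

Calling spd_order(SAMPLE) returns the statements in modelled lookup order, so a broad low-priority rule that would be shadowed by, or would shadow, a more specific one shows up before the policies are installed.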

Discussion

  • Brian Buesker
    2004-05-14

     
    Attachments
  • Logged In: NO

    ffff

     
  • Aidas Kasparas
    2005-05-13

    • status: open --> closed
     
  • Timo Teras
    2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for, please submit a new bug report to the https://trac.ipsec-tools.net/ issue tracker. Thank you.