From: Patrick M. <ka...@tr...> - 2004-10-19 14:17:20
Herbert Xu wrote:
> What I meant to say is all packets with tunnel mode SAs should be
> rejected since we don't allow optional tunnel transforms for security
> reasons.
>
> This patch fixes it.
>

Looks good. So you agree we should also apply my patch to xfrm_policy_lookup (attached again with a less confusing subject)? It makes packets with a secpath fall through to __xfrm_policy_check when the policy list is empty, so the default policy is always the same. This will break setups with keying daemons that don't add forward policies for tunnel mode SAs.

Regards
Patrick