[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: IPSEC (both stacks) slight adaptation to kauth(9)
elad%NetBSD.org@localhost (Elad Efrat) writes:
>The attached diff addresses this last abuse for uidinfo for
>authorization by doing the following:
> 1. Reorganize the switch statements so they are easier to understand.
> They differ only slightly, and as the networking stacks have enough
> duplicated code as it is, this is a step in the right direction if
> we are to eventually clean them up.
As discussed yesterday, your 'beautified' code just muddles the
separation between privileged and unprivileged case. And if you
think that this is an optimization (and I disagree), it should be
applied in a separate change.
> 2. Remove the 'priv' field of the SP PCB structures from both IPSEC
> and FAST_IPSEC. Isolate it to the relevant context, and retrieve
> its value in runtime and don't cache it.
I think the cached value is there for a reason. Replacing it
with runtime checks silently changes semantics and adds significant
overhead to each outgoing IP packet.
> 3. Replace uid comparison for privileged/unprivileged distinction with
> kauth(9) calls. For now, these are done on the generic scope as I
> have other changes in the pipe; once committed, these will be
> changed to use the network scope.
That's the one thing you should have done...
Michael van Elst
"A potential Snark may lurk in every tree."
Main Index |
Thread Index |