tech-net archive


Re: getsockopt(IP[V6]_IPSEC_POLICY) does not work



  If I understand correctly, the ipsec code is of external origin to
  NetBSD,

From KAME, but then we have FAST_IPSEC.

  but it seems that this part of the API needs to be rethought in
  general. There are some ways I can think of to move on with this:

  - remove that code from the get path entirely
  - #if 0 that code in the get path and let it rot
  - create extra option names _INWARD and _OUTWARD

At first thought this seems good.  setkey uses separate policy lines for
in and out and thus it makes sense for a socket to have both inbound and
outbound policy.

I doubt anyone is really using this, because racoon doesn't cope with
generating SAs for per-socket policy, or at least didn't use to, but I
suppose if there are static SAs they would be used.

  - version the _IPSEC_POLICY names and sadb_x_policy structure so
     that it contains inward AND outward policy.

Changing sadb_x_policy is unappealing - I suspect that's pretty pervasive.

  - make getsockopt copy in the buffer



