NetBSD-Bugs archive
kern/56783: support the sadb_x_policy_priority extension
>Number: 56783
>Category: kern
>Synopsis: support the sadb_x_policy_priority extension
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Apr 06 18:15:00 +0000 2022
>Originator: Andrew
>Release: mainline
>Organization:
>Environment:
N/A
>Description:
Given two identical policies, one with and one without corresponding state, it isn't possible to specify which should be preferred. Linux and, I suspect, FreeBSD resolve this by specifying the policy's priority (the sadb_x_policy_priority extension) (smallest wins).
For instance (I suspect this requires the SPD acquire extension, which is also missing, but I digress), given a policy with no state, viz.:
192.1.2.45[any] 192.1.2.23[any] 255(reserved)
out ipsec
an outgoing packet to 192.1.2.23 will trigger an acquire event so that the IKE daemon can establish an IPsec tunnel (installing policy+state):
192.1.2.45[any] 192.1.2.23[any] 255(reserved)
out ipsec
esp/transport/192.1.2.45-192.1.2.23/require
spid=2 seq=0 pid=794
refcnt=0
The problem is that the two policies have identical src/dst. Having a priority field lets the kernel resolve this.
>How-To-Repeat:
>Fix:
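To make the ambiguity concrete, the following is a small simulation of SPD lookup (an added example, not part of this PR or of NetBSD's kernel code) with two policies that share the selectors from the report, one of them carrying state. With Linux-style priorities the smallest value wins; without them the kernel can only fall back to table order. The priority values 10 and 100, the "bypass" result for a packet that matches no policy, and the acquire/protect labels are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Policy:
    src: str                         # selector, e.g. "192.1.2.45"
    dst: str
    direction: str                   # "in" or "out"
    priority: Optional[int] = None   # sadb_x_policy_priority; None = extension unsupported
    sa: Optional[str] = None         # installed state, e.g. "esp/transport/.../require"

def matches(p: Policy, src: str, dst: str, direction: str) -> bool:
    return (p.src, p.dst, p.direction) == (src, dst, direction)

def spd_lookup(spd: List[Policy], src: str, dst: str, direction: str) -> Optional[Policy]:
    """Pick the policy to apply.  Among all entries whose selectors match,
    the smallest priority wins (Linux semantics).  If any candidate lacks a
    priority, the only remaining rule is SPD order, which is the ambiguity
    the PR describes."""
    cands = [p for p in spd if matches(p, src, dst, direction)]
    if not cands:
        return None
    if all(p.priority is not None for p in cands):
        return min(cands, key=lambda p: p.priority)
    return cands[0]

def outbound(spd: List[Policy], src: str, dst: str) -> Tuple[str, Optional[Policy]]:
    """Simulated outbound path: 'acquire' when the chosen policy has no SA
    (the IKE daemon must negotiate one), 'protect' when state exists,
    'bypass' when no policy matches (assumed default)."""
    p = spd_lookup(spd, src, dst, "out")
    if p is None:
        return ("bypass", None)
    if p.sa is None:
        return ("acquire", p)
    return ("protect", p)

# Constructed sample SPD: the stateless trap policy from the PR, followed by
# the copy the IKE daemon installs together with its SA.
SA = "esp/transport/192.1.2.45-192.1.2.23/require"
SPD_WITH_PRIORITY = [
    Policy("192.1.2.45", "192.1.2.23", "out", priority=100),          # trap, low preference
    Policy("192.1.2.45", "192.1.2.23", "out", priority=10, sa=SA),    # negotiated, wins
]
SPD_WITHOUT_PRIORITY = [
    Policy("192.1.2.45", "192.1.2.23", "out"),                        # trap, first in table
    Policy("192.1.2.45", "192.1.2.23", "out", sa=SA),                 # negotiated, never reached
]
```

Without the priority field the second table keeps returning the trap entry, so every packet raises another acquire even though an SA already exists.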