    [XFRM] POLICY: sub policy support. · 4e81bb83
    Masahide NAKAMURA authored
    Sub policy is introduced. Main and sub policies are applied to the same flow.
    (The policy that the current kernel uses is named main.)
    Another transformation policy management is required to keep IPsec
    and Mobile IPv6 lives separate.
    The policy which lives a shorter time in the kernel should be a sub, i.e. normally
    main is for IPsec and sub is for Mobile IPv6.
    (Such usage as two IPsec policies on different databases can be used, too.)
    
    Limitation or TODOs:
     - Sub policy is not supported for per socket one (it is always inserted as main).
     - Current kernel makes cached outbound with flowi to skip searching database.
       However this patch makes it disabled only when "two policies are used and
       the first matched one is bypass case" because neither flowi nor bundle
       information knows about transformation template size.
    Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
xfrm_policy.c 38.9 KB