[Swan-commit] Changes to ref refs/heads/main
Andrew Cagney
cagney at vault.libreswan.fi
Fri Nov 25 18:04:30 EET 2022
New commits:
commit b85b6e3e6fb908af31b41339ecb7a05a664ba412
Author: Andrew Cagney <cagney at gnu.org>
Date: Fri Nov 25 08:56:29 2022 -0500
kernel: drop eclipsed() code

With KLIPS, which didn't support kernel policy priorities, a
connection template with /32 subnet (a bare kernel policy) could find
its kernel policy being eclipsed (scribbled on and then deleted) by a
connection instance with an identical /32 subnet.

In an attempt to get around this the eclipsed() code would try to
juggle the two policies, restoring the template's bare kernel policy
when the connection instance was deleted.

With traffic selectors and narrowing, this code completely fails. For
instance this can't handle a template with a /31 subnet being eclipsed
by an instance with two narrowed /32 subnets. Hence it is being
dropped.

The XFRM backend implements priorities so this isn't needed.
The FreeBSD kernel seems to support priorities (ref #740).

close #681