← Back to team overview

hipl-core team mailing list archive

Re: About the hipfw-performance branch


On Tue, 14 Sep 2010 09:40:11 +0200, Tobias Heer <heer@xxxxxxxxxxxxxxxxx> wrote:
- opportunistic mode
- midauth
We need to fix this. However, I am confident that the change will be minor.

Yes, opp-mode and midauth might even work right away because the magic happens before recording the SA in the firewall.

- lightweight update
Was there code for this in the firewall? What does it do?

Most of the code is here:
Lightweight update was mentioned because I assumed this is somehow related to updating IP/SPI associations (like ordinary HIP_UDPATE), even though I don't see where that's happening by skimming through the code (looking for dst_addr_list modifications).

A propos: Currently, multiple destination addresses are managed per SPI (i.e., a list is used):
Is this still supported? If so, then I don't see where old addresses are currently purged in the code, i.e. if an SA's IP address updates 10 times to different values, there will be 10 values present in the list (and 10 iptables rules) until the connection is removed completely.