
hipl-core team mailing list archive

Re: About the hipfw-performance branch


On Tue, 14 Sep 2010 09:40:11 +0200, Tobias Heer <heer@xxxxxxxxxxxxxxxxx> wrote:
> - opportunistic mode
> - midauth
> We need to fix this. However, I am confident that the change will be minor.

Yes, opp-mode and midauth might even work right away because the magic happens before recording the SA in the firewall.

> - lightweight update
> Was there code for this in the firewall? What does it do?

Most of the code is here:
http://bazaar.launchpad.net/~christof-mroz/hipl/hipfw-performance/annotate/head%3A/firewall/esp_prot_conntrack.c#L992
Lightweight update was mentioned because I assumed this is somehow related to updating IP/SPI associations (like ordinary HIP_UPDATE), even though I don't see where that's happening by skimming through the code (looking for dst_addr_list modifications).

Apropos: Currently, multiple destination addresses are managed per SPI (i.e., a list is used):
http://bazaar.launchpad.net/~christof-mroz/hipl/hipfw-performance/annotate/head%3A/firewall/firewall_defines.h#L88
Is this still supported? If so, then I don't see where old addresses are currently purged in the code, i.e., if an SA's IP address updates 10 times to different values, there will be 10 values present in the list (and 10 iptables rules) until the connection is removed completely.
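To make the purging concern concrete, here is an added example in C; it is a hypothetical model, not HIPL's own firewall code, and the struct, function names, the MAX_DST cap and the 192.0.2.x sample addresses are all constructed. It contrasts appending a new peer address on every update with a rebind that purges the address being left first, and bounds the per-SA list so stale state cannot grow without limit.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical model, not HIPL code: the state one SA (keyed by SPI) holds in the
 * firewall, a bounded list of peer addresses, each standing for one installed rule. */
#define MAX_DST 16
struct sa_state {
    char dst[MAX_DST][16];   /* IPv4 dotted strings; all sample data is constructed */
    int n_dst;               /* live addresses == rules currently held for this SA */
};

/* Add a destination (and its rule). Ignores duplicates, enforces the cap. 0 = ok, -1 = full. */
int sa_add_dst(struct sa_state *sa, const char *addr)
{
    for (int i = 0; i < sa->n_dst; i++)
        if (strcmp(sa->dst[i], addr) == 0) return 0;
    if (sa->n_dst >= MAX_DST) return -1;
    snprintf(sa->dst[sa->n_dst++], sizeof sa->dst[0], "%s", addr);
    return 0;
}

/* Remove a destination (and delete its rule). 1 = purged, 0 = address was not present. */
int sa_del_dst(struct sa_state *sa, const char *addr)
{
    int i = 0;
    while (i < sa->n_dst && strcmp(sa->dst[i], addr) != 0) i++;
    if (i == sa->n_dst) return 0;
    memmove(sa->dst[i], sa->dst[i + 1], (size_t)(sa->n_dst - i - 1) * sizeof sa->dst[0]);
    sa->n_dst--;
    return 1;
}

/* Address change: purge the address being left before adding the new one, so N updates leave 1 live entry, not N. */
int sa_rebind_dst(struct sa_state *sa, const char *old_addr, const char *new_addr)
{
    sa_del_dst(sa, old_addr);
    return sa_add_dst(sa, new_addr);
}

/* Simulate 'updates' address changes on one SA; return how many addresses remain. */
int dst_count_after_updates(int updates, int purge_old)
{
    struct sa_state sa = { .n_dst = 0 };
    char prev[16] = "", next[16];
    for (int i = 0; i < updates; i++) {
        snprintf(next, sizeof next, "192.0.2.%d", 1 + i);   /* RFC 5737 test range */
        if (purge_old) sa_rebind_dst(&sa, prev, next); else sa_add_dst(&sa, next);
        strcpy(prev, next);
    }
    return sa.n_dst;
}
```

With purge_old set, ten updates leave a single address (and a single rule); without it, the list and the rule count grow by one per update until the cap stops them.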
