Re: On transport-level policy enforcement (was Re: RFC 2401...)
> Actually, per-host policy can be implemented by a policy entry with
> filter "0.0.0.0/0". I don't remember why it is not done yet.
That makes sense.
> Because of some complexity (*) we have in our code, we do not cache
> packet filter policy into inpcb. It definitely makes sense to cache it.
> BTW, the cache-in-pcb way does not work well if the BSD box is used
> as a router :-)
In Solaris, tunnels are interfaces over the "IP device". Since sockets are
also opens of the "TCP/IP device," "UDP/IP device," or the "raw IP device,"
tunnels have pcbs just like sockets do!
OTOH if your tunnels have complex rules (e.g. varieties of per-flow
policies), then per-pcb-caching breaks down.
> also, if we cache policy, inpcb management will get more complex -
> need to make sure we do not have dangling pointer from inpcb to policy
> entry.
Heh heh. That's a tricky one, but it's doable. Throw multithreading issues
in if you want extra fun! :)
Dan
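The cache-in-pcb scheme and the dangling-pointer problem discussed above, as an added example that is not KAME or Solaris code: a small SPD whose entries are reference-counted, a pcb that caches the matching entry together with the SPD generation it was taken from, and a "0.0.0.0/0" entry acting as the per-host default. The names (`spd_add`, `spd_remove`, `inpcb_policy`, `inpcb_detach`), the generation counter and the sample address 10.0.0.1 are all assumptions made for this illustration; a real kernel would additionally need locking or atomic operations around the refcounts and the generation check.

```c
#include <stdint.h>
#include <stdlib.h>

/* Illustrative SPD entry: IPv4 prefix filter plus an action.  Refcounted so a
 * pointer cached in a pcb cannot dangle after the entry leaves the SPD.
 * Hypothetical code written for this example, not KAME or Solaris source. */
enum action { BYPASS = 0, PROTECT = 1 };

struct policy {
    uint32_t net, mask;      /* host byte order */
    enum action act;
    int refcnt;              /* SPD holds one ref, each caching pcb holds one */
    struct policy *next;
};

struct spd {
    struct policy *head;
    unsigned gen;            /* bumped on every add/remove; invalidates caches */
};

/* pcb with a cached policy pointer and the SPD generation it was taken from */
struct inpcb {
    struct policy *sp_cache;
    unsigned sp_gen;
};

static void policy_hold(struct policy *p) { p->refcnt++; }
static void policy_rele(struct policy *p) { if (--p->refcnt == 0) free(p); }

struct policy *spd_add(struct spd *s, uint32_t net, int plen, enum action act)
{
    struct policy *p = calloc(1, sizeof *p);
    p->mask = plen ? 0xffffffffu << (32 - plen) : 0;   /* plen 0 == 0.0.0.0/0 */
    p->net = net & p->mask;
    p->act = act;
    p->refcnt = 1;                                     /* the SPD's own reference */
    p->next = s->head;
    s->head = p;
    s->gen++;
    return p;
}

int spd_remove(struct spd *s, struct policy *victim)
{
    for (struct policy **pp = &s->head; *pp; pp = &(*pp)->next) {
        if (*pp == victim) {
            *pp = victim->next;
            s->gen++;                /* every cached pointer is now stale */
            policy_rele(victim);     /* freed only when no pcb still holds it */
            return 1;
        }
    }
    return 0;
}

/* Longest-prefix match; the 0.0.0.0/0 entry is the per-host default. */
static struct policy *spd_lookup(struct spd *s, uint32_t dst)
{
    struct policy *best = NULL;
    for (struct policy *p = s->head; p; p = p->next)
        if ((dst & p->mask) == p->net && (!best || p->mask > best->mask))
            best = p;
    return best;
}

/* Cached lookup: trust the cached pointer only while the SPD generation
 * matches; otherwise release it and look the policy up again. */
struct policy *inpcb_policy(struct inpcb *pcb, struct spd *s, uint32_t dst)
{
    if (pcb->sp_cache && pcb->sp_gen == s->gen)
        return pcb->sp_cache;
    if (pcb->sp_cache) {
        policy_rele(pcb->sp_cache);
        pcb->sp_cache = NULL;
    }
    struct policy *p = spd_lookup(s, dst);
    if (p) {
        policy_hold(p);
        pcb->sp_cache = p;
        pcb->sp_gen = s->gen;
    }
    return p;
}

/* Must run when the pcb goes away, or the policy entry leaks. */
void inpcb_detach(struct inpcb *pcb)
{
    if (pcb->sp_cache) {
        policy_rele(pcb->sp_cache);
        pcb->sp_cache = NULL;
    }
}

/* Walk through the scenario: default cached, more specific entry added, then
 * removed while the pcb still references it.  Returns a bitmask of checks. */
int demo(void)
{
    struct spd s = {0};
    struct inpcb pcb = {0};
    const uint32_t dst = 0x0a000001u;                 /* 10.0.0.1, constructed */
    int ok = 0;

    struct policy *def = spd_add(&s, 0, 0, BYPASS);   /* 0.0.0.0/0 default */
    if (inpcb_policy(&pcb, &s, dst) == def) ok |= 1;  /* cached from the SPD */

    struct policy *spec = spd_add(&s, 0x0a000000u, 8, PROTECT);  /* 10.0.0.0/8 */
    if (inpcb_policy(&pcb, &s, dst) == spec) ok |= 2; /* gen bumped: re-lookup */

    spd_remove(&s, spec);                             /* SPD drops its ref */
    if (spec->refcnt == 1) ok |= 4;                   /* pcb's ref keeps it alive */
    if (inpcb_policy(&pcb, &s, dst) == def) ok |= 8;  /* stale cache released, spec freed */

    inpcb_detach(&pcb);
    spd_remove(&s, def);
    return ok;
}
```

The generation counter is what makes the cache safe on a box whose SPD changes under it: a pcb never dereferences a stale pointer because the stale entry is held alive by its refcount until the pcb notices the generation mismatch and releases it. The router case from the thread is still not covered, since forwarded packets have no pcb to cache in.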