> If I understand correctly, the ipsec code is of external origin to
> NetBSD,

From KAME, but then we have FAST_IPSEC.

> but it seems that this part of the API needs to be rethought in
> general. There are some ways I can think of to move on with this:
> - remove that code from the get path entirely
> - #if 0 that code in the get path and let it rot
> - create extra option names _INWARD and _OUTWARD

At first thought this seems good. setkey uses separate policy lines for
in and out and thus it makes sense for a socket to have both inbound and
outbound policy.
I doubt anyone is really using this, because racoon doesn't cope with
generating SAs for per-socket policy, or at least didn't use to, but I
suppose if there are static SAs they would be used.

> - version the _IPSEC_POLICY names and sadb_x_policy structure so
> that it contains inward AND outward policy.

Changing sadb_x_policy is unappealing - I suspect that's pretty pervasive.

> - make getsockopt copy in the buffer