From: David Miller Subject: Re: Add IPSec IP Range in Linux kernel Date: Tue, 08 Nov 2011 20:42:53 -0500 (EST) Message-ID: <20111108.204253.891598837549584662.davem@davemloft.net> References: <20111108.121620.2044664919065812135.davem@davemloft.net> <1289495586.20111109093607@mail.ru> Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, adobriyan@gmail.com, peter.p.waskiewicz.jr@intel.com To: danila.st@mail.ru Return-path: Received: from shards.monkeyblade.net ([198.137.202.13]:56647 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752718Ab1KIBnB (ORCPT ); Tue, 8 Nov 2011 20:43:01 -0500 In-Reply-To: <1289495586.20111109093607@mail.ru> Sender: linux-crypto-owner@vger.kernel.org List-ID: From: Daniil Stolnikov Date: Wed, 9 Nov 2011 09:36:07 +0800 > I never imagined that it will cause some difficulties. Ever feature has side effects and costs associated with it. Some of which can be non-trivial. Like I said, if you want address ranges, ask the userland IPSEC daemon authors to synthesize it. I'm really not able to devote the time necessary to explain every nuance of how we store IPSEC rules in the kernel side database and what implications that has for expanding the kind of match keys we support.