
Re: [RFC, PATCH 3/5]: netfilter+ipsec - input hooks

To: Patrick McHardy <kaber@xxxxxxxxx>
Subject: Re: [RFC, PATCH 3/5]: netfilter+ipsec - input hooks
From: "David S. Miller" <davem@xxxxxxxxxx>
Date: Thu, 18 Mar 2004 22:15:23 -0800
Cc: herbert@xxxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4059CF0E.3050708@trash.net>
References: <20040308110331.GA20719@gondor.apana.org.au> <404C874D.4000907@trash.net> <20040308115858.75cdddca.davem@redhat.com> <4059CF0E.3050708@trash.net>
Sender: netdev-bounce@xxxxxxxxxxx
On Thu, 18 Mar 2004 17:32:14 +0100
Patrick McHardy <kaber@xxxxxxxxx> wrote:

> If the protocol handler of a packet with a secpath
> pointer is a non-xfrm-protocol the packet was handled by ipsec and
> is done now, it traverses the PRE_ROUTING and LOCAL_IN hooks then.
> This catches packets from both tunnel-mode and transport-mode SAs.

Be careful!  xfrm4_tunnel handles both uncompressed ipcomp packets
_and_ IPIP encapsulator device packets.  Yet you will interpret usage
of the ipprot as 'xfrm_prot==1' in all cases.

Yes this is ugly... if we added some kind of flag bit-mask to sk_buff,
would that allow an easier implementation?
