Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Sat, 20 Mar 2004 15:01:55 +0100
Cc: "David S. Miller" <davem@xxxxxxxxxx>, netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20040319210525.GA479@gondor.apana.org.au>
References: <20040308110331.GA20719@gondor.apana.org.au> <404C874D.4000907@trash.net> <20040308115858.75cdddca.davem@redhat.com> <4059CF17.8090907@trash.net> <20040319115130.GE29066@gondor.apana.org.au> <405B2132.6060403@trash.net> <20040319210525.GA479@gondor.apana.org.au>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040122 Debian/1.6-1

Herbert Xu wrote:

Actually it was me who was confused. ip_route_me_harder can be called on both incoming/outgoing packets. That's what the if clause is trying to determine. You should only call xfrm_lookup on the outgoing path.

No, ip_route_me_harder is currently (without the patches) only called for outgoing packets. The if-clause is there because ip_route_output doesn't handle packets with non-local source, and we don't want to set the source to 0 (as was done before) because it prevents policy routing from working properly. That's why we need the xfrm_lookup for both cases.

Regards
Patrick


So this should be moved back to the if clause above:

                fl.proto = iph->protocol;
                lookup = __ip_route_output_key;
#ifdef CONFIG_XFRM
                if (!(IPCB(*pskb)->flags & IPSKB_XFRM_TRANSFORMED)) {
                        lookup = ip_route_output_key;
                        do_decode
                }
#endif
                if (lookup(&rt, &fl) != 0)
                        return -1;
