Herbert Xu wrote:
On Thu, Mar 18, 2004 at 05:32:14PM +0100, Patrick McHardy wrote:
diff -Nru a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
--- a/net/ipv4/ip_input.c Thu Mar 18 16:45:35 2004
+++ b/net/ipv4/ip_input.c Thu Mar 18 16:45:35 2004
@@ -224,6 +224,12 @@
resubmit:
hash = protocol & (MAX_INET_PROTOS - 1);
raw_sk = sk_head(&raw_v4_htable[hash]);
+ ipprot = inet_protos[hash];
+ smp_read_barrier_depends();
+
+ if (skb->sp && !ipprot->xfrm_prot)
+ if (nf_postxfrm_input(skb))
+ goto out;
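Review bot: the added lines dereference ipprot->xfrm_prot right after loading inet_protos[hash], and no NULL check on ipprot is visible in the hunk; if that slot can be empty for a protocol number nobody registered, a packet carrying such a protocol field would hit a NULL dereference here, before the existing protocol dispatch later in the function gets to validate the slot. Suggest guarding the test, e.g. `if (ipprot && skb->sp && !ipprot->xfrm_prot)`, or moving the xfrm_prot check to where ipprot is already validated. Minor: the smp_read_barrier_depends() deserves a one-line comment naming the store it pairs with, and the two nested ifs can be folded into one condition.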
Just an idea: what if we reinject the packet just as we do in tunnel mode?

If we also have a possibility to determine when decapsulation is done,
we could avoid the nf_postxfrm_* hacks. Without that, I don't think it
helps.
@@ -346,6 +351,10 @@
}
}
+ if (skb->sp && !(((struct rtable *)skb->dst)->rt_flags&RTCF_LOCAL))
+ if (nf_postxfrm_nonlocal(skb))
+ goto drop;
+
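Review bot: the RTCF_LOCAL test reads the route already attached to the skb before nf_postxfrm_nonlocal() runs, so the local/non-local decision is frozen at that point; if the hook can change the packet's destination (the PRE_ROUTING question raised in the reply), the cached dst is stale when processing continues and the packet can take the wrong path. Suggest releasing skb->dst and re-running the route lookup after the hook returns 0, then re-testing rt_flags, rather than relying on the pre-hook route. Minor: `rt_flags&RTCF_LOCAL` should be spaced as `rt_flags & RTCF_LOCAL`, and the trailing added blank line can go.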
What if the PRE_ROUTING turns it into a local address again?

You have good eyes ;) The packet needs to be rerouted in
nf_postxfrm_nonlocal and needs to be special-cased in nf_postxfrm_input
so it doesn't traverse PRE_ROUTING twice.
Thanks for your other suggestions as well, I'm going to make these
changes.
Regards
Patrick