Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup

To: Patrick McHardy <kaber@xxxxxxxxx>
Subject: Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Sun, 21 Mar 2004 17:35:12 +1100
Cc: "David S. Miller" <davem@xxxxxxxxxx>, netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <405C4ED3.4030004@xxxxxxxxx>
References: <20040308110331.GA20719@xxxxxxxxxxxxxxxxxxx> <404C874D.4000907@xxxxxxxxx> <20040308115858.75cdddca.davem@xxxxxxxxxx> <4059CF17.8090907@xxxxxxxxx> <20040319115130.GE29066@xxxxxxxxxxxxxxxxxxx> <405B2132.6060403@xxxxxxxxx> <20040319210525.GA479@xxxxxxxxxxxxxxxxxxx> <405C4ED3.4030004@xxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.5.1+cvs20040105i

On Sat, Mar 20, 2004 at 03:01:55PM +0100, Patrick McHardy wrote:
> Herbert Xu wrote:
> >
> >Actually it was me who was confused.  ip_route_me_harder can be called
> >on both incoming/outgoing packets.  That's what the if clause is trying
> >to determine.  You should only call xfrm_lookup on the outgoing path.
> 
> No, ip_route_me_harder is currently (without the patches) only called
> for outgoing packets. The if-clause is there because ip_route_output
> doesn't handle packets with non-local source, and we don't want to set
> the source to 0 (as was done before) because it prevents policy routing
> from working properly. That's why we need the xfrm_lookup for both
> cases.

You're right.  Sorry for the confusion.
-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
