On Tue, Nov 23, 2004 at 07:42:25PM +1100, Herbert Xu wrote:
> Hi:
>
> I found out today that packets generated by ipt_REJECT weren't protected
> by IPsec. This is because the proto field isn't set at all in the flow
> supplied to ip_route_output_key.

I see. I guess REJECT is actually longer in the kernel than the IPsec
code, so nobody with a thorough understanding of both pieces of code
noticed that it needs to change.

> The following patch sets that as well as protocol-specific fields so
> that the appropriate IPsec policy can be applied.

The patch looks fine to me. Dave: Please apply at your convenience.

> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

Signed-off-by: Harald Welte <laforge@xxxxxxxxxxxxx>
(in case this is needed)

> Cheers,
--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie