On Fri, 2005-22-04 at 09:58 +1000, Herbert Xu wrote:
> On Thu, Apr 21, 2005 at 07:50:19PM -0400, jamal wrote:
> > What was the reason there exists a FWD direction in the policies?
>
> You should really ask Alexey about that :) I myself had the same
> question when I first started in this area. However, since it
> has been present since the very beginning and people are already
> relying on it, we will have to live with it.
>
I am sure if Alexey did it there's a good reason - I am not sure I get
it. CCing Mr Kuznet.

> > Also - shouldn't the FWD policies closely match the OUT ones instead of
> > the IN direction (browsing the forwarding code)? i.e.
> > does this look odd to you (picking a sample from Wolfgang's output):
>
> The FWD policies are analogous to the FORWARD table in netfilter.
> The FWD policies apply to forwarded packets, meaning packets that
> end up in ip_forward instead of ip_local_deliver. The IN policies
> only apply to packets that end up in ip_local_deliver.
>
Here's what confused me when I browsed:
looking at ip_forward() - it does a xfrm4_policy_check(NULL,
XFRM_POLICY_FWD, skb) - this leads to a flow cache creation based on
FWD direction. Later on in the path (still in ip_forward)
xfrm4_route_forward() gets invoked which does a flow_cache build again
based on XFRM_POLICY_OUT.
So I was wondering whether the OUT shouldn't be just a duplicate of
FWD (instead FWD seems to be the dup of IN). Look at that sample I
posted - all his policies look like that. What gives? Why are the IN and
FWD exactly the same? Bug in racoon/setkey?

cheers,
jamal