netdev
[Top] [All Lists]

Re: [RFC, PATCH 5/5]: netfilter+ipsec - policy checks

To: Patrick McHardy <kaber@xxxxxxxxx>
Subject: Re: [RFC, PATCH 5/5]: netfilter+ipsec - policy checks
From: "David S. Miller" <davem@xxxxxxxxxx>
Date: Thu, 18 Mar 2004 22:19:04 -0800
Cc: herbert@xxxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4059CF27.4030803@trash.net>
References: <20040308110331.GA20719@gondor.apana.org.au> <404C874D.4000907@trash.net> <20040308115858.75cdddca.davem@redhat.com> <4059CF27.4030803@trash.net>
Sender: netdev-bounce@xxxxxxxxxxx
On Thu, 18 Mar 2004 17:32:39 +0100
Patrick McHardy <kaber@xxxxxxxxx> wrote:

> This patch makes xfrm_policy_check locate the correct policy after NAT.
> For protocols which do policy checks in their receive routines the
> reference to nfct has to be kept until policy checks are done, the
> other ones still drop it in ip_local_deliver_finish.

This patch looks fine to me.

Other than the minor comments I've made the most unhappy I am
with the input patch, and you agree it's grotty too.  Let's look
for a better solution, perhaps with new top-level SKB state,
and then we can put all of your work in after you're made the other
minor fixes I've asked for as well.

Thanks Patrick.


<Prev in Thread] Current Thread [Next in Thread>