| To: | Patrick McHardy <kaber@xxxxxxxxx> |
|---|---|
| Subject: | Re: [RFC, PATCH 5/5]: netfilter+ipsec - policy checks |
| From: | "David S. Miller" <davem@xxxxxxxxxx> |
| Date: | Thu, 18 Mar 2004 22:19:04 -0800 |
| Cc: | herbert@xxxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx |
| In-reply-to: | <4059CF27.4030803@trash.net> |
| References: | <20040308110331.GA20719@gondor.apana.org.au> <404C874D.4000907@trash.net> <20040308115858.75cdddca.davem@redhat.com> <4059CF27.4030803@trash.net> |
| Sender: | netdev-bounce@xxxxxxxxxxx |

On Thu, 18 Mar 2004 17:32:39 +0100
Patrick McHardy <kaber@xxxxxxxxx> wrote:

> This patch makes xfrm_policy_check locate the correct policy after NAT.
> For protocols which do policy checks in their receive routines the
> reference to nfct has to be kept until policy checks are done, the
> other ones still drop it in ip_local_deliver_finish.

This patch looks fine to me.

Other than the minor comments I've made, the most unhappy I am with the input patch, and you agree it's grotty too.

Let's look for a better solution, perhaps with new top-level SKB state, and then we can put all of your work in after you've made the other minor fixes I've asked for as well.

Thanks Patrick.