Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup

To: "David S. Miller" <davem@xxxxxxxxxx>
Subject: Re: [RFC, PATCH 4/5]: netfilter+ipsec - policy lookup
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Fri, 19 Mar 2004 16:30:29 +0100
Cc: herbert@xxxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20040318221645.2b67e433.davem@redhat.com>
References: <20040308110331.GA20719@gondor.apana.org.au> <404C874D.4000907@trash.net> <20040308115858.75cdddca.davem@redhat.com> <4059CF17.8090907@trash.net> <20040318221645.2b67e433.davem@redhat.com>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040122 Debian/1.6-1
David S. Miller wrote:
> On Thu, 18 Mar 2004 17:32:23 +0100
> Patrick McHardy <kaber@xxxxxxxxx> wrote:
>
>> This patch adds policy lookups to ip_route_me_harder and makes NAT
>> reroute for any change that affects route/policy lookups.
>
> Why are you deleting that "fl.proto = iph->protocol;" line in
> net/core/netfilter.c?  Is something else going to set it properly?

The patch adds a call to decode_session/xfrm_lookup below. This handles packets with local and non-local source; setting fl.proto only handles packets with local source. Also, we must check if the packet was already transformed to prevent loops.

Regards
Patrick