| To: | Harald Welte <laforge@xxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: NAT before IPsec with 2.6 |
| From: | "David S. Miller" <davem@xxxxxxxxxx> |
| Date: | Wed, 28 Jan 2004 11:38:25 -0800 |
| Cc: | aj@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx |
| In-reply-to: | <20040128085831.GM11761@xxxxxxxxxxxxxxxxxxxxxxx> |
| References: | <20040124082252.GA19035@xxxxxxxxxxxxxxxx> <Pine.LNX.4.44.0401241015470.32723-100000@xxxxxxxxxxxxxxxxxxxxx> <20040124092721.GA19140@xxxxxxxxxxxxxxxx> <20040127103917.GC11761@xxxxxxxxxxxxxxxxxxxxxxx> <20040127132725.GA14685@xxxxxxxxxxxxx> <pan.2004.01.27.21.13.32.754125@xxxxxxxxxxxxxxx> <20040128085831.GM11761@xxxxxxxxxxxxxxxxxxxxxxx> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
On Wed, 28 Jan 2004 09:58:31 +0100
Harald Welte <laforge@xxxxxxxxxxxxx> wrote:
> No, we don't achieve this by manipulating the routing code, but by
> placing the respective hooks in ah{4,6}.c and esp{4,6}.c
> {ah,esp}_output() function respectively. We also need to (again) reset
> the skb->nfct and drop the conntrack reference again.
Why not just do this right when we pop into the dst_output() call
in ip_output.c This way we don't have to add all of this stuff
for every new encapsulator we ever implement.
Maybe not like this precisely, but something like it.
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: [PATCH]snmp6 64-bit counter support in proc.c, David S. Miller |
|---|---|
| Next by Date: | Re: 2.6.2-rc2-mm1, David S. Miller |
| Previous by Thread: | Re: NAT before IPsec with 2.6, Harald Welte |
| Next by Thread: | Re: NAT before IPsec with 2.6, Andreas Jellinghaus |
| Indexes: | [Date] [Thread] [Top] [All Lists] |