
Re: [NETFILTER] Apply IPsec to ipt_REJECT packets

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [NETFILTER] Apply IPsec to ipt_REJECT packets
From: Harald Welte <laforge@xxxxxxxxxxxxx>
Date: Tue, 23 Nov 2004 10:22:30 +0100
Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>, coreteam@xxxxxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <20041123084225.GA3514@xxxxxxxxxxxxxxxxxxx>
References: <20041123084225.GA3514@xxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040907i

On Tue, Nov 23, 2004 at 07:42:25PM +1100, Herbert Xu wrote:
> Hi:
> 
> I found out today that packets generated by ipt_REJECT weren't protected
> by IPsec.  This is because the proto field isn't set at all in the flow
> supplied to ip_route_output_key.

I see.  I guess REJECT has actually been in the kernel longer than the IPsec
code, so nobody with a thorough understanding of both pieces of code
noticed that it needs to change.

> The following patch sets that as well as protocol-specific fields so
> that the appropriate IPsec policy can be applied.

The patch looks fine to me.  Dave: Please apply at your convenience.

> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

Signed-off-by: Harald Welte <laforge@xxxxxxxxxxxxx>

(in case this is needed)

> Cheers,

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie
