[Top] [All Lists]

Re: [netfilter-core] [NETFILTER] Apply IPsec to ipt_REJECT packets

To: Patrick McHardy <kaber@xxxxxxxxx>
Subject: Re: [netfilter-core] [NETFILTER] Apply IPsec to ipt_REJECT packets
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 24 Nov 2004 09:19:01 +1100
Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>, coreteam@xxxxxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <41A3AF41.4010700@xxxxxxxxx>
References: <20041123084225.GA3514@xxxxxxxxxxxxxxxxxxx> <41A37EC0.8010901@xxxxxxxxx> <20041123211630.GA9805@xxxxxxxxxxxxxxxxxxx> <41A3AF41.4010700@xxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040722i
On Tue, Nov 23, 2004 at 10:44:33PM +0100, Patrick McHardy wrote:
> No. ip_forward handles the original packet, not the packet generated
> by ipt_REJECT. RSTs generated in NF_IP_FORWARD are routed using
> ip_route_input because they have a non-local source, so xfrm_route_forward
> or xfrm_lookup needs to be called for them.

You're absolutely right.  How about this patch then?

Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> 

Now I'm puzzled as to how I haven't noticed this behaviour before.

Visit Openswan at
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page:
PGP Key:

Attachment: p
Description: Text document

<Prev in Thread] Current Thread [Next in Thread>