On Thu, Feb 17, 2005 at 07:15:55PM +0100, Patrick McHardy wrote:
>
> >Perhaps we can simply expand the check to include local as well,
> >i.e.,
> >
> > if (local != fl->fl4_src || remote != fl->fl4_dst) {
> >
> >What do you think?
>
> I don't think this solves the inconsistency. By reusing routes in tunnel
> mode we allow routing by different criteria when the inner packet is headed
> for the remote gateway. Your suggestion limits this a bit further, but we
> can still have a situation where all packets going through a tunnel take
> one path, except when the inner packet is heading for the remote gateway
> itself.
That's right. However, you should also look at it this way. We start
with a policy with a transport mode SA. In order to protect the IP
header we change it to use a tunnel mode SA with a host-to-host selector.
With your patch this will change the route that the packet uses.
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt