
Re: [XFRM]: Always reroute in tunnel mode

To: Patrick McHardy <kaber@xxxxxxxxx>
Subject: Re: [XFRM]: Always reroute in tunnel mode
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 18 Feb 2005 07:38:05 +1100
Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>, Maillist netdev <netdev@xxxxxxxxxxx>
In-reply-to: <4214DF5B.3010608@xxxxxxxxx>
References: <4214381F.5020507@xxxxxxxxx> <20050217113654.GA10346@xxxxxxxxxxxxxxxxxxx> <4214DF5B.3010608@xxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040722i

On Thu, Feb 17, 2005 at 07:15:55PM +0100, Patrick McHardy wrote:
> >Perhaps we can simply expand the check to include local as well,
> >i.e.,
> >
> >     if (local != fl->fl4_src || remote != fl->fl4_dst) {
> >
> >What do you think?
> I don't think this solves the inconsistency. By reusing routes in tunnel
> mode we allow routing by different criteria when the inner packet is headed
> for the remote gateway. Your suggestion limits this a bit further, but we
> can still have a situation where all packets going through a tunnel take
> one path, except when the inner packet is heading for the remote gateway
> itself.

That's right.  However, you should also look at it this way.  We start
with a policy with a transport mode SA.  In order to protect the IP
header we change it to use a tunnel mode SA with a host-to-host selector.
With your patch this will change the route that the packet uses.
Visit Openswan at
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page:
PGP Key:
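The two positions in the thread (Patrick's "reusing the inner route makes tunnel traffic take inconsistent paths" and Herbert's "always rerouting changes the route when a transport-mode policy is switched to a host-to-host tunnel") can be made concrete with a small model. The following is an added example written for this page, not kernel code and not code from either author. It assumes that the check Herbert proposes to expand was `remote != fl->fl4_dst` (inferred from his wording "expand the check to include local as well"); the TOS-based policy routing table, the addresses and the two inner flows are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model, not kernel code: a reduced IPv4 flow key and IPsec SA. */
struct flow { uint32_t src, dst; uint8_t tos; };
struct sa   { int tunnel; uint32_t local, remote; };   /* tunnel == 0: transport mode */

#define IP4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

/* Constructed policy-routing table: TOS 0x10 traffic is steered out eth1,
 * everything else out eth0 (think "ip rule add tos 0x10 table 100"). This is
 * the "routing by different criteria" that makes route reuse visible. */
static const char *route_lookup(const struct flow *fl)
{
    return fl->tos == 0x10 ? "eth1" : "eth0";
}

/* The reroute policies under discussion. REROUTE_ON_DST_MISMATCH is the
 * assumed original check, REROUTE_ON_ANY_MISMATCH is Herbert's expanded one,
 * REROUTE_ALWAYS is Patrick's patch. */
enum policy { REROUTE_ON_DST_MISMATCH, REROUTE_ON_ANY_MISMATCH, REROUTE_ALWAYS };

static int must_reroute(enum policy p, const struct sa *x, const struct flow *fl)
{
    if (!x->tunnel)
        return 0;                       /* transport mode keeps the inner route */
    switch (p) {
    case REROUTE_ON_DST_MISMATCH: return x->remote != fl->dst;
    case REROUTE_ON_ANY_MISMATCH: return x->local != fl->src || x->remote != fl->dst;
    case REROUTE_ALWAYS:          return 1;
    }
    return 0;
}

/* Device the encapsulated packet leaves on: a fresh lookup keyed on the outer
 * header if we reroute, the inner flow's cached route otherwise. */
const char *path_taken(enum policy p, const struct sa *x, const struct flow *fl)
{
    struct flow outer = { x->local, x->remote, 0 };
    return route_lookup(must_reroute(p, x, fl) ? &outer : fl);
}

/* 1 if every flow carried by the tunnel leaves on the same device. */
int paths_consistent(enum policy p, const struct sa *x, const struct flow *fls, int n)
{
    for (int i = 1; i < n; i++)
        if (strcmp(path_taken(p, x, &fls[i]), path_taken(p, x, &fls[0])) != 0)
            return 0;
    return 1;
}

/* Constructed scenario: tunnel 10.0.0.1 -> 10.0.0.2. Flow A is for a host
 * behind the remote gateway, flow B is addressed to the gateway itself (the
 * host-to-host selector case). Both inner packets carry TOS 0x10. */
const struct sa tunnel_sa    = { 1, IP4(10, 0, 0, 1), IP4(10, 0, 0, 2) };
const struct sa transport_sa = { 0, IP4(10, 0, 0, 1), IP4(10, 0, 0, 2) };
const struct flow tunnel_flows[2] = {
    { IP4(192, 168, 1, 5), IP4(192, 168, 2, 5), 0x10 },   /* A: behind the gateway */
    { IP4(10, 0, 0, 1),    IP4(10, 0, 0, 2),    0x10 },   /* B: to the gateway itself */
};

int main(void)
{
    static const char *names[] = { "reroute on dst mismatch", "reroute on any mismatch", "always reroute" };

    for (int p = 0; p < 3; p++)
        printf("%-24s A via %s, B via %s -> %s\n", names[p],
               path_taken((enum policy)p, &tunnel_sa, &tunnel_flows[0]),
               path_taken((enum policy)p, &tunnel_sa, &tunnel_flows[1]),
               paths_consistent((enum policy)p, &tunnel_sa, tunnel_flows, 2) ? "consistent" : "inconsistent");

    /* Herbert's objection: the same host-to-host policy, first with a transport
     * SA and then with a tunnel SA under "always reroute", leaves on a different device. */
    printf("host-to-host flow B: transport SA via %s, tunnel SA (always reroute) via %s\n",
           path_taken(REROUTE_ALWAYS, &transport_sa, &tunnel_flows[1]),
           path_taken(REROUTE_ALWAYS, &tunnel_sa, &tunnel_flows[1]));
    return 0;
}
```

Run as is, the model reproduces both sides of the argument: under either mismatch check, flow A is rerouted by the outer key (eth0) while flow B keeps the inner TOS-selected route (eth1), so tunnel traffic is split across paths; "always reroute" gives one path for everything, but moving the host-to-host policy from a transport SA to a tunnel SA then changes flow B's device from eth1 to eth0.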
