netdev

Re: [XFRM]: Always reroute in tunnel mode

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [XFRM]: Always reroute in tunnel mode
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Fri, 18 Feb 2005 00:02:27 +0100
Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>, Maillist netdev <netdev@xxxxxxxxxxx>
In-reply-to: <20050217221031.GA4554@xxxxxxxxxxxxxxxxxxx>
References: <4214381F.5020507@xxxxxxxxx> <20050217113654.GA10346@xxxxxxxxxxxxxxxxxxx> <4214DF5B.3010608@xxxxxxxxx> <20050217203805.GA4047@xxxxxxxxxxxxxxxxxxx> <42150B36.5080609@xxxxxxxxx> <20050217221031.GA4554@xxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.5) Gecko/20050106 Debian/1.7.5-1
Herbert Xu wrote:

> On Thu, Feb 17, 2005 at 10:23:02PM +0100, Patrick McHardy wrote:
>> I don't consider this inconsistent, in fact it is consistent with what
>> happens with other tunnels. We could get the behaviour you want (my
>
> Well, we'll have to disagree on that.  IMHO the flow with the internal
> addresses equal to the external addresses over a tunnel mode SA should
> be treated the same as that over a transport mode SA.
>
> Maybe Dave can help resolve this with a third opinion.
>
>> patch + old behaviour for host-to-host tunnels) by looking at the
>> policy selector, but I would prefer to always reroute. The change
>> doesn't affect existing setups; as I said in my previous mail, it
>> doesn't work properly since __xfrm4_find_bundle() ignores tos/fwmark
>> and uses the route for src/dst that made the cache (first one used)
>> for all tos/fwmark values, even if other routes exist.
>
> Are you sure that it doesn't change existing behaviour? Suppose that
> I had a socket bound to a specific device, doesn't the current code
> use that device as long as we're sending to the remote IPsec gateway?

You're right, if no other route using the same src/dst/oif made the cache
first it will be used.

Regards
Patrick
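The cache-key problem Patrick describes above (a bundle cache keyed on src/dst/oif that hands the first cached route to every later flow with a different tos or fwmark), as an added user-space model. This is example code written for this page, not the kernel's xfrm code: the routing table, the flows, and the names rt_table, bundle_cache, xfrm_output_dev and run_demo are all constructed for the illustration. It also covers the bound-socket case Herbert raises, since oif is part of the key in both variants.

```c
/* Model of an xfrm bundle cache in front of a policy-routing table.
 * Added example, not kernel code; all names and table entries are
 * constructed for the illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CACHE_MAX 16
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* A flow as the output path sees it: addresses, output interface
 * (non-zero when the socket is bound to a device), TOS and fwmark. */
struct flow {
    uint32_t saddr, daddr;
    int      oif;
    uint8_t  tos;
    uint32_t fwmark;
};

/* One policy-routing entry; tos/fwmark 0 means "matches any value". */
struct route {
    uint32_t    daddr;
    uint8_t     tos;
    uint32_t    fwmark;
    int         ifindex;
    const char *dev;
};

/* Constructed table, most specific first. The IPsec gateway 192.0.2.1
 * is reached via eth0 by default, eth1 for fwmark 1, eth2 for TOS 0x10,
 * and eth3 only when a socket is bound to it. */
static const struct route rt_table[] = {
    { IP(192, 0, 2, 1), 0,    1, 2, "eth1" },
    { IP(192, 0, 2, 1), 0x10, 0, 3, "eth2" },
    { IP(192, 0, 2, 1), 0,    0, 1, "eth0" },
    { IP(192, 0, 2, 1), 0,    0, 4, "eth3" },
};

struct bundle { struct flow key; const char *dev; };

struct bundle_cache {
    struct bundle e[CACHE_MAX];
    int n;
    int full_key; /* 0: key on saddr/daddr/oif only; 1: also tos/fwmark */
};

static int key_match(const struct bundle_cache *c, const struct flow *a,
                     const struct flow *b)
{
    if (a->saddr != b->saddr || a->daddr != b->daddr || a->oif != b->oif)
        return 0;
    if (!c->full_key)
        return 1;                      /* the old behaviour: tos/fwmark ignored */
    return a->tos == b->tos && a->fwmark == b->fwmark;
}

/* First matching entry; a bound oif restricts the lookup to that device. */
static const char *route_lookup(const struct flow *fl)
{
    for (size_t i = 0; i < sizeof rt_table / sizeof rt_table[0]; i++) {
        const struct route *r = &rt_table[i];
        if (r->daddr != fl->daddr) continue;
        if (r->tos && r->tos != fl->tos) continue;
        if (r->fwmark && r->fwmark != fl->fwmark) continue;
        if (fl->oif && r->ifindex != fl->oif) continue;
        return r->dev;
    }
    return NULL;
}

/* Output device for a flow: a cached bundle if one matches, otherwise a
 * fresh route lookup whose result is cached for later flows. */
static const char *xfrm_output_dev(struct bundle_cache *c, const struct flow *fl)
{
    for (int i = 0; i < c->n; i++)
        if (key_match(c, &c->e[i].key, fl))
            return c->e[i].dev;
    const char *dev = route_lookup(fl);
    if (dev && c->n < CACHE_MAX) {
        c->e[c->n].key = *fl;
        c->e[c->n].dev = dev;
        c->n++;
    }
    return dev;
}

static int is_dev(const char *got, const char *want)
{
    return got && strcmp(got, want) == 0;
}

/* Send four flows with the same src/dst through one cache and return how
 * many left on the wrong device. */
static int run_demo(int full_key)
{
    struct bundle_cache c = { .n = 0, .full_key = full_key };
    struct flow base = { IP(198, 51, 100, 7), IP(192, 0, 2, 1), 0, 0, 0 };
    int wrong = 0;

    struct flow f0 = base;                 /* first packet populates the cache */
    wrong += !is_dev(xfrm_output_dev(&c, &f0), "eth0");
    struct flow f1 = base; f1.fwmark = 1;  /* should go via eth1 */
    wrong += !is_dev(xfrm_output_dev(&c, &f1), "eth1");
    struct flow f2 = base; f2.tos = 0x10;  /* should go via eth2 */
    wrong += !is_dev(xfrm_output_dev(&c, &f2), "eth2");
    struct flow f3 = base; f3.oif = 4;     /* bound socket: oif is in both keys */
    wrong += !is_dev(xfrm_output_dev(&c, &f3), "eth3");
    return wrong;
}

int main(void)
{
    printf("src/dst/oif key: %d misrouted flows\n", run_demo(0));
    printf("full flow key:   %d misrouted flows\n", run_demo(1));
    return 0;
}
```

With the src/dst/oif key the fwmark 1 and TOS 0x10 flows both reuse the eth0 bundle that the first packet created, which is the "first one used for all tos/fwmark values" effect in the quoted mail; the bound-socket flow still gets eth3 because oif is in the key either way, which is the case Herbert asks about and Patrick concedes. Keying on the full flow fixes the first two without changing the third. The general rule the model shows: a cache in front of a lookup must key on every input that can change the lookup's result, or it silently returns a stale answer for the inputs it ignores.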
